SIMATIC Logon V2.0 - support.industry.siemens.com · SIMATIC BATCH or WinCC). ... SIMATIC Logon...

Configuration Instruction SIMATIC PCS 7 – SIMATIC IT – Integration PCS 7 / SIMATIC IT Integration Pack 2007 SIMATIC Logon in a domain


SIMATIC Logon in a domain 26639558

V2.0 02.06.08 2/66

Copyright © Siemens AG 2008 All rights reserved

NOTE The application examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The application examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible in ensuring that the described products are correctly used. These application examples do not relieve you of the responsibility in safely and professionally using, installing, operating and servicing equipment. When using these application examples, you recognize that Siemens cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these application examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications - e.g. Catalogs - then the contents of the other documents have priority.

Warranty, liability and support

We do not accept any liability for the information contained in this document.

Any claims against us - based on whatever legal reason - resulting from the use of the examples, information, programs, engineering and performance data etc., described in this application example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). However, claims arising from a breach of a condition which goes to the root of the contract shall be limited to the foreseeable damage which is intrinsic to the contract, unless caused by intent or gross negligence or based on mandatory liability for injury of life, body or health. The above provisions do not imply a change in the burden of proof to your detriment.

Copyright© 2008 Siemens A&D. It is not permissible to transfer or copy these application examples or excerpts of them without first having prior authorization from Siemens A&D in writing. For questions about this document please use the following e-mail address:

mailto:[email protected]


Table of Content

1 Introduction to SIMATIC Logon
1.1 In general
1.2 Installing SIMATIC Logon
1.3 SIMATIC Logon Service
1.4 SIMATIC Logon Role management
1.5 SIMATIC Logon Event log Viewer
1.6 SIMATIC Electronic signature
1.7 SIMATIC Logon Development Kit
1.8 FDA 21 CFR Part 11 Support
1.9 Test environment
1.9.1 Equipment for the Windows active directory domain
1.9.2 Installed software
Operating systems
SIMATIC software

2 SIMATIC Logon Configuration
2.1 Preparations inside the Windows domain
2.2 Active directory for SIMATIC Software
2.3 Active directory for Windows
2.4 Configuring SIMATIC Logon
2.5 SIMATIC Automation License Manager (ALM)
2.6 SIMATIC PCS 7 OS Server and Multiclient
2.7 SIMATIC BATCH
2.8 SIMATIC Engineering System
2.9 SIMATIC IT Servers
2.10 Important notes
2.10.1 User for SIMATIC BATCH and SIMATIC PCS 7 OS Multiclient
2.10.2 Display name of the user
2.10.3 Domain Policies
2.10.4 Backup Licenses before moving computer from domain to workgroup
2.10.5 Using the Default User option from SIMATIC Logon
Login on to SIMATIC IT with a default user
Login on to SIMATIC PCS 7 OS/ SIMATIC BATCH with a default user

3 Adding a new user

4 References

5 Abbreviations


1 Introduction to SIMATIC Logon

1.1 In general

With SIMATIC Logon, you can assign authorizations for SIMATIC applications and plant areas. The following software components belong to SIMATIC Logon:

Table 1-1

| Component | Description |
| --- | --- |
| SIMATIC Logon service | Central access protection for SIMATIC applications and plant areas |
| SIMATIC Logon Role Management | Administration of application policies and their assignment to Windows groups, including the assignment of permissions. |
| SIMATIC Logon Eventlog Viewer | SIMATIC Logon Eventlog Viewer is a component which handles the logging and visualization of events for an application. |
| SIMATIC Electronic Signature | Used to create electronic signatures for status transitions and user intervention in the process |
| SIMATIC Logon Development Kit | The Development Kit is designed for use by programmers who want to integrate SIMATIC Logon in customer applications. |

SIMATIC Logon components are only available to applications in which the SIMATIC Logon components have been integrated.

The SIMATIC Logon components are integrated in, for example, the following applications:

• SIMATIC Automation License Manager (ALM)

• SIMATIC PCS 7 OS

• SIMATIC BATCH

• SIMATIC STEP 7

• SIMATIC IT

NOTE SIMATIC Logon users must be direct members of a Windows domain. These users may not be members of a subdomain of a Windows domain.

This document provides an overview of how to set up the SIMATIC Logon tool with the different SIMATIC software components.


1.2 Installing SIMATIC Logon

SIMATIC Logon is installed with a setup program.

The following components are installed with the setup:

• SIMATIC Logon Service

• SIMATIC Logon Role management

• SIMATIC Logon Event Log

• SIMATIC Electronic Signature

The version currently installed with the Integration Pack 2007 is V1.4 SP1.

You will find the SIMATIC Logon software on the SIMATIC PCS 7 or SIMATIC IT DVD.

Figure 1-1 Installing SIMATIC Logon

NOTE As of PCS 7 V7.0 SP1, SIMATIC Logon requires no license key in PCS 7.


The license key for SIMATIC Logon is included with every software package for SIMATIC PCS 7 PC stations (reinstallation and updates).

Figure 1-2 Contract License in SIMATIC PCS 7 V7.0 SP1

NOTE A license for version V1.4 SP1 is needed to use SIMATIC Logon on a SIMATIC IT machine.

Figure 1-3 Message on a pure SIMATIC IT computer

1.3 SIMATIC Logon Service

SIMATIC Logon Service is the basis for SIMATIC Logon. The SIMATIC Logon Service implements access protection for applications (for example, SIMATIC BATCH or WinCC). The access protection is based on mechanisms of the Windows operating system. The user logs on and off of the application through the SIMATIC Logon Service.

SIMATIC Logon records the following events:

• Successful logon

• Failed logon attempt

• Authentication of a user

• Logoff by user

• Automatic logoff

• Password change


The recorded events can be viewed using the SIMATIC Logon Event Log Viewer.

1.4 SIMATIC Logon Role management

SIMATIC Logon Role Management is the group of SIMATIC Logon components used to create roles and to assign operating system groups and users, as well as function rights, to those roles. A role contains the rights of groups/users within applications to perform specific actions (for example, transferring data).

Role management is used to regulate access to applications and functions by users and groups. Access protection forces users to log on to the system if they want to use an application or function. Assigning specific tasks to roles simplifies the task of assigning rights to users and groups.

User management is based on the users and groups of the operating system.

SIMATIC Logon Role Management is started with the user interface of the application in which this service is embedded. It cannot be started in Windows.

1.5 SIMATIC Logon Event log Viewer

The SIMATIC Logon Event Log Viewer is a component that records and displays events for an application. The recording of events is triggered by the application; the display occurs in the SIMATIC Logon Event Log Viewer.

Events are saved in the "EventLog.mdb" database. This database is located in the directory "...\SIMATICLogon\Logging" after installation with default settings.

It is recommended to back up the database at short intervals. This will protect against loss of data (in the event of hard disk failure, for example). To prevent damage to the database, do not perform the backup when applications are running. If no database exists, a new database is created automatically.

1.6 SIMATIC Electronic signature

SIMATIC Electronic Signature is the SIMATIC Logon component that can be used to create an electronic signature. An electronic signature is a verification created and archived to fulfill a requirement such as important or critical operator input in an automation system.

These verifications contain information about an operation, for example:

• Name of the person or persons responsible for performing the operation


• Date and time of the operation to be performed

• Significance of the signatures (an authorization, for example)

• Author (for example, of a Batch recipe).

1.7 SIMATIC Logon Development Kit

The Development Kit is intended for programmers who wish to integrate SIMATIC Logon in a customer application.

You will find the following files in the directory "...\SimaticLogon\developmentkit":

• SL_ProgrammingGuide.pdf The "SL_ProgrammingGuide.pdf" contains the English language manual "SIMATIC Logon Development Kit; Programming Guide".

• SL_Example.zip The "SL_Example.zip" file contains an example application. The SIMATIC Logon Development Kit programming guide uses an example application to demonstrate how to integrate SIMATIC Logon in a customer application.

1.8 FDA 21 CFR Part 11 Support

In plants monitored and controlled by process control systems, there are special requirements relating to access to functions and plant areas.

The following requirements are important for the validation of plants:

• User management for assigning access rights to avoid unauthorized or unwanted access to the plant

• Creation and archiving of verification of important or critical actions

SIMATIC Logon and SIMATIC Electronic Signature simplify the validation of plants in conformity to FDA 21 CFR Part 11. These globally recognized guidelines and requirements were formulated by the U.S. FDA (Food and Drug Administration).


1.9 Test environment

The following schema provides an overview of the test environment which is used to configure SIMATIC Logon for the different SIMATIC software components.

Figure 1-4: Schema of the Windows active directory domain computers

A private IP address range with fixed IP addresses is used.


1.9.1 Equipment for the Windows active directory domain

• 2 Windows active directory domain controllers (DNS, WINS)

• 2 SIMATIC PCS 7 OS Servers (redundant)

• 2 SIMATIC BATCH Servers (redundant)

• 1 SIMATIC PCS 7 Engineering System (ES)

• 2 SIMATIC PCS 7 OS Multiclient + SIMATIC BATCH Client

• 1 SIMATIC IT Production Modeler

• 1 SIMATIC IT Historian + PPA DB

• 1 SIMATIC IT Report Manager/ CAB engineering

• 1 SIMATIC IT components software + SITMesDB

• 1 SIMATIC AS CPU 417 with a CP 443-1


1.9.2 Installed software

Operating systems

The operating systems used on the domain computers are listed in the following table.

Table 1-2

| Station | Installation |
| --- | --- |
| Server | Windows 2003 MUI (Multilanguage User Interface) with SP2; Internet Explorer V6.0 SP2 (6.0.3790.3959); Image software |
| Client | Windows XP SP2; Image software |
| Domain Controller | Windows 2003 MUI (Multilanguage User Interface) with SP2; Internet Explorer V6.0 SP2 (6.0.3790.3959) |

SIMATIC software

SIMATIC software and its required software packages (e.g. message queuing, SQL Server 2005 with SPx, ...) are installed as needed. The installed software for SIMATIC PCS 7 and SIMATIC IT is the released “Integration Pack 2007” on top of the released SIMATIC versions.

Table 1-3

| Product | Version |
| --- | --- |
| SIMATIC PCS 7 | V7.0 SP1; Microsoft SQL 2005 SP1 HF; PCS 7 / SIMATIC IT Integration Pack 2007 Part1 Updates SIMATIC PCS 7 |
| SIMATIC IT | V6.3 SP1; Microsoft SQL 2005 SP2; PCS 7 / SIMATIC IT Integration Pack 2007 Part2 Updates SIMATIC IT |

A detailed list of the installed SIMATIC software can be found in attachment A of the document “SIMATIC software in a domain”.


2 SIMATIC Logon Configuration

The SIMATIC Logon software is used to manage access control for the different SIMATIC software packages. It allows the system administrator to give users only the rights they need inside the SIMATIC applications.

2.1 Preparations inside the Windows domain

NOTE There are many ways to set up an environment and the user access permissions. This document provides one possible solution. This example can be adapted to meet your specific needs.

In the test environment the following SIMATIC software uses SIMATIC Logon:

• SIMATIC ALM

• SIMATIC PCS 7 OS Server and Multiclient

• SIMATIC BATCH

• SIMATIC ES

• SIMATIC IT

For the software packages we added Active Directory integrated organizational units inside the Windows 2003 Active Directory:

• OrgUnitALM

• OrgUnitCC

• OrgUnitSB

• OrgUnitSIT

These organizational units contain Active Directory domain local security groups with users which are used to log on to the different SIMATIC software.

A general description about the structure of the test environment can be found in the knowledge document: “SIMATIC software in a domain”.


2.2 Active directory for SIMATIC Software

For the test environment, we created group names and user names that are nearly identical. The groups have an “s” at the end, while the users represent some possible use cases for users and their rights, e.g. the user “operator” for SIMATIC OS is called “CCoperator” and the corresponding group is called “CCoperators”.

Figure 2-1: Active directory “OrgUnitCC” with users and groups

Figure 2-2: Active directory “OrgUnitSB” with users and groups


Figure 2-3: Active directory “OrgUnitSIT” with users and groups

Figure 2-4 Active directory “OrgUnitAlm” with users and groups


In the following table the users and groups for the SIMATIC software used in the test environment are listed:

Table 2-1

| OrgUnit | Name (Login) | Group (Rights) | Comment |
| --- | --- | --- | --- |
| OrgUnitSB | SBauto | SBautos | Automation engineer (predefined user group from SIMATIC BATCH) |
| OrgUnitSB | SBsuperuser | SBsuperusers | Super user (predefined user group from SIMATIC BATCH) |
| OrgUnitSB | SBoperator | SBoperators | Operator (predefined user group from SIMATIC BATCH) |
| OrgUnitSB | SBshift | SBshifts | Shift manager (predefined user group from SIMATIC BATCH) |
| OrgUnitSB | SBfactory | SBfactorys | Factory manager (predefined user group from SIMATIC BATCH) |
| OrgUnitSB | SBengineer | SBengineers | Process engineer (predefined user group from SIMATIC BATCH) |
| OrgUnitSB | SBemergency | SBemergencys | Emergency operator (predefined user group from SIMATIC BATCH) |
| OrgUnitCC | CCsuperuser | CCsuperusers | Super user (user group for SIMATIC OS) |
| OrgUnitCC | CCengineer | CCengineers | Process engineer (user group for SIMATIC OS) |
| OrgUnitCC | CCoperator | CCoperators | Operator (user group for SIMATIC OS) |
| OrgUnitCC | CCemergency | CCemergencys | Emergency operator (user group for SIMATIC OS) |
| OrgUnitSIT | Administrators | Administratorss | Administrators (predefined user group from SIMATIC IT) |
| OrgUnitSIT | Developer | Developers | Developer (predefined user group from SIMATIC IT) |
| OrgUnitSIT | High Level Op | High Level Ops | High Level Op (predefined user group from SIMATIC IT) |
| OrgUnitSIT | Low Level Op | Low Level Op | Low Level Op (predefined user group from SIMATIC IT) |
| OrgUnitSIT | Maintenance Op | Maintenance Ops | Maintenance Op (predefined user group from SIMATIC IT) |
| OrgUnitALM | AL Administrator | - | Administrator (predefined user group from ALM) |
| OrgUnitALM | ALM Licenser | - | Administrator (predefined user group from ALM) |
| OrgUnitALM | ALM Power User | - | Administrator (predefined user group from ALM) |
| OrgUnitALM | ALM User | - | Administrator (predefined user group from ALM) |

NOTE The user names and groups are just an example. In a real plant the users will be the users with the corresponding naming convention of your Windows domain.
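An added example, not part of the Siemens document: a Python check that compares exported group memberships with the login/group pairs that Table 2-1 lists for OrgUnitSB and OrgUnitCC, and reports missing, unapproved, nested and multi-role memberships. The `group,member` CSV export format, the sample rows and the account `tempcontractor` are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Login -> group pairs for OrgUnitSB and OrgUnitCC as listed in Table 2-1.
TABLE_2_1 = {
    "SBauto": "SBautos",
    "SBsuperuser": "SBsuperusers",
    "SBoperator": "SBoperators",
    "SBshift": "SBshifts",
    "SBfactory": "SBfactorys",
    "SBengineer": "SBengineers",
    "SBemergency": "SBemergencys",
    "CCsuperuser": "CCsuperusers",
    "CCengineer": "CCengineers",
    "CCoperator": "CCoperators",
    "CCemergency": "CCemergencys",
}

# Constructed sample export (assumed format: one "group,member" row per membership).
SAMPLE_EXPORT = """group,member
SBautos,SBauto
SBsuperusers,SBsuperuser
SBoperators,sboperator
SBshifts,SBshift
SBfactorys,SBfactory
SBengineers,SBengineer
SBemergencys,SBemergency
CCsuperusers,CCsuperuser
CCsuperusers,CCoperator
CCengineers,CCengineer
CCoperators,CCoperator
CCoperators,tempcontractor
CCengineers,CCoperators
"""


def _key(name):
    # Windows account and group names compare case-insensitively.
    return name.strip().casefold()


def baseline_from_pairs(pairs):
    """Turn login -> group pairs into group -> set of approved members."""
    baseline = defaultdict(set)
    for login, group in pairs.items():
        baseline[_key(group)].add(_key(login))
    return dict(baseline)


def parse_export(text):
    """Read the CSV export into group -> set of actual members."""
    memberships = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        memberships[_key(row["group"])].add(_key(row["member"]))
    return dict(memberships)


def audit(baseline, memberships):
    """Return (kind, subject, detail) findings; names are reported casefolded.

    Only groups present in the baseline are audited; other groups in the
    export are out of scope and ignored.
    """
    findings = []
    roles_per_account = defaultdict(set)
    for group in sorted(baseline):
        approved = baseline[group]
        actual = memberships.get(group, set())
        # Approved account that is not in its role group: the logon would fail.
        for member in sorted(approved - actual):
            findings.append(("missing", group, member))
        # Member not in the baseline: either a nested role group, which grants
        # rights indirectly, or an account nobody approved for this role.
        for member in sorted(actual - approved):
            kind = "nested-group" if member in baseline else "unapproved"
            findings.append((kind, group, member))
        for member in actual:
            if member not in baseline:
                roles_per_account[member].add(group)
    # One account holding several roles accumulates rights across them.
    for account in sorted(roles_per_account):
        groups = roles_per_account[account]
        if len(groups) > 1:
            findings.append(("multi-role", account, ",".join(sorted(groups))))
    return findings


if __name__ == "__main__":
    for finding in audit(baseline_from_pairs(TABLE_2_1), parse_export(SAMPLE_EXPORT)):
        print(*finding, sep="\t")
```

In a real plant the baseline would be built from the approved user list of your own domain rather than from the test-environment names.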

2.3 Active directory for Windows

We created an organizational unit called “OrgUnitWindows” with a domain local security group called “ADLocalPowerUsers”. This security group contains a user called “WindowsLogin” which is used to start each Windows domain computer (SIMATIC PCS 7 OS Server/ Multiclient, SIMATIC BATCH, ...) with local power user rights.

Figure 2-5: Active directory “OrgUnitWindows” with users and groups


NOTE The group “ADLocalPowerUsers” has to be added to the local “power users” group of each computer in the domain. We do this in an automated way. This is described in the document “SIMATIC software in a domain”.

NOTE Due to some restrictions running SIMATIC IT with a login which is a member of the local “Power Users” group we are running the SIMATIC IT computers with an administrative login. For further details see the “SIMATIC software in a domain” document.

2.4 Configuring SIMATIC Logon

NOTE To be able to work with SIMATIC Logon the following Windows group is mandatory: “Logon_Administrator”

One or more users can be assigned to the “Logon_Administrator” group, such as a user called “logon”.

Figure 2-6: The mandatory Windows group and a user for the group


After installing the SIMATIC Logon software, open the configuration tool: “Start > All Programs > SIMATIC > SIMATIC Logon > Configure SIMATIC Logon”

Figure 2-7 Configure SIMATIC Logon

Log in with the user “logon”. This user is assigned to the “Logon_Administrator” group.

Figure 2-8 SIMATIC Logon Service – Identity check

After logging in, the “Configure SIMATIC Logon” dialog opens.


In the “General” tab you can choose the display language of the configuration tool and make some general settings for the time display. You can also set a Default group and a Default user.

Figure 2-9 Configure SIMATIC Logon – General

NOTE In contrast to all other users, the "Default group" and the "Default user" cannot be listed in the Windows User Management. The "Default user" is a member of the "Default group" and "Emergency_operator" groups. You specify the rights of these roles in the specific applications.


The “Working environment” tab defines whether a domain, a local host or a Logon computer is used.

Figure 2-10 Configure SIMATIC Logon – Working environment

In the “Logon device” tab you can choose the method that is used to log on.

Figure 2-11 Configure SIMATIC Logon – Logon device


In the “Automatic logoff” tab you can have the currently logged-on user logged off automatically if the system is not used for a predefined period of time.

Figure 2-12 Configure SIMATIC Logon – Automatic logoff

For additional help and info please see the help file: “C: > Program Files > SIEMENS > SimaticLogon > manuals > slogon_b.pdf”

or “C: > Program Files > SIEMENS > SimaticLogon > slhelp_b.chm”

2.5 SIMATIC Automation License Manager (ALM)

The Automation License Manager is used to display the licenses that are installed on your system. By default the ALM does not use user rights management and everybody can use this software (including moving licenses), but you have the possibility to assign user management via the SIMATIC Logon software.

Open the SIMATIC Automation License Manager (ALM):


“Start > All Programs > SIMATIC > License Management > Automation License Manager”

Figure 2-13 Start the ALM

Once ALM is open, start the SIMATIC Logon Role Management using the menu command “File > User management…”

Figure 2-14 SIMATIC Logon Role Management


After the SIMATIC Logon Role Management starts, configure the user management for the ALM.

Figure 2-15 Configure the SIMATIC Logon Role Management


Browse in your domain for the users and groups which are present in the Windows domain. From there it is possible via drag and drop to move the appropriate users/groups to the upper part, where you can assign the groups/users to either new roles or to the four predefined roles (Licenser, Administrator, Power user, User).

Figure 2-16 Configure the SIMATIC Logon Role Management


Assign the ALM users to the right groups of the ALM. You can do this with drag and drop or with Copy – Insert, as shown in the next figure.

Figure 2-17 Configure the SIMATIC Logon Role Management


This screen capture shows the rights of the predefined “Administrator” group.

Figure 2-18 Configure the SIMATIC Logon Role Management

After assigning the users/groups to their roles choose the menu: “File > Settings…”

Figure 2-19 Configure the SIMATIC Logon Role Management

Select “Activate SIMATIC Logon access protection”.

Figure 2-20 Configure the SIMATIC Logon Role Management

NOTE The activation is only enabled on the system if the SIMATIC Logon Role Management is installed. These settings have to be made on every computer that has ALM installed.

After activating SIMATIC Logon inside ALM, only users with access rights can access ALM.

Figure 2-21 Configure the SIMATIC Logon Role Management

NOTE See 2.10.4 for further information in case you upgrade your old domain computers from the last Integration Pack V6.1 SP1 HF4 to the current Integration Pack 2007.

2.6 SIMATIC PCS 7 OS Server and Multiclient

The previous tool "WinCC Adapter", which was delivered with SIMATIC Logon to help you configure your SIMATIC PCS 7 OS project, is no longer available in the new Integration Pack 2007 version. This is due to the fact that the used SIMATIC Logon version is completely integrated in the used WinCC version.

Prior to this, SIMATIC Logon had to be entered as "wincclogonconnector_x.exe" in the WinCC start up list. To open an existing project you need to delete the entry "wincclogonconnector_x.exe" from the start up list. The entry "wincclogonconnector_x.exe" should not be manually entered again in the start up list.

The assignment of Windows groups to SIMATIC PCS 7 OS roles is made in the User Administration of SIMATIC PCS 7 OS. For example, if you want to assign users from the "CCoperators" Windows group to SIMATIC PCS 7 OS, a group with the same name ("CCoperators") must be created in the SIMATIC PCS 7 OS “User Administrator” editor and the corresponding Authorization must be assigned:

• Open the SIMATIC OS project

• Open the editor “User Administrator” in the SIMATIC PCS 7 OS control center

• Create the group(s)

• Assign the Authorizations to each group

Figure 2-22: The “User Administrator” editor

NOTE You have to enable the check mark "SIMATIC Logon" in order to use SIMATIC Logon within SIMATIC PCS 7 OS.

For additional help and info please see the help file.

To configure the SIMATIC PCS 7 OS, you have to start every SIMATIC OS Server and Multiclient project on your engineering system computer and add the groups you have defined in the Windows domain to the SIMATIC PCS 7 OS (e.g. “CCoperators”) inside the “User Administrator” editor. In this way, the correct settings for the usage of SIMATIC Logon are available in the project with each download of the SIMATIC PCS 7 project.

2.7 SIMATIC BATCH

To configure SIMATIC BATCH, start the SIMATIC Batch Control Center (BCC) with a user which is a member of the “Logon_Administrator” group, e.g. the user “logon”. This allows the integrated SIMATIC Logon Role Management to be started via the menu command: “Options > Roles Management…”

Figure 2-23 Starting the Roles management of SIMATIC BATCH

In the SIMATIC BATCH software, several roles have been predefined in SIMATIC Logon Role Management:

• Super user

• Factory manager

• Shift manager

• Operator

• Process engineer

• Automation engineer

• Emergency operator

NOTE It is possible to add new roles if the existing ones do not meet your company regulations.

Figure 2-24: SIMATIC BATCH predefined roles in SIMATIC Logon Admin Tool

In a domain environment, after starting the SIMATIC Logon Role Management, the groups and users which are defined in the Windows domain are visible in the bottom part (Available assignment types/Available groups and users) of the screen. From there it is possible, e.g. via drag and drop, to move the appropriate users/groups to the upper part (Configured roles and assignment types).

NOTE It is only possible to assign one user or group to a role.

Figure 2-25 Assigning a group

This behavior affects the planning of the SIMATIC Logon Role Management.

Figure 2-26 Assigning a group

In the BATCH Control Center you see the logged on user in the bottom right part. To change the logged in user you can double click on the name of the user. In the "One-time logon" window of the SIMATIC Logon Service you can "Log off" the current user with that button. If you press this button, the logoff is performed immediately. No confirmation box shows up where you are asked to confirm the log off.

Figure 2-27: SIMATIC BATCH Control Center and the logged in user

After starting the permission management inside the BCC it is possible to view the individual permissions of each role. You open this view from the Permission management of the BCC.

Figure 2-28 Permission Management

In the tab “Computers and units” it is possible to assign the rights of each group for every SIMATIC BATCH Client computer in the environment. It is possible to have rights on one computer and not on another computer. This means that a predefined group can have access on one computer but no access on another. In the picture this is visible with client03: on this computer every role is configured, while on client02 only the predefined groups Super user, Shift manager and Factory manager are assigned.

Figure 2-29: Start of the permission management inside the BCC

The tab “View permissions of the logged in user” shows the rights of the current user in detail.

In the tab “Change log” an overview of who changed what at which time is provided.

2.8 SIMATIC Engineering System

As of the new version PCS 7 V7.0 SP1, the ES is integrated with the SIMATIC Logon software in order to protect projects and subcomponents. Due to this integration, the SIMATIC Logon service STEP 7 software provided in the last Integration Pack V6.1 SP1 HF4 is no longer provided in the Integration Pack 2007 as a separate setup.

Access Protection

As of STEP 7 V5.4, you have the option of restricting access to projects and libraries by assigning a password to them. In order to do this, you must have installed "SIMATIC Logon". You can also enable, disable and display a change log.

If SIMATIC Logon is installed on your computer, you will have access to the following menu commands in the SIMATIC Manager. You can use these commands to manage access protection for a project or library:

• Access Protection > Enable

• Access Protection > Disable

• Access Protection > Manage Users

• Access Protection > Adjust in Multiproject

• Access Protection > Remove Access Protection and Change Log

You activate access protection in SIMATIC Manager with the “Options > Access Protection > Enable” menu command.

Figure 2-30 Enable access protection

If you enable access protection for the first time with this menu command, a dialog opens in which you will need to log on with SIMATIC Logon. You will then be prompted to assign a project password. The relevant project or library can then only be edited as authenticated user or after entering the project password.

The “Remove Access Protection and Change Log” menu command removes access protection as well as the change log for a password-protected project or library. After having removed the access protection you can once again edit projects with a STEP 7 version prior to V5.4.

When you open access-protected projects, STEP 7 implicitly requests a logon with user name and password. When the project is closed, there is an automatic logoff from the project. As an alternative, you can log on or change to a different logon in STEP 7 with the menu command “Options > SIMATIC Logon Service…” in the SIMATIC Manager.

Notes

• To enable or disable access protection, you must be authorized in SIMATIC Logon as project administrator.

• The first time you enable access protection, the project format is changed. You will receive a message indicating that the modified project can no longer be edited with older STEP 7 versions.

• The “Options > Access Protection > Remove Access Protection and Change Log” function allows the project or the library to be used with a STEP 7 version lower than V5.4. You do, however, lose the information on the users that are allowed access to this project or library and all change logs.

• The user currently logged on is displayed in the status bar of the SIMATIC Manager.

• The currently logged on Logon user who enables access protection is entered as the project administrator and is requested to assign the project password the first time access protection is enabled.

• To open an access-protected project, you must be authenticated in SIMATIC Logon as project administrator or project user or you must know the password.

• Remember that a logged-on user is entered in the project as project administrator when the user opens a project with the project password.

Because the SIMATIC Logon software is installed on the engineering system, SIMATIC Logon can be used on the ES computer. An additional use on the SIMATIC ES is the Version Trail, where you can version your projects. You open the Version Trail via the path: “File > Versioned Project > Archive…”

Figure 2-31: Version trail inside SIMATIC Manager

To retrieve a versioned project, you have to log on.

Figure 2-32 Version trail inside SIMATIC Manager

2.9 SIMATIC IT Servers

To configure SIMATIC IT with SIMATIC Logon, start the SIMATIC Logon Import Tool. This tool imports the Windows groups from the domain. Start the SIMATIC Logon Import Tool via the menu command “Tools > SIMATIC Logon Import Tool”.

Figure 2-33 Start of the SIMATIC Logon Import Tool

In the start page you can enable/ disable SIMATIC Logon in SIMATIC IT. Enable the usage of the SIMATIC Logon.

Figure 2-34 SIMATIC Logon Import Tool – Enable/ Disable

Continue with “Next” after acknowledging the message that SIMATIC IT has to be restarted in order for the changes to take effect.

Figure 2-35 SIMATIC Logon Import Tool

Choose the validation type you want to apply. Choose the “Windows Domain User validation (SIMATIC Logon needed)”.

Figure 2-36 SIMATIC Logon Import Tool

Continue with the “Next >” button.

Figure 2-37 SIMATIC Logon Import Tool

Continue with the “Add” button.

Figure 2-38 SIMATIC Logon Import Tool

Open the extended input option with the button “Advanced…”

Enter in the field “From this location” the right domain directory and use the button “Find Now”. A list with all users and groups of the domain will be displayed.

Figure 2-39 SIMATIC Logon Import Tool

From this display select the users to add. As mentioned in an earlier chapter, the users and groups were created with names matching the predefined group names of SIMATIC IT. Therefore it is possible to filter all possible users and groups inside this dialog.

Continue with the “OK” button.

The selected groups are shown in the following picture.

Figure 2-40 SIMATIC Logon Import Tool

Continue with the “OK” button.

Figure 2-41 SIMATIC Logon Import Tool

Continue with the “Proceed” button.

A message is shown that no Administrators were found. You are asked if you want to assign one of the listed users to the Administrator group.

Figure 2-42 SIMATIC Logon Import Tool

Press the “Yes” button.

Figure 2-43 SIMATIC Logon Import Tool

Choose an administrator and press “OK”.

At the end of the import you have a summary in the window text.

Figure 2-44 SIMATIC Logon Import Tool

Press the “Finish” button.

As the message box shown previously asked for a restart of SIMATIC IT, restart the system now.

After the reboot of the computer, start the User Manager in SIMATIC IT. “Tools > User Manager”

Figure 2-45 User Manager

Figure 2-46 User Manager – User View

The users in red are imported from the Windows Active Directory domain, while the user “Manager” is the built-in user.

If you want to use the built-in user, you have to disable SIMATIC Logon inside of SIMATIC IT.

It is possible to modify the group membership and user rights using the “Modify” menu.

Figure 2-47 User Manager

In the tab Group membership you can choose one of the available groups.

Figure 2-48 User Manager – Modify user

From the SIMATIC User Manager you can display the predefined groups for SIMATIC IT.

Figure 2-49 User Manager – Group view

If the predefined groups do not match your needs, it is possible to add a new group.

After assigning all imported users to a group, it might look like this.

Figure 2-50 User Manager – Imported users

NOTE In order to log in with the created users, use the “SHIFT + ESC” keys – this opens the login Box.

If you try to log on with a user e.g. the Low level op…

Figure 2-51 SIMATIC Logon Service – One-time logon

… you cannot do this on the servers as the needed rights are not assigned.

Figure 2-52 Resource Access Control – User Logon message

NOTE Make sure to check if the predefined rights meet your needs – otherwise create your own groups with the needed settings.

In SIMATIC IT you can configure local resources for managing the access to different functions – see online help for detailed info.

Figure 2-53 SIMATIC IT configuration of local resources

You can use this for the creation of new groups inside SIMATIC IT.

CAUTION The Login Box does not appear automatically. You have to use the “SHIFT + ESC” keys to activate the login Box.

2.10 Important notes

2.10.1 User for SIMATIC BATCH and SIMATIC PCS 7 OS Multiclient

If you have an operator, engineer or superuser that needs to work on a SIMATIC PCS 7 OS Multiclient that is also a SIMATIC BATCH Client, you have to make sure that the user has the needed SIMATIC PCS 7 OS and SIMATIC BATCH rights.

NOTE If you use the SIMATIC Logon software on a computer and you log on as “UserX”, every installed SIMATIC software on this computer which is using SIMATIC Logon is using this “UserX”. If you log off “UserX” in one application, this user is logged off in all applications on this computer.

As in SIMATIC BATCH, only one user group or one user can be assigned to a role, this influences the chosen strategy.

We created general groups inside the domain:

• superusers

• operators

• engineers

• …..

Figure 2-54 properties of the group superusers

We assigned in the “superusers” group the users “CCsuperuser” and “SBsuperuser”.

This allows us to configure the SIMATIC BATCH “Super user” predefined role with this “superusers” group.

Figure 2-55 Configuring SIMATIC BATCH

Then we also configure the SIMATIC PCS 7 OS Multiclient with this “superusers” group. In that way, even on a mixed installation, it is possible to log on using either the “CCsuperuser” or the “SBsuperuser” user and both applications are operable. The same strategy can be applied to the other groups (operators, engineers,…).

Figure 2-56 Configuring SIMATIC PCS 7 OS

2.10.2 Display name of the user

SIMATIC BATCH displays the full name (if available) as the username on the Windows screen. Keep this in mind especially on machines with SIMATIC PCS 7 OS Multiclient and SIMATIC BATCH Client installed. It is possible that the SIMATIC BATCH Client shows the full name while the SIMATIC PCS 7 OS Multiclient shows only the name (you can define the behaviour from the OS project editor).

Figure 2-57 OS project editor setting Display “Username” and “User ID”

If you choose “User ID” in the Display option of the project editor, the name is displayed as follows:

Figure 2-58 Name of the domain user

If you choose “User name” instead the display shows the Display name of the domain user:

Figure 2-59 Display name of the domain user

This is simply due to the settings inside the domain.

Figure 2-60 Settings inside the domain

2.10.3 Domain Policies

As we are working in a domain the policies of the domain will be applied to the computers in the domain.

You will e.g. find the settings for the passwords in the following path of a GPO: “Default domain policy\Windows setting\security settings\account policies\password policy”.

This means that e.g. the settings from:

• Enforce password history

• Maximum password age

• Minimum password age

• Minimum password length

• Password must meet complexity requirements

• Store passwords using reversible encryption

will be applied from there.

If the standard settings apply you can change e.g. the password only once a day.
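The six settings listed above can be reviewed with a short script. The following is an added example, not part of the original Siemens document. It assumes the ActiveDirectory PowerShell module for the live call shown in the final comment. The function name, the sample policy object and the baseline values are constructed here and must be replaced by your site's own requirements.

```powershell
# Added example: review the domain password policy that SIMATIC Logon users inherit.
# Baseline thresholds are site-defined assumptions, not values from the Siemens document.
function Test-PasswordPolicy {
    [CmdletBinding()]
    param(
        # Object shaped like the output of Get-ADDefaultDomainPasswordPolicy.
        [Parameter(Mandatory)] $Policy,
        [int]$MinHistory = 12,   # assumed baseline
        [int]$MaxAgeDays = 90,   # assumed baseline
        [int]$MinLength  = 12    # assumed baseline
    )

    $maxDays = $Policy.MaxPasswordAge.Days
    $minDays = $Policy.MinPasswordAge.Days

    $checks = @(
        @{ Setting = 'Enforce password history'
           Value   = $Policy.PasswordHistoryCount
           Ok      = $Policy.PasswordHistoryCount -ge $MinHistory
           Note    = "baseline: at least $MinHistory remembered passwords" }
        @{ Setting = 'Maximum password age (days)'
           Value   = $maxDays
           # A maximum age of 0 is treated here as "passwords never expire".
           Ok      = ($maxDays -gt 0) -and ($maxDays -le $MaxAgeDays)
           Note    = "baseline: between 1 and $MaxAgeDays days" }
        @{ Setting = 'Minimum password age (days)'
           Value   = $minDays
           # With 0 days a user can cycle through the history immediately;
           # the minimum age must also stay below the maximum age.
           Ok      = ($minDays -ge 1) -and (($maxDays -eq 0) -or ($minDays -lt $maxDays))
           Note    = "a password can be changed once every $minDays day(s)" }
        @{ Setting = 'Minimum password length'
           Value   = $Policy.MinPasswordLength
           Ok      = $Policy.MinPasswordLength -ge $MinLength
           Note    = "baseline: at least $MinLength characters" }
        @{ Setting = 'Password must meet complexity requirements'
           Value   = $Policy.ComplexityEnabled
           Ok      = [bool]$Policy.ComplexityEnabled
           Note    = 'expected: enabled' }
        @{ Setting = 'Store passwords using reversible encryption'
           Value   = $Policy.ReversibleEncryptionEnabled
           Ok      = -not $Policy.ReversibleEncryptionEnabled
           Note    = 'expected: disabled' }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting = $c.Setting
            Value   = $c.Value
            Status  = $(if ($c.Ok) { 'OK' } else { 'REVIEW' })
            Note    = $c.Note
        }
    }
}

# Constructed sample policy so the function can be tried without a domain.
$samplePolicy = [pscustomobject]@{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}

Test-PasswordPolicy -Policy $samplePolicy | Format-Table -AutoSize

# On a domain member with the ActiveDirectory module installed:
#   Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```

The "Minimum password age" row shows how often a SIMATIC Logon user can change the password, which is the once-a-day behaviour described above.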

2.10.4 Backup Licenses before moving computer from domain to workgroup

If you are upgrading computers from the previous Integration Pack version to the new version, you already have some licenses on the hard disk. If you take the computers out of the domain to bring a fresh Windows installation onto your system, make sure to save your licenses before removing the computer from the domain. From the workgroup you might no longer have access to the licenses because the user is no longer recognized.

Figure 2-61 Automation License Manager

2.10.5 Using the Default User option from SIMATIC Logon

In the general settings of the SIMATIC Logon you can set the login with a DefaultGroup and a Default User.

Figure 2-62 Default User

NOTE In contrast to all other users, the "Default group" and the "Default user" cannot be listed in the Windows User Management. The "Default user" is a member of the "Default group" and "Emergency_operator" groups. You specify the rights of these roles in the specific applications.

You can use this setting for your applications in the following way.

Log on to SIMATIC IT with a default user

To use this feature on a SIMATIC IT computer in the domain, you have to add the used “Default User” login locally to the User Manager of SIMATIC IT. In the User view you have to add the “Default User” and give it the appropriate group membership. Once you start the SIMATIC IT management console, this “Default User” is taken automatically and logs in to SIMATIC IT with the assigned rights.

NOTE As this user is logged in automatically, every person who has physical access to this computer has the rights which are assigned to this “Default User”. This might be a security issue.

NOTE The name “Default User” can be whatever name you like. The same applies to the “DefaultGroup”.

Log on to SIMATIC PCS 7 OS/ SIMATIC BATCH with a default user

You can use this feature on a SIMATIC PCS 7 OS/ SIMATIC BATCH computer in the domain to have a user logged in automatically after the system starts up. This user has no rights in SIMATIC BATCH.

3 Adding a new user

The following steps are used to assign a new user with appropriate permissions to access the different SIMATIC software with SIMATIC Logon.

A new SIMATIC User named “New.User” needs to have the following access:

• SIMATIC PCS 7 OS (as CCsuperuser)

• SIMATIC IT (as Developer)

• SIMATIC BATCH (as SBengineer)

All users in your plant might be located in an Active Directory organizational unit called “Plantusers”. There you have to create the user.

Figure 3-1 Properties of the New.User

The user has to be created with the appropriate settings and naming conventions for your plant.

Add the new user to the appropriate Windows groups. In our case the New.User is a member of the CCsuperusers, Developers and SBengineers. The Domain Users group is applied automatically from Active Directory.

Figure 3-2 Properties of the New.User

This new user can be used immediately to log on to the SIMATIC software with the appropriate rights assigned previously. In this example, the new user is performing the logon in SIMATIC BATCH.

Figure 3-3 Logon with the new account

Of course the domain specific settings apply to the new login, e.g. pass-word expiration, user has to change password at first login (recommended).

Figure 3-4 Logon with the new account

After the logon to SIMATIC BATCH is complete, the user “New.User” is also logged in to the SIMATIC PCS 7 Multiclient.

Figure 3-5 Logon with the new account
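The procedure in this section, scripted with the Windows ActiveDirectory PowerShell module, followed by a least-privilege check of the resulting group membership. This is an added example, not part of the original Siemens document; it assumes that the module is installed, that exactly one OU named “Plantusers” exists, that the three groups already exist under those names, and that the UPN suffix is the domain's DNS root.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original document): create "New.User" in the
# "Plantusers" OU, add it to the three groups named in section 3, then audit
# the result. OU lookup by name and the UPN suffix are assumptions.

$samName        = 'New.User'
$expectedGroups = 'CCsuperusers', 'Developers', 'SBengineers'  # group names from the document
$implicitGroups = 'Domain Users'                               # applied automatically by AD

# Locate the OU; stop if it is missing or ambiguous.
$ou = @(Get-ADOrganizationalUnit -Filter "Name -eq 'Plantusers'")
if ($ou.Count -ne 1) { throw "Expected exactly one OU named Plantusers, found $($ou.Count)." }

# Fail early if a group is missing, so no half-provisioned account is left behind.
foreach ($g in $expectedGroups) { Get-ADGroup -Identity $g -ErrorAction Stop | Out-Null }

# Prompt for the initial password instead of embedding it in the script.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $samName"

New-ADUser -Name $samName -SamAccountName $samName `
    -UserPrincipalName "$samName@$((Get-ADDomain).DNSRoot)" `
    -Path $ou[0].DistinguishedName `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

foreach ($g in $expectedGroups) { Add-ADGroupMember -Identity $g -Members $samName }

# Audit: the account must hold exactly the intended groups plus Domain Users.
# Any extra or missing group is reported and treated as an error.
$actual = Get-ADPrincipalGroupMembership -Identity $samName |
    Select-Object -ExpandProperty SamAccountName
$diff = Compare-Object -ReferenceObject ($expectedGroups + $implicitGroups) `
                       -DifferenceObject $actual
if ($diff) {
    $diff | Format-Table InputObject, SideIndicator
    throw "Group membership of $samName differs from the intended set."
}
"OK: $samName is a member of exactly: $(($actual | Sort-Object) -join ', ')"
```

The audit lists direct memberships only; rights inherited through nested groups need a separate review.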

4 References

The following documents, help files and FAQs were used in setting up the test environment.

World Wide Web

http://www.fda.gov

SIMATIC Logon Electronic Signature

http://support.automation.siemens.com/WW/view/en/22657587

Security Handbook

http://support.automation.siemens.com/WW/view/en/26462131 (English)

SIMATIC Logon readme and manuals

C:\Program Files\SIEMENS\SimaticLogon\manuals\*

C:\Program Files\SIEMENS\SimaticLogon\*

SIEMENS online help

bfhelp_b.chm

ps7bas_b.chm

slhelp_b.chm

WinCCInformationSystem.chm

5 Abbreviations

Several abbreviations are used in this manual. The corresponding complete names are listed here.

Table 5-1

Abbreviation    Complete name
AD              Active Directory
ALM             Authorization License Manager
BCC             Batch Control Center
CAB             Client Application Builder
CFR             Code of Federal Regulations
CP              Communication Processor
DB              Data Base
DHCP            Dynamic Host Configuration Protocol
DNS             Domain Name Service
ES              Engineering System
FAQ             Frequently Asked Question
FDA             Food and Drug Administration
HF              Hot Fix
HMI             Human Machine Interface
IP              Internet Protocol
MUI             Multilanguage User Interface
OS              Operator Station
PLC             Programmable Logic Controller
SIT             SIMATIC IT
SQL             Structured Query Language
SP              Service Pack
WINS            Windows Internet Naming Service