Configuration Instruction

SIMATIC PCS 7 – SIMATIC IT – Integration PCS 7 / SIMATIC IT Integration Pack 2007

SIMATIC Logon in a domain

Warranty, liability and support

Copyright © Siemens AG 2008 All rights reserved

26639558

NOTE

The application examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The application examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are correctly used. These application examples do not relieve you of the responsibility of safely and professionally using, installing, operating and servicing equipment. When using these application examples, you recognize that Siemens cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these application examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications - e.g. Catalogs - then the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us - based on whatever legal reason - resulting from the use of the examples, information, programs, engineering and performance data etc., described in this application example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). However, claims arising from a breach of a condition which goes to the root of the contract shall be limited to the foreseeable damage which is intrinsic to the contract, unless caused by intent or gross negligence or based on mandatory liability for injury of life, body or health. The above provisions do not imply a change in the burden of proof to your detriment. Copyright © 2008 Siemens A&D. It is not permissible to transfer or copy these application examples or excerpts of them without first having prior authorization from Siemens A&D in writing. For questions about this document please use the following e-mail address: mailto:[email protected]

V2.0

02.06.08

2/66

Table of Contents

Table of Contents ... 3
1 Introduction to SIMATIC Logon ... 4
1.1 In general ... 4
1.2 Installing SIMATIC Logon ... 5
1.3 SIMATIC Logon Service ... 6
1.4 SIMATIC Logon Role management ... 7
1.5 SIMATIC Logon Event log Viewer ... 7
1.6 SIMATIC Electronic signature ... 7
1.7 SIMATIC Logon Development Kit ... 8
1.8 FDA 21 CFR Part 11 Support ... 8
1.9 Test environment ... 9
1.9.1 Equipment for the Windows active directory domain ... 10
1.9.2 Installed software ... 11
    Operating systems ... 11
    SIMATIC software ... 11
2 SIMATIC Logon Configuration ... 12
2.1 Preparations inside the Windows domain ... 12
2.2 Active directory for SIMATIC Software ... 13
2.3 Active directory for Windows ... 16
2.4 Configuring SIMATIC Logon ... 17
2.5 SIMATIC Automation License Manager (ALM) ... 21
2.6 SIMATIC PCS 7 OS Server and Multiclient ... 28
2.7 SIMATIC BATCH ... 30
2.8 SIMATIC Engineering System ... 35
2.9 SIMATIC IT Servers ... 38
2.10 Important notes ... 53
2.10.1 User for SIMATIC BATCH and SIMATIC PCS 7 OS Multiclient ... 53
2.10.2 Display name of the user ... 55
2.10.3 Domain Policies ... 57
2.10.4 Backup Licenses before moving computer from domain to workgroup ... 58
2.10.5 Using the Default User option from SIMATIC Logon ... 59
    Login on to SIMATIC IT with a default user ... 59
    Login on to SIMATIC PCS 7 OS/ SIMATIC BATCH with a default user ... 60
3 Adding a new user ... 61
4 References ... 65
5 Abbreviations ... 66


1 Introduction to SIMATIC Logon

1.1 In general

With SIMATIC Logon, you can assign authorizations for SIMATIC applications and plant areas. The following software components belong to SIMATIC Logon:

Table 1-1

Component | Description
SIMATIC Logon service | Central access protection for SIMATIC applications and plant areas
SIMATIC Logon Role Management | Administration of application policies and their assignment to Windows groups, including the assignment of permissions.
SIMATIC Logon Eventlog Viewer | A component which handles the logging and visualization of events for an application.
SIMATIC Electronic Signature | Used to create electronic signatures for status transitions and user intervention in the process
SIMATIC Logon Development Kit | The Development Kit is designed for use by programmers who want to integrate SIMATIC Logon in customer applications.

SIMATIC Logon components are only available to applications in which the SIMATIC Logon components have been integrated. The SIMATIC Logon components are integrated, for example, in the following applications:
• SIMATIC Automation License Manager (ALM)
• SIMATIC PCS 7 OS
• SIMATIC BATCH
• SIMATIC STEP 7
• SIMATIC IT

NOTE

SIMATIC Logon users must be direct members of a Windows domain. These users may not be members of a subdomain of a Windows domain.

This document provides an overview of how to set up the SIMATIC Logon tool with the different SIMATIC software components.


1.2 Installing SIMATIC Logon

SIMATIC Logon is installed with a setup program. The following components are installed with the setup:
• SIMATIC Logon Service
• SIMATIC Logon Role management
• SIMATIC Logon Event Log
• SIMATIC Electronic Signature

The version installed with the Integration Pack 2007 is V1.4 SP1.

You will find the SIMATIC Logon software on the SIMATIC PCS 7 or SIMATIC IT DVD.

Figure 1-1 Installing SIMATIC Logon

NOTE

As of PCS 7 V7.0 SP1, SIMATIC Logon requires no license key in PCS 7.

The license key for SIMATIC Logon is included with every software package for SIMATIC PCS 7 PC stations (reinstallation and updates).

Figure 1-2 Contract License in SIMATIC PCS 7 V7.0 SP1

NOTE

A license for the version V1.4 SP1 is needed to use SIMATIC Logon on a SIMATIC IT machine.

Figure 1-3 Message on a pure SIMATIC IT computer

1.3 SIMATIC Logon Service

SIMATIC Logon Service is the basis for SIMATIC Logon. The SIMATIC Logon Service implements access protection for applications (for example, SIMATIC BATCH or WinCC). The access protection is based on mechanisms of the Windows operating system. The user logs on and off of the application through the SIMATIC Logon Service. SIMATIC Logon records the following events:
• Successful logon
• Failed logon attempt
• Authentication of a user
• Logoff by user
• Automatic logoff
• Password change

The recorded events can be viewed using the SIMATIC Logon Event Log Viewer.

1.4 SIMATIC Logon Role management

The SIMATIC Logon Role Management is the group of SIMATIC Logon components used to create roles and to assign groups and users of the operating system, as well as function rights, to roles. A role contains the rights of groups/users within applications to perform specific actions (for example, transferring data). Role management is used to regulate access to applications and functions by users and groups. Access protection forces users to log on to the system if they want to use an application or function. Assigning specific tasks to roles simplifies the task of assigning rights to users and groups.

User management is based on the users and groups of the operating system. SIMATIC Logon Role Management is started from the user interface of the application in which this service is embedded. It cannot be started in Windows.

1.5 SIMATIC Logon Event log Viewer

The SIMATIC Logon Event Log Viewer is a component that records and displays events for an application. The recording of events is triggered by the application; the display occurs in the SIMATIC Logon Event Log Viewer. Events are saved in the "EventLog.mdb" database. After installation with default settings, this database is located in the directory "...\SIMATICLogon\Logging". It is recommended to back up the database at short intervals. This protects against loss of data (in the event of hard disk failure, for example). To prevent damage to the database, do not perform the backup while applications are running. If no database exists, a new database is created automatically.

1.6 SIMATIC Electronic signature

SIMATIC Electronic Signature is the SIMATIC Logon component that can be used to create an electronic signature. An electronic signature is a verification created and archived to fulfill a requirement such as important or critical operator input in an automation system. These verifications contain information about an operation, for example:
• Name of the person or persons responsible for performing the operation
• Date and time of the operation to be performed
• Significance of the signatures (an authorization, for example)
• Author (for example, of a Batch recipe).

1.7 SIMATIC Logon Development Kit

The Development Kit is intended for programmers who wish to integrate SIMATIC Logon in a customer application.

You will find the following files in the directory "...\SimaticLogon\developmentkit":
• SL_ProgrammingGuide.pdf: contains the English language manual "SIMATIC Logon Development Kit; Programming Guide".
• SL_Example.zip: contains an example application. The SIMATIC Logon Development Kit programming guide uses this example application to demonstrate how to integrate SIMATIC Logon in a customer application.

1.8 FDA 21 CFR Part 11 Support

In plants monitored and controlled by process control systems, there are special requirements relating to access to functions and plant areas. The following requirements are important for the validation of plants:
• User management for assigning access rights to avoid unauthorized or unwanted access to the plant
• Creation and archiving of verification of important or critical actions

SIMATIC Logon and SIMATIC Electronic Signature simplify the validation of plants in conformity with FDA 21 CFR Part 11. These globally recognized guidelines and requirements were formulated by the U.S. FDA (Food and Drug Administration).


1.9 Test environment

The following schema provides an overview of the test environment which is used to configure SIMATIC Logon for the different SIMATIC software components.

Figure 1-4: Schema of the Windows active directory domain computers

A private IP address range with fixed IP addresses is used.


1.9.1 Equipment for the Windows active directory domain

• 2 Windows active directory domain controllers (DNS, WINS)
• 2 SIMATIC PCS 7 OS Servers (redundant)
• 2 SIMATIC BATCH Servers (redundant)
• 1 SIMATIC PCS 7 Engineering System (ES)
• 2 SIMATIC PCS 7 OS Multiclient + SIMATIC BATCH Client
• 1 SIMATIC IT Production Modeler
• 1 SIMATIC IT Historian + PPA DB
• 1 SIMATIC IT Report Manager/ CAB engineering
• 1 SIMATIC IT components software + SITMesDB
• 1 SIMATIC AS CPU 417 with a CP 443-1

1.9.2 Installed software

Operating systems

The operating systems used for the domain computers are listed in the following table.

Table 1-2

Station | Installation
Server | Windows 2003 MUI (Multilanguage User Interface) with SP2; Internet Explorer V6.0 SP2 (6.0.3790.3959); Image software
Client | Windows XP SP2; Image software
Domain Controller | Windows 2003 MUI (Multilanguage User Interface) with SP2; Internet Explorer V6.0 SP2 (6.0.3790.3959)

SIMATIC software

SIMATIC software and its required software packages (e.g. message queuing, SQL Server 2005 with SPx, ...) are installed as needed. The installed software for SIMATIC PCS 7 and SIMATIC IT is the released “Integration Pack 2007” on top of the released SIMATIC versions.

Table 1-3

Product | Version
SIMATIC PCS 7 | V7.0 SP1; Microsoft SQL 2005 SP1 HF; PCS 7 / SIMATIC IT Integration Pack 2007 Part1; Updates SIMATIC PCS 7
SIMATIC IT | V6.3 SP1; Microsoft SQL 2005 SP2; PCS 7 / SIMATIC IT Integration Pack 2007 Part2; Updates SIMATIC IT

A detailed list of the installed SIMATIC software can be found in attachment A of the document “SIMATIC software in a domain”.


2 SIMATIC Logon Configuration

The SIMATIC Logon software is used to manage access control for the different SIMATIC software packages. It allows the system administrator to give users only the rights they need inside the SIMATIC applications.

2.1 Preparations inside the Windows domain

NOTE

There are many ways to set up an environment and the user access permissions. This document provides one possible solution. This example can be adapted to meet your specific needs.

In the test environment the following SIMATIC software uses SIMATIC Logon:
• SIMATIC ALM
• SIMATIC PCS 7 OS Server and Multiclient
• SIMATIC BATCH
• SIMATIC ES
• SIMATIC IT

For these software packages we added organizational units inside the Windows 2003 Active Directory:
• OrgUnitALM
• OrgUnitCC
• OrgUnitSB
• OrgUnitSIT

These organizational units contain active directory domain local security groups with the users which are used to log on to the different SIMATIC software. A general description of the structure of the test environment can be found in the knowledge document: “SIMATIC software in a domain”.


2.2 Active directory for SIMATIC Software

For the test environment, we created group names and user names that are nearly identical. The groups have an “s” at the end, while the users represent some possible use cases for users and their rights, e.g. the user “operator” for SIMATIC OS is called “CCoperator” and the corresponding group is called “CCoperators”.


Figure 2-1: Active directory “OrgUnitCC” with users and groups

Figure 2-2: Active directory “OrgUnitSB” with users and groups


Figure 2-3: Active directory “OrgUnitSIT” with users and groups

Figure 2-4 Active directory “OrgUnitAlm” with users and groups


In the following table the users and groups for the SIMATIC software used in the test environment are listed:

Table 2-1

OrgUnit | Name (Login) | Group (Rights) | Comment
OrgUnitSB | SBauto | SBautos | Automation engineer (predefined user group from SIMATIC BATCH)
OrgUnitSB | SBsuperuser | SBsuperusers | Super user (predefined user group from SIMATIC BATCH)
OrgUnitSB | SBoperator | SBoperators | Operator (predefined user group from SIMATIC BATCH)
OrgUnitSB | SBshift | SBshifts | Shift manager (predefined user group from SIMATIC BATCH)
OrgUnitSB | SBfactory | SBfactorys | Factory manager (predefined user group from SIMATIC BATCH)
OrgUnitSB | SBengineer | SBengineers | Process engineer (predefined user group from SIMATIC BATCH)
OrgUnitSB | SBemergency | SBemergencys | Emergency operator (predefined user group from SIMATIC BATCH)
OrgUnitCC | CCsuperuser | CCsuperusers | Super user (user group for SIMATIC OS)
OrgUnitCC | CCengineer | CCengineers | Process engineer (user group for SIMATIC OS)
OrgUnitCC | CCoperator | CCoperators | Operator (user group for SIMATIC OS)
OrgUnitCC | CCemergency | CCemergencys | Emergency operator (user group for SIMATIC OS)
OrgUnitSIT | Administrators | Administratorss | Administrators (predefined user group from SIMATIC IT)
OrgUnitSIT | Developer | Developers | Developer (predefined user group from SIMATIC IT)
OrgUnitSIT | High Level Op | High Level Ops | High Level Op (predefined user group from SIMATIC IT)
OrgUnitSIT | Low Level Op | Low Level Op | Low Level Op (predefined user group from SIMATIC IT)
OrgUnitSIT | Maintenance Op | Maintenance Ops | Maintenance Op (predefined user group from SIMATIC IT)
OrgUnitALM | ALM Administrator | - | Administrator (predefined user group from ALM)
OrgUnitALM | ALM Licenser | - | Administrator (predefined user group from ALM)
OrgUnitALM | ALM Power User | - | Administrator (predefined user group from ALM)
OrgUnitALM | ALM User | - | Administrator (predefined user group from ALM)

NOTE

The user names and groups are just an example. In a real plant the users will be the users of your Windows domain, following its naming convention.

2.3 Active directory for Windows

We created an organization unit called “OrgUnitWindows” with a domain local security group called “ADLocalPowerUsers”. This security group contains a user called “WindowsLogin” which is used to start each Windows domain computer (SIMATIC PCS 7 OS Server/ Multiclient, SIMATIC BATCH, ...) with local power user rights.

Figure 2-5: Active directory “OrgUnitWindows” with users and groups


NOTE

The group “ADLocalPowerUsers” has to be added to the local “Power Users” group of each computer in the domain. We do this in an automated way. This is described in the document “SIMATIC software in a domain”.

NOTE

Due to some restrictions running SIMATIC IT with a login which is a member of the local “Power Users” group we are running the SIMATIC IT computers with an administrative login. For further details see the “SIMATIC software in a domain” document.

2.4 Configuring SIMATIC Logon

NOTE

To be able to work with SIMATIC Logon the following Windows group is mandatory: “Logon_Administrator”. One or more users can be assigned to the “Logon_Administrator” group, such as a user called “logon”.

Figure 2-6: The mandatory Windows group and a user for the group
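The Active Directory structure of sections 2.2 to 2.4 can also be provisioned by script. The following PowerShell script is an added example, not part of the Siemens document; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later, so not the Windows 2003 controllers of the test environment), a run on a domain controller with domain administrator rights, that the "Logon_Administrator" group and the "logon" user go into the default Users container, and it applies the "user name + s" group convention uniformly (so it creates "Low Level Ops" where Table 2-1 lists "Low Level Op").

```powershell
# Added example (not from the Siemens document): create the OUs, domain local security
# groups and example users of Table 2-1, the OrgUnitWindows objects (section 2.3) and the
# mandatory Logon_Administrator group (section 2.4). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local (constructed)
$UsersCN  = "CN=Users,$DomainDN"                      # assumption: default Users container

# OU -> user names from Table 2-1; each user gets a group named "<user>s" (section 2.2)
$Structure = [ordered]@{
    'OrgUnitSB'  = @('SBauto', 'SBsuperuser', 'SBoperator', 'SBshift',
                     'SBfactory', 'SBengineer', 'SBemergency')
    'OrgUnitCC'  = @('CCsuperuser', 'CCengineer', 'CCoperator', 'CCemergency')
    'OrgUnitSIT' = @('Administrators', 'Developer', 'High Level Op',
                     'Low Level Op', 'Maintenance Op')
}

function New-LogonOU {
    # Returns the DN of the OU, creating it directly under the domain root if missing.
    param([string]$Name)
    $ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $DomainDN -PassThru
    }
    return $ou.DistinguishedName
}

function New-LogonGroup {
    # Domain local security group, the scope used in the test environment (section 2.1).
    param([string]$Name, [string]$Path)
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$Name)")) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope DomainLocal `
                    -GroupCategory Security -Path $Path | Out-Null
    }
}

function New-LogonUser {
    # Creates the user if missing and makes it a member of the given groups.
    # The initial password is entered interactively so that none is stored in the script.
    param([string]$Name, [string]$Path, [string[]]$Groups)
    if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$Name)")) {
        $pw = Read-Host -AsSecureString -Prompt "Initial password for $Name"
        New-ADUser -Name $Name -SamAccountName $Name -Path $Path -AccountPassword $pw `
                   -Enabled $true -ChangePasswordAtLogon $true
    }
    foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $Name }
}

# Section 2.2: one OU per SIMATIC product, one user and one matching group per role
foreach ($ouName in $Structure.Keys) {
    $ouPath = New-LogonOU -Name $ouName
    foreach ($user in $Structure[$ouName]) {
        $group = "${user}s"
        New-LogonGroup -Name $group -Path $ouPath
        New-LogonUser  -Name $user  -Path $ouPath -Groups $group
    }
}

# ALM users: Table 2-1 lists no group for them; they are mapped to ALM roles in section 2.5
$almPath = New-LogonOU -Name 'OrgUnitALM'
foreach ($user in 'ALM Administrator', 'ALM Licenser', 'ALM Power User', 'ALM User') {
    New-LogonUser -Name $user -Path $almPath -Groups @()
}

# Section 2.3: OrgUnitWindows with ADLocalPowerUsers containing WindowsLogin
$winPath = New-LogonOU -Name 'OrgUnitWindows'
New-LogonGroup -Name 'ADLocalPowerUsers' -Path $winPath
New-LogonUser  -Name 'WindowsLogin' -Path $winPath -Groups 'ADLocalPowerUsers'

# Section 2.4: the mandatory Logon_Administrator group with the user "logon"
New-LogonGroup -Name 'Logon_Administrator' -Path $UsersCN
New-LogonUser  -Name 'logon' -Path $UsersCN -Groups 'Logon_Administrator'

# Check: list who can administer SIMATIC Logon (should only be the intended accounts)
Get-ADGroupMember -Identity 'Logon_Administrator' | Select-Object SamAccountName
```

Re-running the script is safe: existing OUs, groups and users are left untouched and only missing objects and memberships are added.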


After installing the SIMATIC Logon software open the configuration tool: “Start > All Programs > SIMATIC > SIMATIC Logon > Configure SIMATIC Logon”

Figure 2-7 Configure SIMATIC Logon

Log in with the user “logon”. This user is assigned to the “Logon_Administrator” group.

Figure 2-8 SIMATIC Logon Service – Identity check

After logging in, the “Configure SIMATIC Logon” dialog opens.


In the “General” tab you can choose the display language of the configuration tool. You can also make some general settings for the time display, and you can set a Default Group and Default user.


Figure 2-9 Configure SIMATIC Logon – General

NOTE

In contrast to all other users, the "Default group" and the "Default user" cannot be listed in the Windows User Management. The "Default user" is a member of the "Default group" and "Emergency_operator" groups. You specify the rights of these roles in the specific applications.


The “Working environment” tab is used to define whether a domain, the local host or a Logon computer is used.


Figure 2-10 Configure SIMATIC Logon – Working environment

In the “Logon device” tab you can choose the method that is to be used to log on.

Figure 2-11 Configure SIMATIC Logon – Logon device


In the “Automatic logoff” tab you can configure an automatic logoff of the currently logged-on user if the system is not used for a predefined period of time.


Figure 2-12 Configure SIMATIC Logon – Automatic logoff

For additional help and info please see the help file: “C: > Program Files > SIEMENS > SimaticLogon > manuals > slogon_b.pdf” or “C: > Program Files > SIEMENS > SimaticLogon > slhelp_b.chm”

2.5 SIMATIC Automation License Manager (ALM)

The Automation License Manager is used to display the licenses that are installed on your system. By default the ALM does not use user rights management and everybody can use this software (including moving licenses), but you can assign user management via the SIMATIC Logon software. Open the SIMATIC Automation License Manager (ALM):


“Start > All Programs > SIMATIC > License Management > Automation License Manager”


Figure 2-13 Start the ALM

Once ALM is open, start the SIMATIC Logon Role Management using the menu command “File > User management…”

Figure 2-14 SIMATIC Logon Role Management


After the SIMATIC Logon Role Management starts, configure the user management for the ALM.


Figure 2-15 Configure the SIMATIC Logon Role Management


Browse your Windows domain for the users and groups. From there you can drag and drop the appropriate users/groups to the upper part, where you assign them either to new roles or to the four predefined roles (Licenser, Administrator, Power user, User).


Figure 2-16 Configure the SIMATIC Logon Role Management


Assign the ALM users to the right groups of the ALM. You can do this with drag and drop or with copy and paste, as shown in the next picture.


Figure 2-17 Configure the SIMATIC Logon Role Management


This screen capture shows the rights of the predefined “Administrator” group.


Figure 2-18 Configure the SIMATIC Logon Role Management

After assigning the users/groups to their roles choose the menu: “File > Settings…”

Figure 2-19 Configure the SIMATIC Logon Role Management


Select “Activate SIMATIC Logon access protection”.


Figure 2-20 Configure the SIMATIC Logon Role Management

NOTE

The activation is only enabled on the system if the SIMATIC Logon Role Management is installed. These settings have to be made on every computer that has ALM installed.

After activating SIMATIC Logon inside ALM, only users with access rights can access ALM.

Figure 2-21 Configure the SIMATIC Logon Role Management


NOTE

See 2.10.4 for further information in case you upgrade your old domain computers from the last Integration Pack V6.1 SP1 HF4 to the current Integration Pack 2007.

2.6 SIMATIC PCS 7 OS Server and Multiclient

The previous tool "WinCC Adapter", which was delivered with SIMATIC Logon to help you configure your SIMATIC PCS 7 OS project, is no longer available in the new Integration Pack 2007 version. This is because the SIMATIC Logon version used is completely integrated in the WinCC version used.

Prior to this, SIMATIC Logon had to be entered as "wincclogonconnector_x.exe" in the WinCC startup list. To open an existing project you need to delete the entry "wincclogonconnector_x.exe" from the startup list. The entry "wincclogonconnector_x.exe" should not be entered manually in the startup list again. The assignment of Windows groups to SIMATIC PCS 7 OS roles is made in the User Administration of SIMATIC PCS 7 OS. For example, if you want to assign users from the "CCoperators" Windows group to SIMATIC PCS 7 OS, a group with the same name ("CCoperators") must be created in the SIMATIC PCS 7 OS “User Administrator” editor and the corresponding Authorization must be assigned:
• Open the SIMATIC OS project
• Open the editor “User Administrator” in the SIMATIC PCS 7 OS control center
• Create the group(s)
• Assign the Authorizations to each group


Figure 2-22: The “User Administrator” editor

NOTE

You have to enable the check mark "SIMATIC Logon" in order to use SIMATIC Logon within SIMATIC PCS 7 OS. For additional help and info please see the help file.

To configure the SIMATIC PCS 7 OS, you have to start every SIMATIC OS Server and Multiclient project on your engineering system computer and add the groups you have defined in the Windows domain (e.g. “CCoperators”) to the SIMATIC PCS 7 OS inside the “User Administrator” editor. In this way, the correct settings for the use of SIMATIC Logon are available in the project with each download of the SIMATIC PCS 7 project.

2.7 SIMATIC BATCH

To configure SIMATIC BATCH, start the SIMATIC Batch Control Center (BCC) with a user which is a member of the “Logon_Administrator” group, e.g. the user “logon”. This allows the integrated SIMATIC Logon Role Management to be started via the menu command: “Options > Roles Management…”


Figure 2-23 Starting the Roles management of SIMATIC BATCH

In the SIMATIC BATCH software, several roles have been predefined in SIMATIC Logon Role Management:
• Super user
• Factory manager
• Shift manager
• Operator
• Process engineer
• Automation engineer
• Emergency operator

NOTE

It is possible to add new roles if the existing ones do not meet your company regulations.


Figure 2-24: SIMATIC BATCH predefined roles in SIMATIC Logon Admin Tool

In a domain environment after starting the SIMATIC Logon Role Management the groups and users which are defined in the Windows domain are visible in the bottom part (Available assignment types/Available groups and users) of the screen. From there it is possible e.g. via drag and drop to move the appropriate users/groups to the upper part (Configured roles and assignment types).

NOTE

It is only possible to assign one user or group to a role. This behavior affects the planning of the SIMATIC Logon Role Management.

Figure 2-25 Assigning a group


Figure 2-26 Assigning a group

In the BATCH Control Center you see the logged-on user in the bottom right part. To change the logged-on user, double-click on the name of the user. In the "One-time logon" window of the SIMATIC Logon Service you can log off the current user with the "Log off" button. If you press this button, the logoff is performed immediately; no confirmation box asks you to confirm the logoff.

Figure 2-27: SIMATIC BATCH Control Center and the logged in user


After starting the permission management inside the BCC it is possible to view the individual permissions of each role. You open this view from the Permission management of the BCC.


Figure 2-28 Permission Management


In the “Computers and units” tab you can assign the rights of each group for every SIMATIC BATCH Client computer in the environment. A group can have rights on one computer and not on another, i.e. a predefined group can be given access on one computer but no access on another. In the picture this is visible with client03: on this computer every role is configured, while on client02 only the predefined groups Super user, Shift manager and Factory manager are assigned.


Figure 2-29: Start of the permission management inside the BCC

The “View permissions of the logged in user” tab shows the rights of the current user in detail. The “Change log” tab provides an overview of who changed what and when.

2.8 SIMATIC Engineering System

As of PCS 7 V7.0 SP1 the ES is integrated with the SIMATIC Logon software in order to protect projects and subcomponents. Due to this integration, the SIMATIC Logon service STEP 7 software that was provided in the previous Integration Pack V6.1 SP1 HF4 is no longer provided as a separate setup in the Integration Pack 2007.

Access Protection

As of STEP 7 V5.4, you can restrict access to projects and libraries by assigning a password to them. To do this, "SIMATIC Logon" must be installed. You can also enable, disable and display a change log.


If SIMATIC Logon is installed on your computer, the following menu commands are available in the SIMATIC Manager. You can use these commands to manage access protection for a project or library:
• Access Protection > Enable
• Access Protection > Disable
• Access Protection > Manage Users
• Access Protection > Adjust in Multiproject
• Access Protection > Remove Access Protection and Change Log

You activate access protection in SIMATIC Manager with the “Options > Access Protection > Enable” menu command.

Figure 2-30 Enable access protection


If you enable access protection for the first time with this menu command, a dialog opens in which you have to log on with SIMATIC Logon. You are then prompted to assign a project password. The relevant project or library can then only be edited as an authenticated user or after entering the project password.

The “Remove Access Protection and Change Log” menu command removes the access protection as well as the change log of a password-protected project or library. After the access protection has been removed, you can once again edit the project with a STEP 7 version prior to V5.4.

When you open an access-protected project, STEP 7 implicitly requests a logon with user name and password. When the project is closed, you are automatically logged off from the project. Alternatively, you can log on, or change to a different logon, in STEP 7 with the menu command “Options > SIMATIC Logon Service…” in the SIMATIC Manager.


Notes
• To enable or disable access protection, you must be authorized in SIMATIC Logon as project administrator.
• The first time you enable access protection, the project format is changed. You receive a message indicating that the modified project can no longer be edited with older STEP 7 versions.
• The “Options > Access Protection > Remove Access Protection and Change Log” function allows the project or the library to be used with a STEP 7 version lower than V5.4. You do, however, lose the information on the users that are allowed access to this project or library, as well as all change logs.
• The user currently logged on is displayed in the status bar of the SIMATIC Manager.
• The currently logged-on Logon user who enables access protection is entered as the project administrator and is requested to assign the project password the first time access protection is enabled.
• To open an access-protected project, you must be authenticated in SIMATIC Logon as project administrator or project user, or you must know the password.
• Remember that a logged-on user is entered in the project as project administrator when the user opens a project with the project password.


As we installed the SIMATIC Logon software on the engineering system, SIMATIC Logon can also be used on the ES computer. A further use on the SIMATIC ES is the Version Trail, where you can version your projects. You open the Version Trail via “File > Versioned Project > Archive…”.


Figure 2-31: Version trail inside SIMATIC Manager

To retrieve a versioned project, you have to log on.

Figure 2-32 Version trail inside SIMATIC Manager

2.9 SIMATIC IT Servers

To configure SIMATIC IT with SIMATIC Logon, start the SIMATIC Logon Import Tool. This tool imports the Windows groups from the domain. Start the SIMATIC Logon Import Tool via the menu command “Tools > SIMATIC Logon Import Tool”.


Figure 2-33 Start of the SIMATIC Logon Import Tool


On the start page you can enable or disable SIMATIC Logon in SIMATIC IT. Enable the use of SIMATIC Logon.


Figure 2-34 SIMATIC Logon Import Tool – Enable/ Disable

Continue with “Next” after acknowledging the message that SIMATIC IT has to be restarted in order for the changes to take effect.

Figure 2-35 SIMATIC Logon Import Tool


Choose the validation type you want to apply. Choose the “Windows Domain User validation (SIMATIC Logon needed)”.


Figure 2-36 SIMATIC Logon Import Tool

Continue with the “Next >” button.


Figure 2-37 SIMATIC Logon Import Tool

Continue with the “Add” button.

Figure 2-38 SIMATIC Logon Import Tool

Open the extended input options with the “Advanced…” button.


In the “From this location” field, enter the correct domain directory and press the “Find Now” button. A list of all users and groups of the domain is displayed.


Figure 2-39 SIMATIC Logon Import Tool

From this list, select the users to add. As mentioned in an earlier chapter, the users and groups were created with names matching the predefined group names of SIMATIC IT. It is therefore possible to filter all relevant users and groups inside this dialog. Continue with the “OK” button.


The selected groups are shown in the following picture.


Figure 2-40 SIMATIC Logon Import Tool

Continue with the “OK” button.


Figure 2-41 SIMATIC Logon Import Tool

Continue with the “Proceed” button. A message is shown that no Administrators were found. You are asked if you want to assign one of the listed users to the Administrator group.

Figure 2-42 SIMATIC Logon Import Tool

Press the “Yes” button.


Figure 2-43 SIMATIC Logon Import Tool


Choose an administrator and press “OK”.


At the end of the import, a summary is shown in the window.


Figure 2-44 SIMATIC Logon Import Tool

Press the “Finish” button. As the message box shown earlier asked for a restart of SIMATIC IT, restart the system now.


After the reboot of the computer, start the User Manager in SIMATIC IT via “Tools > User Manager”.


Figure 2-45 User Manager

Figure 2-46 User Manager – User View

The users shown in red are imported from the Windows Active Directory domain, while the user “Manager” is the built-in user. If you want to use the built-in user, you have to disable SIMATIC Logon inside SIMATIC IT.


It is possible to modify the group membership and user rights using the “Modify” menu.


Figure 2-47 User Manager


In the “Group membership” tab you can choose one of the available groups.


Figure 2-48 User Manager – Modify user


From the SIMATIC User Manager you can display the predefined groups for SIMATIC IT.


Figure 2-49 User Manager – Group view

If the predefined groups do not match your needs, it is possible to add a new group. After assigning all imported users to a group, the result might look like this:

Figure 2-50 User Manager – Imported users

NOTE

In order to log in with the created users, press the “SHIFT + ESC” keys; this opens the login box.

If you try to log on with a user, e.g. the Low level op…

Figure 2-51 SIMATIC Logon Service – One-time logon

… you cannot do this on the servers, as the needed rights are not assigned.

Figure 2-52 Resource Access Control – User Logon message

NOTE

Make sure to check whether the predefined rights meet your needs; otherwise create your own groups with the needed settings.


In SIMATIC IT you can configure local resources for managing the access to different functions; see the online help for details.


Figure 2-53 SIMATIC IT configuration of local resources

You can use this for the creation of new groups inside SIMATIC IT.

CAUTION

The login box does not appear automatically. You have to press the “SHIFT + ESC” keys to activate the login box.


2.10 Important notes

2.10.1 User for SIMATIC BATCH and SIMATIC PCS 7 OS Multiclient

If you have an operator, engineer or superuser who needs to work on a SIMATIC PCS 7 OS Multiclient that is also a SIMATIC BATCH Client, you have to make sure that the user has the needed SIMATIC PCS 7 OS and SIMATIC BATCH rights.

NOTE

If you use the SIMATIC Logon software on a computer and log on as “UserX”, every installed SIMATIC application on this computer that uses SIMATIC Logon uses this “UserX”. If you log off “UserX” in one application, this user is logged off in all applications on this computer.


As in SIMATIC BATCH only one user group or one user can be assigned to a role, this influences the chosen strategy. We created general groups inside the domain:
• superusers
• operators
• engineers
• …

Figure 2-54 properties of the group superusers


We assigned in the “superusers” group the users “CCsuperuser” and “SBsuperuser”. This allows us to configure the SIMATIC BATCH “Super user” predefined role with this “superusers” group.


Figure 2-55 Configuring SIMATIC BATCH

Then we also configured the SIMATIC PCS 7 OS Multiclient with this “superusers” group. In that way, also on a mixed installation, it is possible to log on using either the “CCsuperuser” or the “SBsuperuser” user and both applications are operable. The same strategy can be applied to the other groups (operators, engineers, …).

Figure 2-56 Configuring SIMATIC PCS 7 OS
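The group strategy described above, as an added PowerShell example (not code from the Siemens document): it creates the general domain groups and fills them with the role-specific users, so that exactly one group per role can later be assigned in the SIMATIC Logon Role Management. Only the group “superusers” and the users “CCsuperuser” and “SBsuperuser” come from the text; the OU path and the operator/engineer user names are assumptions, and the ActiveDirectory PowerShell module (RSAT) is assumed to be installed on the machine where this is run.

```powershell
# Added example, not part of the Siemens document.
# Assumptions: ActiveDirectory module (RSAT) available, run by an account allowed
# to create groups, and the OU distinguished name below is a placeholder.
Import-Module ActiveDirectory

$ouPath = "OU=Plantusers,DC=example,DC=local"   # placeholder: replace with your OU

# One domain group per SIMATIC role, because SIMATIC BATCH accepts only a single
# user or group per role. "superusers" and its two members are from the document;
# the operator and engineer user names are constructed for illustration.
$roleGroups = @{
    "superusers" = @("CCsuperuser", "SBsuperuser")
    "operators"  = @("CCoperator",  "SBoperator")
    "engineers"  = @("CCengineer",  "SBengineer")
}

foreach ($group in $roleGroups.Keys) {
    # Create the group only if it does not exist yet (idempotent re-runs).
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouPath
    }
    foreach ($member in $roleGroups[$group]) {
        # Never silently create accounts here: only add users that already exist.
        if (Get-ADUser -Filter "SamAccountName -eq '$member'") {
            Add-ADGroupMember -Identity $group -Members $member
        } else {
            Write-Warning "User '$member' does not exist; skipping."
        }
    }
}

# Verification: print the members of each group so the assignment can be
# compared with what is configured in the SIMATIC Logon Role Management.
foreach ($group in $roleGroups.Keys) {
    $members = (Get-ADGroupMember -Identity $group |
                Select-Object -ExpandProperty SamAccountName) -join ", "
    Write-Output ("{0}: {1}" -f $group, $members)
}
```

Because only the group name is entered in the Role Management, every later change of who may act as a superuser happens in Active Directory, not in SIMATIC BATCH; the verification loop at the end is what you would re-run after such a change to confirm the group still contains the intended accounts.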

2.10.2 Display name of the user

SIMATIC BATCH displays the full name (if available) as the user name on the Windows screen. Keep this in mind, especially on machines with SIMATIC PCS 7 OS Multiclient and SIMATIC BATCH Client installed. It is possible that the SIMATIC BATCH Client shows the full name while the SIMATIC PCS 7 OS Multiclient shows only the name (you can define the behaviour in the OS project editor).


Figure 2-57 OS project editor setting Display “Username” and “User ID”


If you choose “User ID” in the Display option of the project editor, the name is displayed as follows:

Figure 2-58 Name of the domain user


If you choose “User name” instead, the display shows the display name of the domain user:

Figure 2-59 Display name of the domain user


This is simply due to the settings inside the domain.


Figure 2-60 Settings inside the domain

2.10.3 Domain Policies

As we are working in a domain, the policies of the domain are applied to the computers in the domain. You will, for example, find the settings for passwords in the following path of a GPO: “Default domain policy\Windows setting\security settings\account policies\password policy”. This means that, for example, the settings for
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity requirements
• Store passwords using reversible encryption
are applied from there. If the standard settings apply, you can change the password only once a day.
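To check which of these password policy settings are actually in force before handing domain accounts to operators, the following added PowerShell example (not from the Siemens document) reads the effective default domain password policy and flags values a defender would want changed. The thresholds are assumptions for illustration, not Siemens recommendations, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the Siemens document.
# Reads the Default Domain Policy password settings listed above and reports
# weak values. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Report the six settings named in the text. MinPasswordAge of 1 day is what
# limits users to one password change per day, as noted above.
"Enforce password history:   {0} passwords" -f $policy.PasswordHistoryCount
"Maximum password age:       {0} days"      -f $policy.MaxPasswordAge.TotalDays
"Minimum password age:       {0} days"      -f $policy.MinPasswordAge.TotalDays
"Minimum password length:    {0}"           -f $policy.MinPasswordLength
"Complexity required:        {0}"           -f $policy.ComplexityEnabled
"Reversible encryption:      {0}"           -f $policy.ReversibleEncryptionEnabled

# Thresholds below are illustrative assumptions; adjust to your site policy.
$findings = @()
if (-not $policy.ComplexityEnabled) {
    $findings += "Password complexity is disabled."
}
if ($policy.MinPasswordLength -lt 8) {
    $findings += "Minimum password length is $($policy.MinPasswordLength) (< 8)."
}
if ($policy.PasswordHistoryCount -lt 5) {
    $findings += "Password history remembers only $($policy.PasswordHistoryCount) passwords."
}
# A zero maximum age means passwords never expire (assumption about how the
# cmdlet reports the 'never expires' setting).
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    $findings += "Passwords never expire (MaxPasswordAge = 0)."
}
if ($policy.ReversibleEncryptionEnabled) {
    $findings += "Reversible encryption is enabled; passwords are recoverable from the directory."
}

if ($findings.Count -eq 0) {
    "No findings."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run this on a domain-joined machine as a domain user; reading the policy needs no administrative rights. If a fine-grained password policy (PSO) applies to the SIMATIC accounts, it overrides the default domain policy and has to be checked separately.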

2.10.4 Backup licenses before moving a computer from the domain to a workgroup

If you are upgrading computers from the previous Integration Pack version to the new version, you already have some licenses on the hard disk. If you remove the computers from the domain in order to install a fresh Windows on your system, make sure to save your licenses before removing the computer from the domain: from the workgroup you might no longer have access to the licenses, because the user is no longer recognized.


Figure 2-61 Automation License Manager

2.10.5 Using the Default User option of SIMATIC Logon

In the general settings of SIMATIC Logon you can set the login with a DefaultGroup and a Default User.


Figure 2-62 Default User

NOTE

In contrast to all other users, the "Default group" and the "Default user" cannot be listed in the Windows User Management. The "Default user" is a member of the "Default group" and "Emergency_operator" groups. You specify the rights of these roles in the specific applications.

You can use this setting for your applications in the following way.

Logon to SIMATIC IT with a default user

To use this feature on a SIMATIC IT computer in the domain, you have to add the used “Default User” login locally to the User Manager of SIMATIC IT. In the User view, add the “Default User” and give it the appropriate group membership. Once you start the SIMATIC IT management console, this “Default User” is taken automatically and logs in to SIMATIC IT with the assigned rights.


NOTE

As this user is logged in automatically, every person who has physical access to this computer has the rights assigned to this “Default User”. This might be a security issue.

NOTE

The name “Default User” can be whatever name you like. The same applies to the “DefaultGroup”.

Logon to SIMATIC PCS 7 OS / SIMATIC BATCH with a default user

You can use this feature on a SIMATIC PCS 7 OS / SIMATIC BATCH computer in the domain to have a user logged in automatically after the system has started up. This user has no rights in SIMATIC BATCH.

3 Adding a new user

The following steps are used to assign a new user with the appropriate permissions to access the different SIMATIC software with SIMATIC Logon. A new SIMATIC user named “New.User” needs the following access:
• SIMATIC PCS 7 OS (as CCsuperuser)
• SIMATIC IT (as Developer)
• SIMATIC BATCH (as SBengineer)

All users in your plant might be located in an Active Directory organizational unit called “Plantusers”. There you have to create the user.


Figure 3-1 Properties of the New.User

The user has to be created with the appropriate settings and naming conventions for your plant.


Add the new user to the appropriate Windows groups. In our case, New.User is a member of CCsuperusers, Developers and SBengineers. The Domain Users group is assigned automatically by Active Directory.


Figure 3-2 Properties of the New.User


This new user can immediately be used to log on to the SIMATIC software with the rights assigned above. In this example, the new user logs on in SIMATIC BATCH.


Figure 3-3 Logon with the new account

Of course the domain-specific settings apply to the new login, e.g. password expiration and “user has to change password at first login” (recommended).

Figure 3-4 Logon with the new account
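The steps of this chapter, as one added PowerShell example (not code from the Siemens document): it creates “New.User” in the “Plantusers” OU, forces a password change at first logon as recommended above, adds the account to the CCsuperusers, Developers and SBengineers groups, and verifies the membership. The DC= part of the OU path is a placeholder, the three groups are assumed to exist already, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the Siemens document.
# Assumptions: ActiveDirectory module (RSAT) installed, run by an account that may
# create users in the OU, the DC= part of the path is a placeholder, and the three
# groups already exist in the domain.
Import-Module ActiveDirectory

$ouPath = "OU=Plantusers,DC=example,DC=local"   # placeholder domain
$sam    = "New.User"
$groups = @("CCsuperusers", "Developers", "SBengineers")   # groups from chapter 3

# Ask for the initial password interactively instead of embedding it in a script.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $sam"

if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    # DisplayName is what SIMATIC BATCH shows as the user name (see 2.10.2).
    New-ADUser -Name $sam -SamAccountName $sam -GivenName "New" -Surname "User" `
        -DisplayName "New User" -Path $ouPath `
        -AccountPassword $initialPassword -Enabled $true `
        -ChangePasswordAtLogon $true
} else {
    Write-Warning "User '$sam' already exists; only group membership is updated."
}

foreach ($g in $groups) {
    Add-ADGroupMember -Identity $g -Members $sam
}

# Verification: the account must be a member of every intended group. "Domain Users"
# is added automatically by Active Directory and is therefore not in $groups.
$actual  = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
$missing = $groups | Where-Object { $_ -notin $actual }
if ($missing) {
    Write-Warning ("Missing group membership: " + ($missing -join ", "))
} else {
    "Memberships OK: " + ($actual -join ", ")
}
```

The membership check at the end is the part worth keeping in a change procedure: because SIMATIC Logon resolves rights through these groups, a forgotten Add-ADGroupMember shows up as a failed logon in one application while the others still work, which is harder to diagnose from the applications themselves than from the directory.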


After the logon to SIMATIC BATCH, the user “New.User” is also logged on to the SIMATIC PCS 7 OS Multiclient.


Figure 3-5 Logon with the new account

4 References

The following documents, help files and FAQs were used in setting up the test environment.

World Wide Web
• http://www.fda.gov
• SIMATIC Logon Electronic Signature: http://support.automation.siemens.com/WW/view/en/22657587
• Security Handbook: http://support.automation.siemens.com/WW/view/en/26462131 (English)

SIMATIC Logon readme and manuals
• C:\Program Files\SIEMENS\SimaticLogon\manuals\*
• C:\Program Files\SIEMENS\SimaticLogon\*

SIEMENS online help
• bfhelp_b.chm
• ps7bas_b.chm
• slhelp_b.chm
• WinCCInformationSystem.chm

5 Abbreviations

Several abbreviations are used in this manual. The corresponding complete names are listed here.

Table 5-1

Abbreviation   Complete name
AD             Active Directory
ALM            Authorization License Manager
BCC            Batch Control Center
CAB            Client Application Builder
CFR            Code of Federal Regulations
CP             Communication Processor
DB             Data Base
DHCP           Dynamic Host Configuration Protocol
DNS            Domain Name Service
ES             Engineering System
FAQ            Frequently Asked Question
FDA            Food and Drug Administration
HF             Hot Fix
HMI            Human Machine Interface
IP             Internet Protocol
MUI            Multilanguage User Interface
OS             Operator Station
PLC            Programmable Logical Controller
SIT            SIMATIC IT
SQL            Structured Query Language
SP             Service Pack
WINS           Windows Internet Naming Service