SIMATIC WinCC (TIA Portal) RT - User administration and access protection

Efficient and GMP-compliant


Not all of the functions of a machine or plant may be carried out by every user. Many tasks require special qualifications or are restricted by the process to special user groups. Carrying them out requires rights that are assigned to special user groups and users. WinCC (TIA Portal) supports the user in creating and managing user groups and users and in assigning the required rights in engineering and during runtime.

The separation of authorizations and users allows efficient user administration with reduced engineering effort. In the engineering system, user groups are defined which group together the configured authorizations in a task-oriented way. For example, the user group "Production planning" can change recipe data records, set system parameters, and log process values. The necessary authorizations are assigned to the corresponding objects in the project.

The actual users can then be added to the user administration with a user name or user ID and password, even during operation, and assigned to a user group without any further changes to the configuration. In this way, the unambiguous identification of users, e.g. for Audit Trails, can be managed with minimal engineering effort.

All local operator stations are included in the user administration, as well as the standard and WebNavigator or DataMonitor clients for a SCADA system on the basis of WinCC Runtime Professional. If system-wide user administration is required, the SIMATIC Logon central user administration system can be activated as of Comfort or Multi Panels.

In this case, SIMATIC Logon takes over the user administration from the local operating systems in cooperation with Windows. If communication to the central component SIMATIC Logon is interrupted, the users are then only checked locally on the HMI system. Depending on the target system, SIMATIC Logon can be installed on the HMI system itself or on another remote PC in the network or a domain controller. When SIMATIC Logon is used, the use of a chip card reader for user authentication is also supported.

The integration with SIMATIC Logon provides all usable target systems with functions such as formulation rules for passwords, password aging, automatic logout after a pre-defined time, and lock-out after several incorrect password entries, and therefore provides maximum operating security. For Comfort Panels, Multi Panels and WinCC Runtime Advanced, comparable functions are already included in the local HMI user administration system. Both solutions therefore fulfill the requirements according to FDA 21 CFR Part 11.