User Administration in WinCC Professional

SIMATIC WinCC Professional V15.1 / SIMATIC WinCC Runtime Professional V15.1 / SIMATIC Logon

Siemens Industry Online Support
https://support.industry.siemens.com/cs/ww/en/view/109767591
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several
components in the form of text, graphics and/or software modules. The application examples are
a free service by Siemens AG and/or a subsidiary of Siemens AG (“Siemens”). They are
non-binding and make no claim to completeness or functionality regarding configuration and
equipment. The application examples merely offer help with typical tasks; they do not constitute
customer-specific solutions. You yourself are responsible for the proper and safe operation of the
products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the
application examples used by technically trained personnel. Any change to the application
examples is your responsibility. Sharing the application examples with third parties or copying the
application examples or excerpts thereof is permitted only in combination with your own products.
The application examples are not required to undergo the customary tests and quality inspections
of a chargeable product; they may have functional and performance defects as well as errors. It is
your responsibility to use them in such a manner that any malfunctions that may occur do not
result in property damage or injury to persons.

Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without
limitation, liability for the usability, availability, completeness and freedom from defects of the
application examples as well as for related information, configuration and performance data and
any damage caused thereby. This shall not apply in cases of mandatory liability, for example
under the German Product Liability Act, or in cases of intent, gross negligence, or culpable loss of
life, bodily injury or damage to health, non-compliance with a guarantee, fraudulent
non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for
damages arising from a breach of material contractual obligations shall however be limited to the
foreseeable damage typical of the type of agreement, unless liability arises from intent or gross
negligence or is based on loss of life, bodily injury or damage to health. The foregoing provisions
do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens
against existing or future claims of third parties in this connection except where Siemens is
mandatorily liable.
By using the application examples you acknowledge that Siemens cannot be held liable for any
damage beyond the liability provisions described.

© Siemens AG 2019 All rights reserved

Other information
Siemens reserves the right to make changes to the application examples at any time without
notice. In case of discrepancies between the suggestions in the application examples and other
Siemens publications such as catalogs, the content of the other documentation shall have
precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.

Security information
Siemens provides products and solutions with industrial security functions that support the secure
operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary
to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept.
Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines
and networks. Such systems, machines and components should only be connected to an
enterprise network or the Internet if and to the extent such a connection is necessary and only
when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends that product updates are applied as soon as they are available
and that the latest product versions are used. Use of product versions that are no longer
supported, and failure to apply the latest updates may increase customer’s exposure to cyber
threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed
at: https://www.siemens.com/industrialsecurity.

User Administration WinCC Prof
Entry-ID: 109767591, V1.0, 07/2019

Table of contents
Legal information
1 Task
1.1 Overview
1.2 Requirements
2 Solution
2.1 Overview
2.2 Hardware and software components
3 Basics
3.1 User administration (general)
3.2 Users, User Groups, and Authorizations
3.2.1 User
3.2.2 User groups
3.2.3 Authorizations
3.2.4 Performance features depending on operating unit
3.3 Functions in the Runtime
3.3.1 Access protection
3.3.2 Logon and logoff via system functions
3.3.3 User login with RFID card reader
3.3.4 Manage users via user display
3.4 Central user administration (WinCC Professional)
3.5 Central user administration ("SIMATIC Logon")
3.5.1 Access protection with "SIMATIC Logon" Service
3.5.2 License protection with "SIMATIC Logon" Role administration
4 Configuration and project engineering
4.1 Hardware setup
4.1.1 Central user administration with a WinCC server
4.2 Project engineering of users, user groups and authorizations
4.2.1 Project engineering of users
4.2.2 Project engineering and assignment of user groups
4.2.3 Project engineering and assignment of authorizations
4.2.4 Optional: Dynamic logon
4.3 Project engineering of access protection and user display
4.3.1 Project engineering of access protection
4.3.2 Login and logout with system functions
4.3.3 Display of the currently logged in users
4.3.4 User display and operation
5 Appendix
5.1 Service and support
5.2 Links and literature
5.3 Change documentation

1 Task
1.1 Overview
Introduction
Automation systems are high-precision and high-availability systems that play an
essential role in the production of a company. The increasing communication within
a plant and across several plants also increases the complexity of the overall
system. In order to be able to monitor and operate these systems accordingly, the
processes are visualized via HMI operating devices.
If the system is operated by unauthorized personnel, production malfunctions may
occur. Furthermore, manipulations and theft of know-how by unauthorized persons
can be carried out directly on the systems.
To avoid this, it is important to protect all equipment from unauthorized personnel.
With WinCC (TIA Portal) you can implement this with the integrated user
administration and thus increase plant safety.

1.2 Requirements
The following figure gives you an overview of the requirements of the automation
task.
Here it must be ensured that
• authorized employees can log in.
• several employees can be logged in at the same time (larger systems).
• employees have access to the functions and data according to their
authorizations.
• authorized employees are automatically logged out after a specified period of
inactivity.
• unauthorized persons are denied access to the facility and data.
Figure 1-1
2 Solution
2.1 Overview
Core contents of the application
In this application example you will learn:
• Basic information about users, user groups, and permissions.
• How you can improve your plant safety with an appropriate user management.
• The difference between central user administration with "WinCC Professional"
and central user administration with "WinCC Professional" in conjunction with
"SIMATIC Logon".
• Which configuration steps are necessary to successfully implement a user
administration.

Diagram
Figure 2-1: Login via user administration with different authorizations (Administrator,
Shift manager, Service personnel, Fitter, Operator, Quality Manager) on an operating device
(e.g. SIMATIC IPC) connected to a controller (e.g. S7-1500)

Advantage
The user administration content described here has the following advantages:
• Save time and money with detailed step-by-step instructions.
• Overview of the possible user administration concepts.
• Selection aids for deciding which type of user administration makes sense in which case.

Delimitation
This application does not contain a description of the basic programming of an HMI
in TIA Portal or the user administration under Windows operating systems.

Required knowledge
Basic knowledge of the project engineering of WinCC (TIA Portal) as well as basic
information on user administration under Windows operating systems is required.

2.2 Hardware and software components


The application has been created with the following components:

Software components
Table 2-1
Components Qty. Article number Note
WinCC Engineering V15.1 1 6ES7822-1..05-..
WinCC Runtime Professional V15.1 1 6AV2105-....5-0
SIMATIC Logon V1.6 1 6ES7658-7BX61-0YA0
Windows 10 LTSB 1 Microsoft
3 Basics
3.1 User administration (general)
Goal
The goal of user administration is to protect access to data and functions within the
runtime and thus to protect the applications from unauthorized operators.

Example project
In addition to pure plant operation, there are a number of other applications in
which users have to perform different tasks on the plant.
Example:
• An administrator can have access to the user administration. However, he
or she must not be able to change the recipe data of the product.
• A quality manager can monitor the system values, but is not allowed to
operate the system.
How the individual application cases will look at the respective end customer is
usually not determined until the commissioning on site. The user administration in
WinCC Professional with users, user groups and their authorizations helps you to
realize the selected cases.
3.2 Users, User Groups, and Authorizations


3.2.1 User

General
The users in WinCC (TIA Portal) represent the basis of user administration. The
first step is to create a "user" in the user administration. The name and password of
the user are stored in the user administration. The user "Admin" is already
predefined in WinCC (TIA Portal).
For better illustration, the functionality of the user administration is explained below
using an example. Section 4 describes the project engineering using this example
scenario.

Example project
A company has several production facilities and employees. In the company, the
employees Müller, Meier, Schulz, Schmidt, Schneider and Fischer are responsible
for "Production Plant A".
Figure 3-1: Employees Müller, Meier, Schulz, Schmidt, Schneider and Fischer

3.2.2 User groups

General
For a user to be assigned an authorization, the user must belong to a user group. By
default, in WinCC (TIA Portal) the user groups "Administrators Group" and "Users"
are predefined.
In addition to the predefined user groups, other groups can also be created and
edited, e.g. group "Production plant A", "Maintenance employee", "Setter", etc.
Each user must be assigned to a user group and can belong to only one
group.

Sample project (user groups)


In user administration, the six employees (Müller, Meier, Schulz, Schmidt,
Schneider and Fischer) are created as users. Each of these employees has
different areas of responsibility, as shown in the figure below.

Figure 3-2
Areas of responsibility: Administrator, Shift manager, Service personnel, Fitter, User, Quality Manager
Employees (in the same order): Müller, Meier, Schulz, Schmidt, Schneider, Fischer


According to the responsibilities of the employees, the corresponding user groups
(administrator, shift leader, maintenance technician, setter, user, quality manager)
are now created in WinCC (TIA Portal) and the employees are assigned to the
groups.

3.2.3 Authorizations

General
Permissions are used in WinCC (TIA Portal) to define the access rights of user
groups. You can use these authorizations to select the respective access
authorizations later. On the system side, three authorizations ("user
administration", "monitoring" and "operation") have already been created. These
can be renamed during project engineering, but not deleted. You can also create
additional authorizations.
Once all authorizations have been created, you can assign the appropriate
authorizations to each user group. A group can have several authorizations at the
same time.

Example (Authorizations)
In the example scenario, three additional authorizations (maintenance, changing
recipes, changing parameters) are defined in addition to the predefined
authorizations.
In the next step, the authorizations are assigned to the user groups from Section 3.2.2
according to the following table.
Table 3-1
Authorizations (columns): User management, Monitoring, Operating, Service, Changing recipes, Change parameters
User groups (rows):
Administrator X
Shift manager X X X X
Service personnel X X
Fitter X X X
Operator X X
Quality Manager X

The user administration is thus completely created and forms the basis for later
access protection.

Note The creation of a user administration does not mean that the data and functions
are already protected against unauthorized access. The access protection only
becomes effective in connection with the assignment to the objects.

How to create users, user groups, and permissions in TIA Portal is described in
detail in Section 4.2.

3.2.4 Performance features depending on operating unit

You can create a maximum of 200 users in Runtime Professional.


For more information about user management in TIA Portal, see the following link.
https://support.industry.siemens.com/cs/ww/de/view/109755202/115245877643

3.3 Functions in the Runtime


After you have created the user administration with different user groups and
authorizations, you can assign the authorizations to objects (for example, a button).
This makes it possible to increase system protection.

3.3.1 Access protection

In order to set up access protection for security-relevant functions and data in a
plant, this must be taken into account when the project is created. Via the
properties of the respective control, you can enter the respective authorization
under "Properties > Security > Security in Runtime". You thus restrict the
operation of the safety-relevant functions to the respective user groups.

Note Within the WinCC Runtime, you can no longer change or extend the access
protection.

Runtime operation
If an object (e.g. a button) is pressed in the runtime, a login dialog appears and
the user is prompted to authorize himself with his user name and password.
These entries are compared by the system with the data in the user administration
and, if they match, the operation is permitted. If the authorization is incorrect, no
operation is possible. A message "Invalid password or user name Login failed."
appears in the message display.

Project and operating system protection


According to this principle described above, a wide variety of safety concepts can
now be developed for operator panels, projects and complete systems. The
protection of projects and operating systems plays an important role here.
In principle, the termination of the runtime should be provided with access
protection. Unauthorized operators are therefore not granted access to the
operating system of the operating device.

Note Access protection does not protect against operating errors. You yourself must
ensure that only suitably trained and authorized personnel construct,
commission, operate and maintain plants and machines.

How to configure access protection for functions is described in a step-by-step
guide in Section 4.3 "Project engineering of access protection and user display".

3.3.2 Logon and logoff via system functions

You have provided and protected all security-relevant functions and data in your
project with access protection. Now you want to see who is currently logged in
during plant operation in order to change the user if necessary.

System functions "Log in" / "Log off"


To generally log a user on and off, for example before and after a shift, you can
use the system function "ShowLogonDialog". A login window is opened in which
the user can enter his user name and password.

When the login button is pressed, these values are read in and compared with the
user administration data. If these match, the user is logged in. The user can log out
again via the logout button.

The corresponding configuration of the system function "ShowLogonDialog" is
described in Section 4.3.2.

Another useful system function for user administration in WinCC Runtime
Professional is the "ExportImportUserAdministration" function.
This exports the user administration of the project into the specified file or imports it
from the file into the project.
More information about the system functions of the user administration in WinCC
Runtime Professional can be found under the following link.
https://support.industry.siemens.com/cs/ww/en/view/109755202/85576993547

3.3.3 User login with RFID card reader

In addition to the conventional registration via the registration dialog, it is also
possible to register via RFID card reader. More information on this topic can be
found under the following link.
https://support.industry.siemens.com/cs/ww/en/view/99808171

3.3.4 Manage users via user display

Goal
The User View control offers a selection of the most important functions required
during plant operation so that user management can be adapted quickly and easily
during plant operation.
Depending on the user group you belong to, you can make different settings in the
user display.
Figure 3-3

Administrators
All user groups with the authorization "User administration" (preset for the
"Administrators group") can now:
• Add and delete users
• Edit all user names and passwords (document in writing if necessary)
• Change group memberships
• Adjust all logoff times

Further user groups


All other user groups that do not have the "User administration" authorization have
the following options in the user display:
• Change password
• Edit own logoff time.

The configuration of the user display and the user administration in Runtime can be
found from Section 4.3.3.
3.4 Central user administration (WinCC Professional)


Field of application
For widely distributed systems with many operating devices, a WinCC server/client
structure with central user administration is recommended. Here the user
administration is configured on the WinCC server. The WinCC clients are assigned
to the server and access the central user data via it.
When a user logs on to an operating device, the access data is compared with the
user administration of the WinCC server. If the authentication is correct, the user is
then logged in.
How to configure a central user administration in WinCC (Professional) can be
found in Section 4.2.

Principle
Figure 3-4: WinCC server, user management (WinCC Prof.) with users and user groups;
configuration of the user administration and assignment to the WinCC server;
WinCC clients; WinCC configuration PC

Benefits
• Simple project engineering in TIA Portal
• User management for all operator interfaces can be centrally configured
• Uniform user administration for all operator panels
• Easily manage and edit users

Disadvantages
• No individualized user administration for individual operating devices

3.5 Central user administration ("SIMATIC Logon")


General
The WinCC (TIA Portal) option package "SIMATIC Logon" is for central user
administration and consists of five software components:
1. SIMATIC Logon Service
   SIMATIC Logon Service is the central access protection for SIMATIC
   applications and plant areas (see Section 3.5.1).
2. SIMATIC Logon Role Administration
   You can use the SIMATIC Logon Role Administration to administrate the roles
   of an application and assign them to Windows groups, including assigning
   authorizations (see Section 3.5.2).
3. SIMATIC Logon Eventlog Viewer
   The SIMATIC Logon Eventlog Viewer is a component that records and
   displays events (e.g. manual operations in the process).
4. SIMATIC Electronic Signature
   Using Electronic Signature, you can create electronic signatures for state
   transitions in the process and for interventions in the process (see also Good
   Manufacturing Practice).
5. SIMATIC Logon Development Kit
   The Development Kit is intended for programmers who want to integrate
   SIMATIC Logon into a customer application.

Access protection
Access protection with "SIMATIC Logon" can be implemented with the two
software components "SIMATIC Logon" Service and "SIMATIC Logon" Role
Management. Since this is directly related to user administration, these two
subpackages are described in more detail in the following two subchapters.

Additional information
Further information on the individual software components can be found in the
project engineering manual of "SIMATIC Logon" under the section
https://support.industry.siemens.com/cs/de/en/view/34519648/5952314507, and in
the "SIMATIC STEP 7 Basic/Professional V15.1 and SIMATIC WinCC V15.1"
manual in the section
https://support.industry.siemens.com/cs/ww/en/view/109755202/87519205131.

3.5.1 Access protection with "SIMATIC Logon" Service

Goal
"SIMATIC Logon" Service enables a central and plant-wide user administration,
based on the Windows user administration of a logon server.
With "SIMATIC Logon" you can bundle the user administration of several local
(panels) and central systems (WinCC servers). It is also possible to directly access
the user administration of a domain controller and use its user structure for the
rights management of your automation system.

Principle of operation
The user data is created and managed on a central logon server via the user
administration of the Windows operating system.
You still configure the user groups and the permissions in the user administration
of WinCC (TIA Portal). In addition, you create user groups with the same names on
the logon server in the user administration. The configured authorization is
assigned to each user group in the runtime because the names are identical.
You only have to create the users on the logon server and not in WinCC (TIA
Portal), since these users are dynamically transferred from the server during the
logon process.
The user can now change his password on the operating device and this is taken
over directly by the logon server if the Windows user has the corresponding
authorization.
A detailed description of how to configure "SIMATIC Logon" as central user
administration can be found in Section 4.3.3.
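
Because the authorizations reach a user only through identically named groups, a planning check can compare the group names on both sides before commissioning. The following is an added example, not Siemens code: the assignment of authorizations to groups, the Windows group listing and the `audit` function are constructed for illustration, and "identical" is assumed to mean an exact string match.

```python
from collections import defaultdict

# Constraints the page states for its scenario (Section 3.1): the administrator
# must not change recipe data; the quality manager must not operate the plant.
FORBIDDEN = [("Administrator", "Changing recipes"), ("Quality Manager", "Operating")]

# Constructed sample data. Group names follow the page's scenario; which
# authorization sits in which group is an assumption made for this example.
WINCC_GROUPS = {
    "Administrator": {"User management"},
    "Shift manager": {"Monitoring", "Operating", "Changing recipes", "Change parameters"},
    "Service personnel": {"Monitoring", "Service"},
    "Fitter": {"Monitoring", "Operating", "Change parameters"},
    "Operator": {"Monitoring", "Operating"},
    "Quality Manager": {"Monitoring", "Operating"},  # deliberate planning error
}
# Constructed listing of the groups created on the logon server for WinCC.
WINDOWS_GROUPS = {
    "Administrator": {"Müller"},
    "Shift Manager": {"Meier"},          # capital "M": not identical to the WinCC name
    "Service personnel": {"Schulz"},
    "Fitter": {"Schmidt", "Schulz"},     # Schulz is in two mapped groups
    "Quality Manager": {"Fischer"},
    "Contractors": {"ext01"},            # no WinCC group of this name
}


def norm(name):
    """Fold case and whitespace so near-miss group names can be detected."""
    return " ".join(name.split()).casefold()


def audit(wincc_groups, windows_groups):
    """Return a sorted list of (code, detail) findings.

    wincc_groups:   {WinCC group name: set of authorizations}
    windows_groups: {group created on the logon server for WinCC: set of users}
    """
    findings = []
    wincc_by_norm = {norm(g): g for g in wincc_groups}
    windows_norms = {norm(g) for g in windows_groups}

    # 1. Windows groups whose name is not identical to a WinCC group name:
    #    their members would log on without any configured authorization.
    for win_group, members in windows_groups.items():
        if win_group in wincc_groups:
            continue
        near = wincc_by_norm.get(norm(win_group))
        if near is not None:
            findings.append(("NAME_NEAR_MISS", f"{win_group!r} vs {near!r}"))
        elif members:
            findings.append(("NO_WINCC_GROUP", win_group))

    # 2. WinCC groups that no group on the logon server corresponds to.
    for group in wincc_groups:
        if norm(group) not in windows_norms:
            findings.append(("NO_WINDOWS_GROUP", group))

    # 3. Accounts in several mapped groups. The page states that a WinCC user
    #    belongs to exactly one group and does not describe how several Windows
    #    memberships are resolved, so these accounts are flagged for review.
    memberships = defaultdict(set)
    for win_group, members in windows_groups.items():
        if win_group in wincc_groups:
            for user in members:
                memberships[user].add(win_group)
    for user, groups in memberships.items():
        if len(groups) > 1:
            findings.append(("MULTI_GROUP", f"{user}: {sorted(groups)}"))

    # 4. Separation of duties from the example scenario.
    for group, auth in FORBIDDEN:
        if auth in wincc_groups.get(group, set()):
            findings.append(("FORBIDDEN_AUTH", f"{group} holds {auth!r}"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit(WINCC_GROUPS, WINDOWS_GROUPS):
        print(f"{code:17} {detail}")
```
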

Requirement
• "SIMATIC Logon" is installed and configured on the logon server.
• Each user interface has its own license for "SIMATIC Logon", which is stored
centrally on the logon server.

Diagram
Figure 3-5: Logon server (SIMATIC Logon Server) with user administration (Windows): users,
user groups (1); user management (WinCC): user groups (1), authorizations; WinCC server/client
systems (SIMATIC Logon clients); WinCC configuration PC
(1) User groups must have the same name.

Field of application
For more complex automation projects and systems with several operator panels, a
central user administration with "SIMATIC Logon" is the ideal solution.

Benefits
• User data is created and managed via Windows operating system
• Central administration of all access data
• Simple subsequent addition of a user
• Quickly customize plant-wide permissions, groups, and users
• Uniform, plant-wide access data (synchronization of user data)

Disadvantages
• User administration of Basic Panels is not possible via "SIMATIC Logon"

3.5.2 License protection with "SIMATIC Logon" Role administration

Description
You administrate roles using the role administration of "SIMATIC Logon". A role is
the authorization of a group or a user to perform a certain action (e.g. transfer
licenses).
These are not permissions of the WinCC (TIA Portal) project, but more general
application functions, such as user access control to the Automation License
Manager (ALM).
With the role management of "SIMATIC Logon" you can develop a simple concept
for the protection of licenses in the SIMATIC environment.

Example FAQ
How to use the Automation License Manager in conjunction with the role
administration of "SIMATIC Logon" is described in the FAQ
https://support.industry.siemens.com/cs/ww/en/view/25619729.

Traceability
As an additional option, all logon and logoff attempts, user authentications and
password changes are recorded in the supplied software component "SIMATIC
Logon" Eventlog Viewer. This allows logon times and important operator entries to
be traced back.

4 Configuration and project engineering


This section describes in detail which project engineering and configuration steps you must
carry out in order to implement a user administration in WinCC Professional (TIA
Portal).

4.1 Hardware setup


4.1.1 Central user administration with a WinCC server

The following figure shows the structure of the application example in connection
with the central user administration on a WinCC server.
An example configuration is shown in the following figure.
Figure 4-1: SIMATIC Field PG, SCALANCE X208, PROFINET IE, SIMATIC Rack IPC547E
(WinCC server), CPU 1513-1PN, WinCC clients

4.2 Project engineering of users, user groups and authorizations
To configure the user administration in a practical manner, the
application example from the basics in Section 3 is implemented.
The following table shows a summary of all users, user groups, and authorizations
that are relevant for the following steps.

Note Before creating the user administration, obtain an overview of the necessary
users, user groups, and authorizations. The following table is one way of making
this clear.
Optionally an extension of this table with a further column for the passwords of
the individual operators is conceivable. However, you must ensure that sensitive
data is only accessible to authorized personnel.

Table 4-1
User (columns): Müller, Meier, Schulz, Schmidt, Schneider, Fischer
Authorizations (columns): User management, Monitoring, Operating, Service, Changing recipes, Change parameters
User groups (rows; the leading X marks the user, the following X marks the authorizations):
X Administrator X
X Shift manager X X X X
X Service personnel X X
X Fitter X X X
X User X X
X Quality Manager X

4.2.1 Project engineering of users

The following instructions show you which project engineering and configuration
steps are necessary for a new user.

1. Open the WinCC server configuration via the project navigation. Then double-
click on "User administration" to open it.
Figure 4-2

2. In the workspace, select the Users tab (1) and double-click Add new in the
Users table (2). A new user with preset user data is automatically created.
Figure 4-3:

3. Rename the new user according to Table 4-1 (1). Change the password of the
user. To confirm the password, enter it again (3). Confirm the entry with the
green checkmarks (4).
Figure 4-4

4. Optional:
You can activate and adjust the preset parameters "Automatic logoff", "Logoff
time", "Number", "Comment" and the settings of the user's web applications
("WebNavigator" and "WebUX") as required.
In this example, all preset user data is left unchanged.
Figure 4-5

5. Add all other users and adjust their properties.
Figure 4-6

6. Save your project.

Result
The project engineering of the users for your WinCC server/client system is
completed.

4.2.2 Project engineering and assignment of user groups

Creation of user groups


The following instructions show you which project engineering and configuration
steps must be carried out in order to create user groups.
1. Open the WinCC server configuration via the project navigation. Then double-
click on "User administration" to open it.
Figure 4-7

2. In the workspace, select the "User groups" tab (1). In the Groups table, double-
click Add new (2) to create a new user group.

Note The user groups "Administrators Group" and "Users" are preconfigured and can
only be renamed, but not deleted.

Figure 4-8

3. Change the name of the newly created user group to "Shift Supervisor".
Figure 4-9

4. Create three additional user groups as described in steps 2 and 3. Rename the
groups to "Maintenance technician", "Setup technician" and "Quality manager".
Figure 4-10:

5. Save your project.



Result
The creation of the user groups is hereby completed.

Assigning user groups


The following instructions show you which project engineering and configuration
steps you must carry out in order to assign user groups.
The prerequisite for assigning user groups is that you have already created users
and user groups in your project.
1. Open the WinCC server project engineering via the "Project tree". Then
double-click on "User administration" to open it.
Figure 4-11

2. On the Users tab (1), select the "Müller" user (2). In the "Group" table, you can
see the current user group to which the "Müller" user is assigned.

Note All newly created users are assigned to the "Users" group by default.

Figure 4-12

3. Select the "Administrators Group" radio button to assign the Müller user to this
group.

Note Users can only ever be members of one user group.

Figure 4-13

4. Then select the other users ("Meier", "Schmidt", "Schulz", "Schneider" and
"Fischer") one after the other and also assign the intended user groups to
them, see Table 4-1.

5. Save your project.

Result
The assignment of the members to the user groups is hereby completed.

4.2.3 Project engineering and assignment of authorizations

Creating authorizations
The following instructions show you how to create authorizations for user groups.
1. Open the WinCC server configuration via the project navigation. Then double-
click on "User administration" to open it.

Figure 4-14

2. In the workspace, select the "User groups" tab (1). In the Authorizations table,
double-click Add new (2) to create a new authorization.
A new authorization "Authorization_1" is created automatically.

Note The "User administration", "Monitoring" and "Operating" authorizations have
already been assigned. They can be renamed but not deleted.

Figure 4-15

3. Change the "Name" (1) and "Display name" (2) of the new authorization to
"Service".

Figure 4-16

4. Create two more authorizations and name them "Change recipes" and
"Change parameters".
Figure 4-17

Result
All authorizations for the example project are thus created and the project
engineering of the authorizations is completed.

Assigning authorizations
The following instructions show you how to assign authorizations to a user group.
The prerequisite for assigning authorizations is that user groups and authorizations
have already been created.
1. Open the WinCC server configuration via the project navigation. Then double-
click on "User administration" to open it.
Figure 4-18

2. On the "User groups" tab (1), select the "Shift Supervisor" group (2).
In the "Authorizations" table you can see the currently assigned authorization
"Operate".

Note All newly created user groups are assigned the "Operate" authorization by
default.

Figure 4-19

3. Assign the following permissions to the Shift Supervisor user group by clicking
the option boxes next to the labels:
– Monitoring
– Change recipes
– Changing parameters

Note Clicking the option box again deactivates the authorization.

Figure 4-20

Note By default, the "User Administration" authorization has the first authorization
number. User groups with this authorization can manage all users in Runtime via
the "User Control".

4. Then select the other user groups one after the other and assign them the
corresponding authorizations, see Table 4-1.
5. Save your project.

Result
The configuration of the user administration is now complete.

4.2.4 Optional: Dynamic logon

In WinCC (TIA Portal) it is possible to activate "Dynamic Logon".
This logon procedure automatically logs on a user when a system variable is set
on the user interface.
For example, you could create a user with dynamic logon for your maintenance
personnel. The corresponding system variable could be set by a key switch for
which only the responsible maintenance personnel have the keys.
The maintenance staff can thus log on quickly when they arrive at the system,
perform their tasks and are logged off automatically when the key switch is
deactivated.
To configure the "Dynamic Logon" of your system, carry out the following
configuration steps.

Note The "Dynamic Logon" can only be configured for the individual devices if the
HMI and Ethernet connections have been set up correctly.

1. Create an internal variable of type "Integer" for each HMI in the variable
management of your server.

Note The variables used must be binary coded and have at least 8 characters.

Figure 4-21

2. Open the "Runtime settings" of your WinCC server via the project navigation.
Figure 4-22

3. Click on "User administration" in the area navigation (1). In the field "Dynamic
Logon" in the first column "HMI device", assign the devices that you want to
enable for dynamic logon. In the column "Variable" ("Tag"), select the variables
that you have created for the individual devices (2).
Figure 4-23


4. You must then activate the users for dynamic logon and give them a specific
"User ID".
Open the user configuration under "User administration > Users". Activate the
option box for dynamic logon for the user (1). The "User ID" is used to identify
the user. If necessary, you can also change it.
Figure 4-24

The user is automatically logged on to the corresponding device if one of the
variables that you assigned to the HMI devices in step 3 corresponds to the value
of the user's "User ID". You then have to set and reset these variables with an
event. A key switch, for example, is recommended for this purpose.

Note The user remains logged in as long as the variable for the "Dynamic Logon" of
the HMI has the value of his "User ID". If the value 0 is assigned to the variable,
no user is logged on to the device.

Result
The configuration of the dynamic logon is complete.
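
The dynamic logon rule described above (a device variable equal to a user's "User ID" logs that user on, 0 logs nobody on) combined with the one-group-per-user authorization model, as an added Python model that is not part of the Siemens application example and not a WinCC API. The group assignments, User IDs and the checks in `review` (shared User IDs, User ID 0, dynamic-logon users whose group holds "User administration") are assumptions constructed for illustration.

```python
"""Model of WinCC "Dynamic Logon" resolution and a review of its configuration.

Added illustration, not Siemens code and not a WinCC API.
All names, groups and User IDs below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample: user group -> authorizations held by that group
GROUPS = {
    "Administrators Group": {"User administration", "Monitoring", "Operating"},
    "Maintenance technician": {"Operating", "Service"},
    "Users": {"Operating"},
}


@dataclass(frozen=True)
class User:
    name: str
    group: str                   # a user belongs to exactly one group
    dynamic_logon: bool = False  # "Dynamic logon" option box
    user_id: int = 0             # "User ID" compared with the device variable


USERS = [
    User("Müller", "Administrators Group", dynamic_logon=True, user_id=1),
    User("Schulz", "Maintenance technician", dynamic_logon=True, user_id=2),
    User("Fischer", "Maintenance technician", dynamic_logon=True, user_id=2),
    User("Meier", "Users"),
]


def resolve_dynamic_logon(tag_value, users):
    """Return the user a device variable value logs on, or None.

    0 means nobody is logged on. Returning None for an ambiguous User ID
    is a choice of this model, not documented WinCC behaviour.
    """
    if tag_value == 0:
        return None
    hits = [u for u in users if u.dynamic_logon and u.user_id == tag_value]
    return hits[0] if len(hits) == 1 else None


def has_authorization(user, required, groups):
    """True if a user is logged on and the user's group holds `required`."""
    return user is not None and required in groups.get(user.group, set())


def review(users, groups, sensitive=frozenset({"User administration"})):
    """List configuration findings for dynamic-logon users."""
    findings, seen = [], {}
    for u in users:
        if not u.dynamic_logon:
            continue
        if u.user_id == 0:
            findings.append(f"{u.name}: User ID 0 never logs on (0 = no user)")
        elif u.user_id in seen:
            findings.append(f"{u.name}: User ID {u.user_id} shared with {seen[u.user_id]}")
        else:
            seen[u.user_id] = u.name
        held = sorted(groups.get(u.group, set()) & sensitive)
        if held:
            findings.append(f"{u.name}: tag value alone grants {held}")
    return findings


if __name__ == "__main__":
    for value in (0, 1, 2):
        user = resolve_dynamic_logon(value, USERS)
        print(value, user.name if user else None,
              has_authorization(user, "User administration", GROUPS))
    print(*review(USERS, GROUPS), sep="\n")
```

A review of this kind shows which authorizations depend only on the value of the device variable, which is why the variable is tied to a key switch held by the responsible personnel.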

4.3 Project engineering of access protection and user display

This chapter shows how to create access protection for a function (e.g. operating a
button) and how operators can log on and off using system functions.
In addition, an example will explain how to display the currently logged in user and
how to configure or operate the user display.

Requirement
• Created TIA Portal project with at least one configured operating device
• Configured user administration with users, user groups and corresponding
authorizations

4.3.1 Project engineering of access protection

The following table describes how to provide the function of a button with access
protection.
1. Open an image, e.g. the start image, and insert a button from the toolbox.
Figure 4-25

2. Select the button by clicking on it (1). In the "Properties" tab (2), open the
"Security" item (3) by clicking it.
Under "Runtime security", click the extension field (4). Select the "User
administration" permission (5) from the context menu.
Confirm your selection with the green tick (6).
Figure 4-26

3. Save your project and transfer it to the operating device.



4.3.2 Login and logout with system functions

The following section describes how to log in and out centrally using the system
functions "ShowLogonDialog" and "Logout".
In order to log on/off a user to the operating device, you need a button that displays
the logon window.
Create another button for this. In the "Properties" (1), open the "Events" tab (2).
Select the event "Click" (3) and assign the function "ShowLogonDialog" (5) from
the predefined functions in the drop-down list (4).
The logon dialog is now completely configured.
Figure 4-27

Behavior in Runtime
In Runtime, press the "Login/Logout" button to open the login dialog. The user
can authenticate in this dialog. An incorrect logon results in a system message:
"Invalid password or username. Login failed." appears in the message display.

Note If the logon is successful, there is no feedback of a successful logon at the
operating device by default. This must also be configured, see the following
section 4.3.3.
Figure 4-28

If the user is logged in, he can press the button and execute the function behind it.
If a user without sufficient rights presses the access protected button, the function
is not executed. Instead, the following system message appears: "You do not have
sufficient authorization" ("No operator authorization").
Figure 4-29

To log off the system again, the user clicks the "Login/Logout" button again. If an
authorized user is logged in, the input fields "User name" and "Password" are
grayed out. The previously grayed out button "Logout" is now clearly displayed.
The user can now log out by clicking on the "Logout" button. The device is now free
again for a new login of a user.

Note Only one user can be logged on to a runtime at a time. If another user logs
in, the previously logged in user is automatically logged out.

Figure 4-30

4.3.3 Display of the currently logged in users

Further configuration steps are required in order to receive feedback from the HMI
device in the runtime as to whether a user has been successfully logged on or
logged off or which user is currently logged on.
The following table describes how you can configure this using an I/O field.

Requirement
As a prerequisite, the login and logout of a user must already be configured, as
described in section 3.3.2.
1. Open your created image with the name "StartScreen" and insert a new
"I/O-Field".
2. Select the field (1). Switch to "Properties > General" (2).
Open the drop-down list of the property "Variable" ("Tag") (3) and select
the variable "@CurrentUser".
Confirm your selection with the green tick (5).
Change the "Display format" to the data type "String" (6).
Figure 4-31

Behavior in Runtime
After successful login, the name of the currently logged in user appears in the "I/O
Field".

Figure 4-32

If the user logs off again, the user name is removed from the "I/O field".

4.3.4 User display and operation

This section shows you how to use the "User view". This control gives you an
overview of the users existing in the project, as well as the possibility to administer
them. For more information, see "Behavior in Runtime" in this section.

1. Double-click the "Add new screen" button to create a new HMI image (1) and
rename it to "Screen_User_View" (2).

Figure 4-33

2. Open the start screen.
Select the button "Userview (Administrator)" (1).
Add the function "ActivateScreen" to the settings of the button under
"Properties > Events > Click" (2). Enter the name of the inserted image
"Screen_User_View" (3) in the parameter "Image name" ("Screen name").
Figure 4-34

3. Open the image "Screen_User_View" with a double click.


Figure 4-35

4. Open the Task Card "Toolbox" and expand the Controls palette.
Select the "User view" control and drag and drop it into the image. Adjust the
format and size if necessary.
Figure 4-36

5. Save the project and transfer it to the operating device.

Behavior in Runtime
In Runtime, an administrator can log on and access the user display. As an
administrator, you see all users created in the project. You can change the
associated user data and add new users or delete existing ones.

Note Users without administrator rights can also access the user display, but they only
see themselves in the user display. You can double-click on your entry to open a
window in which you can set your password and logoff time.

Figure 4-37

1. Change user data


In the user display, the administrator can change a user's data. A double click on
the user in the user display opens the configuration window with the respective
data. The editable data and permissions are the same as those you have when
creating the project.
Figure 4-38

2. Add/Delete User
As an administrator, you can add new users to the user administration or remove
users from it using the user display in the runtime.
To add a new user, double-click an empty row in the user display. A configuration
window opens automatically, in which you can create the new user with password,
logon name and access rights.
After you have created the user, you see his or her entry in the user display.
Figure 4-39

To delete a user from the user administration, select the user by clicking on the
entry in the user display and press the <Del> key. You must then confirm the
removal of the user in a dialog box.
Figure 4-40

5 Appendix
5.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire
service and support know-how and portfolio.
The Industry Online Support is the central address for information about our
products, solutions and services.
Product information, manuals, downloads, FAQs, application examples and videos
– all information is accessible with just a few mouse clicks:
https://support.industry.siemens.com

Technical Support
The Technical Support of Siemens Industry provides you fast and competent
support regarding all technical queries with numerous tailor-made offers
– ranging from basic support to individual support contracts. Please send queries
to Technical Support via Web form:
www.siemens.com/industry/supportrequest

SITRAIN – Training for Industry


We support you with our globally available training courses for industry with
practical experience, innovative learning methods and a concept that’s tailored to
the customer’s specific needs.

Note You will learn about the products used in this application example in the courses:
• SITRAIN course: SIMATIC WinCC Professional, SCADA in the TIA Portal (Article ID:
109758618)
For more information on our offered trainings and courses, as well as their
locations and dates, refer to our web page:
www.siemens.com/sitrain

Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog
web page:
https://support.industry.siemens.com/cs/sc

Industry Online Support app


You will receive optimum support wherever you are with the "Siemens Industry
Online Support" app. The app is available for iOS and Android:
https://support.industry.siemens.com/cs/ww/en/sc/2067

5.3 Change documentation


Table 5-2
Version Date Modifications
V1.0 07/2019 First version
