dl-breadcrumbs__homedl-breadcrumb-item__separatorConfiguration and programmingdl-breadcrumb-item__separatorProgramming with CODESYSdl-breadcrumb-item__separatorAutomation Builderdl-breadcrumb-item__separator...dl-breadcrumb-item__separatorReference: User Interface dl-breadcrumb-item__separatorObjects dl-breadcrumb-item__separatorObject: Device, and Generic Device Editor dl-breadcrumb-item__separatorTab: Access Rights dl-breadcrumb-item__separatorOverview of the objects
dl-pagination__prev-inactivedl-pagination__prev-activedl-pagination__next-inactivedl-pagination__next-active
Overview of the objects

Runtime objects  Device

‎Logger‎

Online access to the logger is read only. Therefore, only the “View” access right can be granted or denied here.

‎PlcLogic‎

All IEC applications are inserted here automatically as child objects during download. When an application is deleted, it is removed automatically.

This allows specific control of online access to the application. Access rights can be assigned centrally over all applications in the “PlcLogic”

The “Administrator” and “Developer” user groups have full access to the IEC applications. The “Service” and “Watch” user groups only have read access (for example for read-only monitoring of values).

The following table shows which action is affected in particular when a specific access right is granted for an IEC application.

x : The permission has to be set explicitly.

-: The permission is not relevant.

‎Application‎

Operation

Permission

“Add/Remove”

“Execute”

“Modify”

“View”

Login

‎-‎

‎-‎

‎-‎

‎x‎

Create

‎x‎

‎-‎

‎-‎

‎-‎

Create child object

‎x‎

‎-‎

‎-‎

‎-‎

Delete

‎x‎

‎-‎

‎-‎

‎-‎

Download / online change

‎x‎

‎-‎

‎-‎

‎-‎

Create Boot Application

‎x‎

‎-‎

‎-‎

‎-‎

Read variable

‎-‎

‎-‎

‎-‎

‎x‎

Write Variable

‎-‎

‎-‎

‎x‎

‎x‎

Force Variable

‎-‎

‎-‎

‎x‎

‎x‎

Set and delete breakpoint

‎-‎

‎x‎

‎x‎

‎-‎

Set Next Statement

‎-‎

‎x‎

‎x‎

‎-‎

Read call stack

‎-‎

‎-‎

‎-‎

‎x‎

Single Cycle

‎-‎

‎x‎

‎-‎

‎-‎

Switch on flow control

‎-‎

‎x‎

‎x‎

‎-‎

Start / Stop

‎-‎

‎x‎

‎-‎

‎-‎

Reset

‎-‎

‎x‎

‎-‎

‎-‎

Restore retain variables

‎-‎

‎x‎

‎-‎

‎-‎

Save retain variables

‎-‎

‎-‎

‎-‎

‎x‎

‎PLCShell‎

Only the “Modify” permission is evaluated at this time. This means that only when the “Modify” permission has been granted to a user group can PLC shell commands also be evaluated.

‎RemoteConnections‎

Additional external connections to the controller can be configured below this node. Currently, access to the OPCUA server can be configured here.

‎Settings‎

This is the online access to the configuration settings of a controller. By default, access to “Modify” is granted only to the administrator.

‎UserManagement‎

This is the online access to the user management of a controller. By default, read/write access is granted only to the administrator.

Access_rights.png

  • ‎Access Rights‎: When this object is selected, permissions can be configured on the permissions management in the “Rights” view. That means you can configure which user group is allowed to simply read the permissions management, and which user group is allowed to change the permissions management as well.

  • ‎Groups‎: A separate object is automatically created for each user group of the device user management and displayed below “Groups”. When a user group object is selected, the permissions on the user group can be configured. That means you can configure which user group is allowed to read or modify the user group (for example, add new users to the user group).

    By default, objects are available for the following user groups:

    • ‎Administrator‎

    • ‎Developer‎

    • ‎Service‎

    • ‎Watch‎

    This allows graduated or restricted administrator groups to be set up. For example, a visualization administrator group can be set up which can only add existing users to the visualization user group, but cannot create new users or change the passwords of existing users.

  • ‎Users‎: When this object is selected, the permissions of the user group on the users can be configured. That means you can configure which user group is allowed to read, modify, or add users (for example, add new users).

For more information see: ⮫ “Handling of Device User Management ”

‎X509‎

This controls the online access to the X.509 certificates. Two types of access are distinguished here:

  • Read (“View”)

  • Write (“Modify”)

Every operation is assigned to one of these two access rights. Each operation is inserted as a child object below X509. Therefore, access per operation can now be fine-tuned even more.

File system objects  /

All folders from the execution path of the controller are inserted below the "“/”" file system object. This allows you to grant specific rights to each folder of the file system.