For CODESYS Control devices, user management is enforced by default.
Access rights can be granted to groups only, not individual users. Therefore every user has to be a member of a group.
Access rights can be granted for the following actions which are executed on the individual objects of the controller:
- Add/Remove
- Change
- View
- Execute
An object on the controller is usually assigned to just one controller component.
Each object can use all of the listed actions, but usually only the permissions for the following actions are needed on an object:
- “View”
- “Modify”
The objects are organized in a tree structure. There are two root objects for the two kinds of objects:
- Runtime objects → Device: This root manages all objects that have online access in the controller and therefore have to control permissions. It also contains a Device → UserManagement object, which in turn has an Access Rights object, a Groups object, and a Users object below it. Below the Groups object are all defined user groups, to which permissions can then be granted. For more information, see:
- “File system objects /”: In these objects, permissions can be granted for folders of the current execution directory of the controller.
The child objects inherit the access rights from the root object (that is, Device or "/"). If a permission of a user group is explicitly denied or granted on a parent object, then this affects all child objects.
A single permission can be explicitly granted or denied (green plus sign or red minus sign), or remain "neutral" (light gray character). Neutral means that the permission has been neither explicitly granted nor denied. In this case, the permission of the parent object applies.
If no permission has been explicitly granted or denied in the entire hierarchy of the object, then it is by definition denied. As a result, all permissions are initially denied (exception: the access right for the View action). Initially, this permission is explicitly granted for every user group on both the Device runtime object and the "/" file system object. This allows read access to all objects, unless it is explicitly denied in child objects.
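The inheritance rules above can be modeled as a walk from an object up to its root. The following Python sketch is an added illustration, not CODESYS code or a CODESYS API: the group names `Operators` and `Service`, the `logs` folder, and the rule that the nearest explicit setting wins over one further up the tree are assumptions made for the example.

```python
class Obj:
    """One node of the controller's object tree (runtime or file system)."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        # (group, action) -> True (explicitly granted) / False (explicitly denied).
        # A missing key is the "neutral" state.
        self.explicit = {}

    def path(self):
        if self.parent is None:
            return self.name
        return self.parent.path().rstrip("/") + "/" + self.name

def resolve(obj, group, action):
    """Return (granted, path of the deciding object) for one group and action."""
    node = obj
    while node is not None:
        setting = node.explicit.get((group, action))
        if setting is not None:       # explicit grant or deny found here
            return setting, node.path()
        node = node.parent            # neutral: the parent's permission applies
    return False, "default"           # nothing explicit in the hierarchy: denied

def initial_tree(groups):
    """Initial state: only View is granted, on both roots, for every group."""
    device, fs_root = Obj("Device"), Obj("/")
    for g in groups:
        device.explicit[(g, "View")] = True
        fs_root.explicit[(g, "View")] = True
    usermgmt = Obj("UserManagement", device)
    return {"Device": device, "/": fs_root, "UserManagement": usermgmt,
            "Groups": Obj("Groups", usermgmt), "Users": Obj("Users", usermgmt),
            "logs": Obj("logs", fs_root)}   # "logs" is a constructed folder name

def demo():
    """Constructed sample: hide user management from Operators, let Service edit it."""
    t = initial_tree(["Operators", "Service"])
    t["UserManagement"].explicit[("Operators", "View")] = False
    t["UserManagement"].explicit[("Service", "Change")] = True
    return t

if __name__ == "__main__":
    tree = demo()
    for obj, group, action in [("Groups", "Operators", "View"),
                               ("Groups", "Service", "Change"),
                               ("Device", "Service", "Change"),
                               ("logs", "Operators", "Execute")]:
        print(obj, group, action, resolve(tree[obj], group, action))
```

Returning the deciding object alongside the result makes it easy to audit why a group can or cannot reach an object, for example when reviewing which groups can still view the UserManagement subtree.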
For an overview table for the objects, see the "Tab: Access Rights" chapter.
See the following instructions for handling the editor for the device user management:
For more information, see: “Configuring Devices and I/O Mapping”, “Linking a device input with an existing project variable ("mapping")”, “Mapping a device input to a recently created project variable”, “Linking a device with a function block instance”, “Changing and fixing an address value in the I/O map”, “Configuration of the I/O variable update”, “Monitoring of variables in the I/O map in online mode”, “Generating implicit variables for the forcing of I/Os”, “I/O mapping in one dialog for multiple devices” and “Encrypting Communication, Changing Security Settings”