InTouch Wonderware Security Access Levels

Ones_Zeros

Member
O
Join Date
Feb 2014
Location
at work
Posts
367
Hello,
I have an InTouch Wonderware question about setting security access of someone going into development (WindowMaker)
I can set access on buttons & tags, but I can't seem to find how to restrict users from being able to go into development.

I'm having issues with some people getting into development when they shouldnt be & i need to set access on this


I appreciate your help.
 
WindowMaker should be on a computer that only the correct people have access to. You should not have WindowMaker on a "user" computer, they should have a run-time license only.
 
You cannot really lockout development mode.
A development license is not really recommended for runtime.
Or you can install "runtime only" installation...which is hard to edit.
 
Agree with the others, if security of the development is required, they should only have a runtime license.

You should only have the development license on a machine you use to develop/deploy the InTouch application.

Having a development license on the end user computer is convenient for someone who might need to make a change, but you compromise on security.
 
Don't totally agree with some of the comments. If you have a single node or if the pc is somewhere accessible by many, locking out development may be needed. I've seen it done a couple ways:

1. Create a popup with a negative y position hiding the Development menu. With a proper access level, you can allow the hiding/showing of the popup.

2. Hide the development menu from the WindowViewer configuration and add a restricted access level button that allows activating WindowsMaker. Look at the startapp function.
 
DaveW said:
Don't totally agree with some of the comments. If you have a single node or if the pc is somewhere accessible by many, locking out development may be needed. I've seen it done a couple ways:

1. Create a popup with a negative y position hiding the Development menu. With a proper access level, you can allow the hiding/showing of the popup.

2. Hide the development menu from the WindowViewer configuration and add a restricted access level button that allows activating WindowsMaker. Look at the startapp function.
Click to expand...

The problem with this is that WindowMaker would still be available from the Start menu...


ETA: you could restrict access to WindowMaker via group policy in a domain, but if you have a domain you are going to have more than 1 node.
 
Last edited:
I usually make a "Time/Date" Screen that covers the top of the window, so they cannot get to the desktop, WindowMaker, or any other files choices.
They have to have above 9000 access to close the Time/Date screen.
 
NetNathan said:
I usually make a "Time/Date" Screen that covers the top of the window, so they cannot get to the desktop, WindowMaker, or any other files choices.
They have to have above 9000 access to close the Time/Date screen.
Click to expand...

When you get a chance, open your application and then press the window key on the keyboard (or Alt-Tab) and you will see that accessing the desktop/start menu/other programs is quite easy.

The only way to guarantee that unauthorized users won't use WindowMaker is to restrict access to the development machine.



Another thought: For those that only have 1 computer, where is your PLC software? You can mess up a little with WindowMaker, but you can mess up a LOT with the PLC....
 
rankhornjp said:
When you get a chance, open your application and then press the window key on the keyboard (or Alt-Tab) and you will see that accessing the desktop/start menu/other programs is quite easy.

The only way to guarantee that unauthorized users won't use WindowMaker is to restrict access to the development machine.



Another thought: For those that only have 1 computer, where is your PLC software? You can mess up a little with WindowMaker, but you can mess up a LOT with the PLC....
Click to expand...

The Cherry keyboards I supply..... specifically do not have the "Windows" key for that reason.
I also disable the "ALT" key and the "Win" key in WindowViewer configuration, which will allow me to use a standard keyboard.

Yes...in a perfect world you should have a Development and a Runtime license. I run a full blown development license and buy Runtime licenses based on tag count.

In a lot of my developments...the customer also purchases a copy of PLC software for me to use when I log in remotely for troubleshooting.
I also keep a backup copy of the logic and copy it down when I troubleshoot. If the logic does not match...the customer gets notified. In some cases I remove the logic from the PC when I am done troubleshooting.
 
Last edited:
I really appreciate you guys feedback on this issue.

I have some thinking to do on this

I have several computers out in the field that have development on them but they run different Wonderware applications on them.

I was just thinking there would be a simple way I could restrict access on them
through Wonderware security so they could not open Windowmaker

Yes, I agree no one has PLC software access but myself they could really mess things up here.

Thanks alot, again for your help
 
rankhornjp said:
The problem with this is that WindowMaker would still be available from the Start menu...


ETA: you could restrict access to WindowMaker via group policy in a domain, but if you have a domain you are going to have more than 1 node.
Click to expand...

Curious, if you can lock out WindowMaker with domain for a single node, why can't you do it for all the nodes?

Also, look up the KeyTrapSet function. It should allow you to disable/enable hot keys.
 
Ones_Zeros said:
I really appreciate you guys feedback on this issue.

I have some thinking to do on this

I have several computers out in the field that have development on them but they run different Wonderware applications on them.

I was just thinking there would be a simple way I could restrict access on them through Wonderware security so they could not open Windowmaker

Yes, I agree no one has PLC software access but myself they could really mess things up here.

Thanks alot, again for your help
Click to expand...

I have a customer with 7 different applications. All applications are developed on the same machine. **Now all of the versions have to be the same in order to do this. You can't run version 10 on some apps and version 11 on others.**

What I do it put all the applicaiton folders in the same shared folder on the network. Then when you open the application manager you can "find applications" and navigate to that shared folder, click OK. Then you should have a list of all the applications in the application manager.

I would put WindowMaker on the same machine that you have your PLC software on and change the rest of the machines to run-time only.


Also, I believe that Development licenses are more expensive than run-time, so your are spending extra money you don't need to spend.
 
DaveW said:
Curious, if you can lock out WindowMaker with domain for a single node, why can't you do it for all the nodes?

Also, look up the KeyTrapSet function. It should allow you to disable/enable hot keys.
Click to expand...

You can for all nodes in a group on a domain. My point was that if you have a domain, you have more than 1 node and therefore shouldn't have this issue cause you should have a dedicated development machine (with limited access) and not have WindowMaker on all of your nodes.


I'll look into the KeyTrapSet function.
 
question about:
I have a customer with 7 different applications. All applications are developed on the same machine. **Now all of the versions have to be the same in order to do this. You can't run version 10 on some apps and version 11 on others.**

What I do it put all the applicaiton folders in the same shared folder on the network. Then when you open the application manager you can "find applications" and navigate to that shared folder, click OK. Then you should have a list of all the applications in the application manager.
Click to expand...

I like this, when you put all you Wonderware applications in one shared folder
and point the nodes to this shared folder, does all your trending & other scripting functions work on these nodes?

thanks
 

Similar Topics

rajy2r
Wonderware InTouch 2017 - User Level Security
I have generally not been required to implement security in InTouch applications, so if there has ever been a need, then have used the InTouch...
Replies
2
Views
2,891
bdossantos
B
C
Wonderware Archestra/Intouch Security
I've got my Intouch Security configured for OS Group Based (ie: Domain) with the appropriate roles defined (matching the Domain) with their access...
Replies
0
Views
2,220
Colt Hero
C
P
Wonderware intouch scada
Hi guys, I have experience with PLC to Excel etc...just starting on using intouch scada screens. I have an Excel sheet that uses mainly...
Replies
1
Views
146
NetNathan
N
M
PROBLEMA WONDERWARE INTOUCH V23 Y DASABCIP
Hola chicos. Tengo un problema con el driver de comucicacion dasabcip 5, y un plc controllogix v34, ya realice la comunicacion pero en ciertos...
Replies
2
Views
158
JeffStadnik
J
M
Wonderware Upgrading (from Intouch WindowMaker 9.5 to Intouch WindowMaker 23)
Hi, I am upgrading a Wonderware SCADA form version 9.5 to version 23. I am able to migrate all the graphic, but when to activate the runtime this...
Replies
8
Views
411
MuHaDa15
M
Back
Top Bottom