Limit PLC Access FactoryTalk Security vs Service Edition

bmschedler

I am trying to evaluate the differences between using FactoryTalk Security and the Service Edition of Rockwell software to limit access to edit PLCs (upload, download, edit tags) for maintenance personnel while allowing them to view code. (RSLogix 500, 5000, Studio 5000)

I understand the best way to limit this is to send maintenance to training and have them fully understand the severity of editing PLCs, but alas I am still being asked to evaluate limiting the ability via engineering controls.

I do not want to limit editability on a PLC by switching the control to RUN as it limits the engineers from having remote access.

After looking at FactoryTalk Security it seems I can granularly select which things each user has in regards to RSLogix 5, 500, and 5000. How does this work though? Does it make it so that whenever a user accesses a license of one of the previous software they must log in? It seems that this could be circumvented by locally going online with the PLC.

The Service Edition looks like a good option since you can lock out upload and download, which forces them to get a copy from AssetCentre. It sucks to have to purchase more licenses, but Rockwel.... Can the Service Edition still edit tag values though?
 
Rockwell security is more or less free. Logging the security, though, happens through FT AssetCentre.

Do you have the following infrastructure?

1) Capability of getting a Windows Server to host a central FactoryTalk Directory which individual computers with programming software can connect to?
2) An Active Directory at your workplace shared by all PCs?

If your answer is Yes to only (1)
- Get a Windows Server commissioned for your purposes and install the FactoryTalk Services Platform on that PC.
Once you have a FactoryTalk Services Platform, specify this server as the directory to your PC. Now, you can change policies from the directory which grey out your RSLogix buttons based on your logged-in usernames. A list of capabilities is here:
[Image: nJlSUAm.png]

Once you have this setup done, go to your PLC, and change this drop-down to the server name configured above.
[Image: rJdNYHB.png]


Now your PLCs would force you to be connected to this server if you want to do any operations, and it would limit your operations to your assigned privilege in the server.
 
So if you disconnect from the network, since the security in the PLC itself has been changed, it won't allow you to do anything to the PLC? What if you connect directly to the PLC via USB or Ethernet or serial port?

Does this work with all PLC versions or does this security setting only go back so far? I would imagine it would stop at the SLC 5/05.
 
If your laptop is offline, there is a cached amount of time that is configurable from the administration console to specify how long before your laptop is disconnected from the directory.
I haven't tried other than Ethernet, but I would assume that it has nothing to do with connection protocol, as it's likely verifying a checksum against your PC.

I believe this can also be set to infinite. This is why you see the cache timeout in your "Log on to FactoryTalk" icon in the system tray.
[Image: vlQsUXc.png]


It works for all RSLogix 5, 500, 5000.
This is because Rockwell PLCs are 21 CFR Part 11 compliant, and enforce well-built feature control and data logging.
 