Create and restrict users RSLogix 5000

simmo231

Hi everyone,
I have a problem with people who need to view PLC logic also being able to edit and force. I need to restrict certain user groups to viewing only and then allow other user groups to any functions... I have spent hours setting up users and groups and permissions in FactoryTalk Admin Console and I do now get a log in box upon opening Logix 5000, but once logged in the restrictions I set in FTAC are not working and the user still has full access even when I have set permissions to "logic view" only.
Any suggestions on what I may have missed or even any ideas on a simpler method would be much appreciated.
Thanks
 
I've never done it, but I believe you also need to enable security in each PLC you wish to protect. This is done from the Control Properties in Logix/Studio

From Help file:

Important:
Before you associate this project with a specific Security Authority,
Rockwell Automation recommends that you back up the FactoryTalk Directory
and save unsecured versions of this project file in (.ACD) or (.L5X or .L5K)
formats.

It may also be that, once you've enabled security on a PLC, you need to browse to that PLC in FTAC (under Networks and Devices), and set the permissions for Routine: Modify Logic on a per-usergroup basis.

HTH
Good luck
 
Hi, I may not quite understand your post, however in the past I've recommended placing the processors in "run" with the key switch and removing the key. This allows all access, read only. "Remote run" allows all access and edits.
The only drawback would be key control. We did this when I worked for a large water utility; everyone and their brother were accessing the programs and messing things up. The key switch control improved this problem about 95%. Hope this helps.
 
Putting the key in Run is a good start. But it won't prevent forcing or users manually changing data values. But it is an important little step that I find most don't take advantage of.

When you set up your permissions in FTAC did you do that in the Network directory or in the Local directory? The User accounts and permissions come from the Network settings.

When setting permissions, the "Effective Permissions" tab is a great way to see if you have the settings configured properly. It might show that you still have a permission you thought you had removed. For me, I usually find that this is due to a group allow permission that I overlooked.

OG
 
Hello Simmo231!

FactoryTalk security is server-based, as in, the FactoryTalk Directory server specified on the individual's laptop controls the user rights.

Do you have a FactoryTalk Directory server running in your plant?
If so, you need to search "Specify FactoryTalk Directory" in your start menu and connect to that server.
From here on, you can create groups of users with various accesses. In the PLC "Security" tab under Controller Properties, you can also mandate that only users who have "Specified FactoryTalk Directory" to the correct directory can actually connect to the PLC. This is dangerous; read and understand items before usage.
 
Thanks both,
It seems creating user accounts and such through FactoryTalk is more complex than it needs to be. If I can use a keyswitch externally fitted to the equipment and program it to the run status via an input, I think that's possibly my best option as all my processors are inside the cell guarding.
 
It isn't really that difficult to set up.

To expand on what PreLC said just a little...

Each computer defaults to being its own FactoryTalk Network Directory server. Which is fine if you only have one computer. Otherwise, you would need all of your computers to join a single common FactoryTalk Network Directory. Ideally that is a machine that is always available, like a server. But it doesn't have to be a server. It just needs to be always available.

The Specify tool PreLC mentioned is how you get them all to join this one common FT Network directory. This gives you one place to configure security settings rather than setting up each computer individually.

As for the key...not all Logix controllers have keys. Some have slide switches instead. But if the controls are inside a guarded area that would limit access to be able to change that setting. Those that do have keys all use a common key so you would need to make sure you removed all of the keys.


OG
 
Each of our machine cells is individual, one PC running Logix and one PLC set up in each. They are not connected to anything else. When I look at the security tab under properties the security authority is grayed out.
 
I agree with OG.

If you don't have a networking infrastructure, you can still create a local administration console directory on the PC running Studio 5k, then look at this guide to export your policies from one PC, then deploy to all.

Saves some time, but I would highly recommend using one of these computers as a 'server' PC and having the others connect to it.

Once you have it done, it'll seem easier. It works fairly well with user logons.
 
when i look at the security tab under properties the security authority is grayed out.

To change that, you need to go into FTAC, under Policies >> Product Policies >> RSLogix5000 >> Feature Security and add the group you are in to Controller: Secure.

If you refresh the security in Studio (Tools >> Security >> Refresh Privileges), you'll have the ability to change the Controller Properties Security Authority from "No Protection" to "FactoryTalk Security" (with the name of the FTAC server).

And as others have pointed out, that FTAC server should not be your local machine, but the server that administers FT access for the whole network.
 
Hi all,
With all your help I have managed to set up users and engineers permissions etc. Now I need to know if there is an auto log off? I have seen "logon session lease" in security policies and set it to 1 hour but this doesn't seem to be working. Any ideas folks?

Thanks
 
My guess would be the Single Sign-on option is enabled. It allows you to sign in once and as you open and reopen software it keeps you logged in. In other words, it doesn't sign out when you close a package.

In FTAC go to System Policies ==> Security Policy and scroll to the bottom. With SSO disabled you will be prompted to sign in each time you open the software.

OG
 
My solution for this was to have the local user in the "Monitoring only" group I had set up, and people who had privileges had to log on through Studio5k.

I had an AutoHotKey script running on my PC. When the mouse was idle for 5 minutes, it would open Studio5k and give keystrokes Alt+T, Alt+S, Alt+G, which logs off the privileged users and reverts to the local user.

I'll try to find my script, but this was when I was at an older company, not sure if I developed it at home or at work :D

What OG had would work if the software were being opened/closed, but if the software is always running (like on a troubleshooting terminal on the floor) AHK works pretty good.
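
A sketch of the idle log-off approach described in the post above, as an added example in AutoHotkey v1 (not the poster's original script). The 5-minute limit and the Alt+T, Alt+S, Alt+G sequence come from the post; the window-title substring and the polling and delay timings are assumptions to adjust for your installation.

```autohotkey
; Added example, AutoHotkey v1 syntax. Not the original script from the thread.
#Persistent
#SingleInstance Force
#InstallKeybdHook                 ; hooks let A_TimeIdlePhysical ignore this script's own Send
#InstallMouseHook
SetTitleMatchMode, 2              ; match the window title by substring

IdleLimitMs := 5 * 60 * 1000      ; 5 minutes idle, as in the post
WinTitle    := "Logix Designer"   ; ASSUMPTION: substring of the programming software's title bar
LoggedOff   := false              ; send the log-off sequence only once per idle period

SetTimer, CheckIdle, 10000        ; poll every 10 seconds (assumed interval)
return

CheckIdle:
    if (A_TimeIdlePhysical < IdleLimitMs) {
        LoggedOff := false        ; someone touched keyboard or mouse: re-arm
        return
    }
    if (LoggedOff)                ; already logged off during this idle period
        return
    if !WinExist(WinTitle)        ; software not open, nothing to log off
        return
    WinActivate                   ; acts on the window found by WinExist
    WinWaitActive, %WinTitle%,, 2
    if (ErrorLevel)               ; could not get focus; retry on the next poll
        return
    Send, !t                      ; Alt+T
    Sleep, 300                    ; assumed delay so the menu can open
    Send, !s                      ; Alt+S
    Sleep, 300
    Send, !g                      ; Alt+G
    LoggedOff := true
return
```

Keystroke automation fails silently if a modal dialog has focus or the desktop is locked, so treat this as a convenience on top of the FTAC group permissions rather than the control itself.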
 