I've found the onboard user administration in the PV+ and the Siemens MP/Comfort platforms to be fine...until "they" want to add/edit users at runtime. With the PV+ (as I recall...) you can just upload the MER and decompile it to keep the users they've added, as long as that option is enabled and the runtime is new enough. You can't do that with the MP/Comfort (or at least I've never had access to an MMC with enough memory to save the project onto the HMI). I came up with a pretty bad kludge on the MPs where it tries to back up the user configuration to USB every time it's changed but it was very unreliable. At least with WinCC Flex/Comfort, you can uncheck the option to overwrite user security when you download an update to the HMI. You just have to remember to uncheck it. You can also use their backup/restore tool to make a backup of the user administration, but that's another separate step you have to do that isn't available if the HMI dies.
Frankly, IMHO, they all suck. The "best" I've seen was also a little klunky but that was at least partially due to an imperfect implementation. It used Euchner RFID key fob tags and a reader. You could add users/etc. at runtime and the data was stored in the PLC. It mostly worked.