Joe E.

PanelView+ users and passwords

5 posts in this topic

So, here's the situation. We (controls engineers) are trying very hard to get out of the password business. Folks share them with other folks who aren't supposed to have them and within a month or so they're useless, so we have to change them again. I recently added some user administration screens to a Siemens HMI (an old MP277) that allow an admin user to add and delete users and set and change their passwords. We can download an updated project to the HMI without affecting the passwords.

I'd like to add the same functionality to some of our machines with PanelView Plus HMIs. We have some that are the original PV+, some PV+6 standards, some PV+6 compacts, and some PV+7 standards. Our firmware versions run all the way from 5.0 to 9.0. Our View Studio for ME is v8.20, on a 32-bit VM.

I can add controls to allow a properly logged-in user to change passwords, BUT...when I later download an updated *.mer file, it overwrites the users and passwords with whatever is in the project, which almost completely defeats the purpose of this whole exercise.

On a lot of the machines, the password is stored in the PLC, but there are places where "they" don't want the passwords visible to anyone, including the maintenance staff who have access to the PLC program.

So....

Is there an easy way to do the password management in the PV+ HMI without the passwords being overwritten by downloading an updated *.mer file? If possible, we would like to avoid having to muck about in the Windows desktop of the HMI.


Joe, for me, the short answer is no...

Essentially, you are trying to move away from Windows-based user IDs and password management. You'll need logic and database in the PLC and then different objects in HMI to manage this.

If you can and want to maintain the Windows User IDs, then your procedure would be upload the mer and restore it to a project, make changes, create new mer and download.

We've also done all the user name and password management in the PLC, but you say "they" don't want anyone to have access to the passwords, so that's a no go.

We have done some "rule based" logic that calculates a new password every day, but even that has to be stored in the PLC database, which could be seen by Maintenance.

Maybe it's possible to create a similar "rule based" scheme in a macro, not sure how at the moment, that would store the passwords to internal memory tags.  The minor concern would be that if someone had the program, they could figure out the password if they read and understood the macro. Additionally, even internal tags can be displayed on a screen.  Maybe an admin access only screen.

Longer answer is I'm not aware of a foolproof method. Maybe some other ideas out there.


That's what their support folks came back with too. That's not ideal, but may be where we end up with if we have to implement it (we'll resist it for a while). Another option we thought of is "encrypting" the passwords in the PLC by using a know-how protected block or AOI that does "something weird" with the password string so the visible tags in the tag database are gibberish (maybe something as simple as adding an offset to the ASCII code for each character or something). That would make the HMI side easier, but the PLC side harder.


I had a customer that wrote a 128-bit encryption code routine, but still at some point you have to "compare" to something in the tag database that will be visible by Maintenance Staff.

The source protection of the AOI is a possibility, but then someone has to be the gatekeeper of that file and keep it out of "others" hands. You'll have to use local tags, but not sure if or who can view the local tags.

FactoryTalk Administration Console is an idea. I have a customer that we developed a proprietary and patented program. With enabled security, we secure the various PLCs (CompactLogix in this case) to both a specific Windows User and to the Computer Name. We maintain a separate VM, just for this customer, to prevent even opening the application or the program. But I'm still faced with customer requests to modify passwords at various sites (I have roughly 140 sites and about 225 systems) but still based upon Windows Usernames.

Same procedure, I upload, restore, change user pws to something (along with Windows rules for last three used pws), create mer and download, then store the mer back to a "secure" project file on our server.

Edited by pcmccartney1
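
Added example, not from any poster in this thread: the ASCII-offset idea and the "you still have to compare to something visible" concern from the two posts above, sketched in Python on a PC. The offset and sample password are constructed, and storing a salted one-way hash (PBKDF2 here) as the comparison value is an assumption; whether a given controller can compute such a hash is not addressed in the thread.

```python
import hashlib
import hmac
import os

OFFSET = 7  # constructed value for the "add an offset to each ASCII code" idea


def offset_obfuscate(password, offset=OFFSET):
    """Shift every character code by a fixed offset (obfuscation, not encryption)."""
    return "".join(chr((ord(c) + offset) % 256) for c in password)


def offset_recover(stored, offset=OFFSET):
    """Anyone who can read the stored tag and learns the offset gets the password back."""
    return "".join(chr((ord(c) - offset) % 256) for c in stored)


def make_record(password, salt=None, rounds=200_000):
    """Return (salt, rounds, digest). The digest is one-way: reading it does not
    hand over the password, although weak passwords can still be guessed offline."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest


def verify(attempt, record):
    """Re-derive the digest from the typed attempt and compare in constant time."""
    salt, rounds, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "Line4-Setup!"  # constructed sample password
    tag = offset_obfuscate(pw)
    print("offset tag:", repr(tag), "-> recovered:", offset_recover(tag))
    rec = make_record(pw)
    print("pbkdf2 tag:", rec[2].hex())
    print("correct:", verify(pw, rec), "wrong:", verify("line4-setup!", rec))
```

The comparison value in the second scheme is the digest, so the visible tag never holds the password or a reversible form of it.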


Upload first then write changes then download?
Rewrite the whole place to work on Maple Systems? Which has user management in its templates.
I've never been satisfied with how FactoryTalk handles user management.
