coolhand

Need to limit programming access

8 posts in this topic

We just had a situation in the plant where we now want to limit programming access to only two people. We have both RS Logix 5 & 500. Using it as a tool for troubleshooting a machine is invaluable and we don't want to take that away. The PLCs are now password protected, but we still need to give others "viewing rights". What do we need? And what obstacles will we see? Thanks for the help. I'm sure this has been discussed out here several times. If you know of any past discussions please give me a link. Thanks

I was going to suggest that you provide all the "look but don't touch" people with RSLadder and the actual programmers use RSLogix, but I just checked the RSI site and didn't see RSLadder mentioned. I wonder if they discontinued it?

They still have it. It comes bundled with RSLinx Professional or Gateway. Contact your local AB rep. Click here, then click on search, scroll down to extensions and look for RSLadder 5 and 500: http://www.rockwellautomation.com/rockwell...ware/downloads/ RSLinxMatrix.pdf

Edited by Mickey

For Look but Don't touch access RSLadder is a good option. If you are also considering version control and history check out MDT Software AutoSave product. It works rather seamlessly with Rockwell and gives a lot of extra features.

Is RSLadder processor specific, or will it work with both 5 and 500?

Yes. There are two of them: RSLadder 5 and RSLadder 500.

I hope this helps you: http://rockwellautomation.custhelp.com/cgi...amp;p_topview=1

I just went through this. The first thing you're going to hear about is RSMACC or the other version that they sell now. This stores permission information in FactoryTalk and doles out security according to who is logged in. It offers much finer grained control than what I'm about to suggest. It's not cheap but it's slightly less of a pain in the rear in certain cases (access control is much more fine-grained).

The second way is using the built-in security in PLC-5's and SLC's/Micrologix. You can have up to 4 "users" at least on the PLC-5, each with different security. With the SLC's, it seems to be more of an all-or-nothing affair. Each "user" is called a privilege class. This is all detailed in the "Protecting Your Programs" chapter of the PLC-5 user manuals (not the instruction set reference manual). The passwords are stored in both the PLC and the documentation file so even if you are editing the file offline, you still have to use the security to make changes to the file. Within each privilege class, you can control virtually every aspect of editing, even to the point of being able to make each program and each data file read only or read/write, and allowing say uploading of a complete new copy of the program but not doing edits, and you can turn forcing on/off.

Now, here's the kicker that you really have to plan for. When you connect to the PLC via one of its ports (Ethernet, serial port, 1A, 1B are all treated differently), you can set it to assign a particular "privilege class" as a default. So you could set all ports to be read-only for troubleshooting with password protection on the "programming access", and your two users could have different passwords with room for a third. The downside is that there's NO way to set passwords via RS-Linx or RS-Linx Enterprise. Outside of writing your own software, only RS-Logix gives you the ability to set a password.

So if you are using any sort of an HMI or operator interface that needs to be able to write data to the PLC, those data files MUST remain open. If you did the smart thing with regards to performance in terms of how RS-Linx works, then hopefully all of your data is stored in a single data file so that RS-Linx or whatever is doing the data access will automatically tend to read several bytes at once instead of issuing a separate read for each byte in PLC memory. In that case, you can let the default permissions be read/write for that data file but set read-only for everything else. If you mixed and matched, you may have difficulty locking down specific data files because if you make all your data files read-only, the HMI/operator interface will be denied access, too.

A second way around it that I've been able to implement is that all of our Panelviews are using DH+ but we program/troubleshoot via serial port or Ethernet. So I can set privileges to make DH+ default to "wide open" but slam the door shut on the other two ports.

Make sure when you do this that you lock up all the older copies of the program that don't have security implemented. Since this all works at the hardware level, there's only one way I know of to spoof the system. You would have to start a new program and carefully copy everything over into the new program except the security setup. Then blank the processor (power down, pull the battery, short the contacts, then replace the battery and power back up), and upload the fresh new copy with security stripped out of it.

RSMACC or the other version whose name escapes me works at the software level (RS Asset Security?). It gives you much finer grained control over RS-Logix. You can implement as many security settings as you want and you can control access down to the bit-level. It will work equally well on PLC-5's and SLC/Micrologix. Since it's a software-based security, you won't have the operator interface problem to contend with. You can categorically deny programming access which would stop the above loophole. And it logs everything that anyone does.

The spoofing method for this is to get a "rogue" copy of RS-Logix. For instance if I downloaded a copy off the Internet onto a personal laptop and grabbed a copy of your program files, then since I am outside your security domain, I could plug into the PLC and access it without RSMACC or RS Asset Security with everything wide open. The password/privilege method prevents me from using this method since it's done at the hardware level.

So either way...you can pay for security or use what's there. Both methods work with various degrees of success. It is possible to get around security, but it depends on how creative and determined someone is to bypass it.
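The planning problem described in the last post (a default privilege class per port, with the HMI's data files left writable) can be checked on paper before anything is configured. The following is an added example, not part of the thread and not Rockwell software: a simplified, constructed model in which the class names, channel names, data-file names and the `audit` function are all assumptions made for illustration.

```python
# Simplified, constructed model of the scheme described in the post above:
# privilege classes, a default class per channel, per-file write rights.
from dataclasses import dataclass, field

@dataclass
class PrivilegeClass:
    name: str
    can_edit_program: bool = False
    can_force: bool = False
    writable_files: set = field(default_factory=set)  # data files this class may write

def audit(classes, channel_default, hmi_writes, max_classes=4):
    """Return (severity, message) findings for a planned configuration.

    classes         -- {name: PrivilegeClass}
    channel_default -- {channel: class name applied with no password entered}
    hmi_writes      -- {channel: set of data files the HMI on it must write}
    """
    findings = []
    if len(classes) > max_classes:
        findings.append(("ERROR", f"{len(classes)} classes defined, limit is {max_classes}"))
    for channel, cls_name in sorted(channel_default.items()):
        cls = classes[cls_name]
        needed = hmi_writes.get(channel, set())
        if cls.can_edit_program or cls.can_force:
            findings.append(("ERROR", f"{channel}: default class '{cls_name}' allows edits or forces without a password"))
        for f in sorted(needed - cls.writable_files):
            findings.append(("ERROR", f"{channel}: HMI needs to write {f} but '{cls_name}' is read-only there"))
        for f in sorted(cls.writable_files - needed):
            findings.append(("WARN", f"{channel}: '{cls_name}' can write {f}, which no HMI on this channel uses"))
    return findings

# Constructed plan: PanelViews on DH+ (1A), troubleshooting on serial/Ethernet.
CLASSES = {
    "programmer": PrivilegeClass("programmer", True, True, {"N7", "N10", "B3"}),
    "hmi":        PrivilegeClass("hmi", writable_files={"N10", "B3"}),
    "viewer":     PrivilegeClass("viewer"),
}
CHANNEL_DEFAULT = {"1A": "hmi", "serial": "viewer", "ethernet": "viewer"}
HMI_WRITES = {"1A": {"N10", "N7"}}

if __name__ == "__main__":
    for severity, message in audit(CLASSES, CHANNEL_DEFAULT, HMI_WRITES):
        print(severity, message)
```

With this constructed plan the audit reports that the HMI on 1A would be denied writes to N7 and that B3 is writable there without any HMI needing it.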