Siemens SIMATIC S7-1500 System Manual page 240

Protection
11.3 Local user management
Users, roles and function rights - details of new features
Users and roles were already being managed in the predecessor version by TIA Portal under
"Security settings > Users and roles". In addition to the existing user management for HMI
devices, for example, you can also manage all CPU function rights via this editor as of TIA
Portal Version V19.
The CPU function rights are valid during runtime. Therefore, these rights are located in the
"Runtime rights" tab in the editor for users and roles. For each CPU in the project, there is a
section with all CPU function rights to choose from - separated according to CPU services such
as PG/HMI communication (engineering access, access levels), CPU web server and OPC UA.
In addition to the user management for projects, there were additional user managements
for CPU web servers and OPC UA servers (static user management for CPUs up to FW version
V3.0) in the properties of the CPU:
• User for the OPC UA server (authentication)
• User for the CPU web server (authentication and access control)
These additional user managements are integrated in the local user management in the
project tree as of TIA Portal V19 and as of CPU FW version V3.1.
Introduction to the local user management and access control
For SIMATIC Drive Controllers up to CPU firmware version V3.0, you have managed the users
separately according to services such as "Web server" and "OPC UA" under the respective CPU
properties. Web server users were parameterized in the "Web server" area, OPC UA users in
the "OPC UA" area.
To restrict the PG/HMI access to the CPU at different levels, you configured passwords for the
corresponding access levels. With this procedure, for example, HMI accesses could be
permitted without restriction, but write accesses could be made dependent on the
knowledge of a password. You have agreed passwords for the different access levels in the
"Protection & Security" area of the CPU properties. The access protection therefore always
related to groups that have the appropriate passwords - not to individual users.
With the introduction of the local user management and access control from TIA Portal
version V19 onwards, you can use the "Security settings > Users and roles" area in TIA Portal
in the project tree for all users and their roles and function rights of a CPU. This also applies to
the access protection for engineering/HMI access, which as of TIA Portal version V19 no
longer works via access levels with password protection by default, but also via user
management.
You can find more information about the new access protection in the section From the
access level to the function right of users (Page 242).
As already introduced for engineering rights, for example, you use the role assignments for
combining individual function rights. In a further step, you assign the roles to individual
users. All the function rights which were assigned to a user via roles and which the user can
exercise for the corresponding CPU are listed In the "Assigned rights" tab.
238
SIMATIC Drive Controller
System Manual, 11/2023, A5E46600094-AD