Instructions: You would like to ensure minimum availability of your operator control and monitoring system after powering up and during operation, without having to use the login box. However, you would also like to retain the login function for higher-order operations. In addition, when an operator, such as the administrator, logs out, a default user is to be logged in automatically and the default user's rights are to be assigned in the User Administrator in accordance with your wishes.
In the WinCC OS project editor, select the Message View tab and in the Message Filter make sure that the default setting "Messages with area-enabling" is selected. In this way, the default user can acknowledge the messages on the message pages if that user or the group that user is member of has the "Enable for area" authorization in the WinCC User Administrator. If the messages are not supposed to be acknowledged by the default user, in the WinCC OS project editor, you must select the setting "Acknowledgeable messages in a separate list" for the Message Filter in the Message View tab. More information is available in the WinCC Online Help under "Options > Options for Process Control > OS Project Editor > Message View tab > Message Filter".
In WinCC V6.0, the message filter settings are in the "Runtime Window" tab of the OS project editor and in the corresponding place in the WinCC Online Help.
The setting is also valid for the "Default User" in SIMATIC Logon.
You can implement this function with the enclosed C-script, which involves the following steps:
Open your project in the WinCC Explorer.
Start the C editor of WinCC and go to the directory "Actions > Global Actions".
Use the "Create new action" button to create a new action in which you enter the following script. SilentLogin.pdf ( 10 KB )
In the line "PWRTSilentLogin ("Login","Password");" you replace the user data with that of your default user.
Compile and save the C script as "SilentLogin.pas".
Set a variable trigger in the script editor to the variable @CurrentUser. Select a cycle of "2 s", for instance. This serves to ensure that the script does not burden the system. In the example shown, the @CurrentUser variable is checked for a change every 2 seconds (it indicates which user is currently logged in). The script is only called if the user has changed, e.g. when the previous user logs out.
Make sure that you have enabled the "Global Script Runtime" in the "Startup" tab in the computer properties.
The following steps are necessary for SIMATIC PCS 7 users (from SIMATIC PCS 7 V6.0 SP1):
Copy the system picture @Welcome.pdl to a safe location in order to restore the original picture.
Open the picture @Welcome.pdl using the Graphics Designer.
Open the C script which is saved in the picture selection ("right click > Properties" and then "Event > Picture object > Other > Picture selection").
Comment out the line "PASSLoginDialog(Screen);" with the prefix //.
Compile the C script.
Save the system picture @Welcome.pdl.
When you run the OS project editor again, ensure that the system picture @Welcome.pdl is not copied from the basic data. For this, the @Welcome.pdl must not be marked in the tab "Basic data > Basic pictures in the object differ from the as-supplied state > Apply as-supply state". If you update to a new version, you must apply the new @Welcome.pdl and integrate the changes made above into the new @Welcome.pdl.
If you are using SIMATIC LOGON from version 1.2, you will not need the "Silentlogin" function because, from this version onwards, SIMATIC LOGON contains its own convenient function for automatic login during WinCC runtime. If you use the "Silentlogin" function and wish to switch to SIMATIC LOGON, please undo the steps listed above.
Procedure in SIMATIC LOGON from version 1.2:
Set up a "Default User" group in your project in the user administration area in WinCC Explorer and perform the appropriate authorization level settings in the group. The only user in this "Default User" group is created automatically and saved in the registry. Parameters may not be assigned to this user.
Go to the "General" tab in the SIMATIC LOGON configuration window and select the function "'Default User' is logged on after user logs off". Click "OK" to close the dialog (Fig. 1).
Fig. 1: Configuration dialog of SIMATIC LOGON V1.2. Dialogs from other versions might be slightly different to this figure.
With these settings, the "Default User" is automatically logged on when WinCC runtime is started and when other users log off.
Silent Login, Auto logon
Using a chip card reader, how can a default user be logged on automatically while the chip card is pulled through?
Description: From SIMATIC Logon V1.2 (WinCC V6.0 SP2 and PCS 7 V6.1) onwards you use the "Default user" function. More information is available in the description of SIMATIC Logon.
In the WinCC OS project editor, select the Message View tab and in the Message Filter make sure that the default setting "Messages with area-enabling" is selected. This permits the "Default User" in SIMATIC Logon to acknowledge the messages on the message pages if that user has the "Enable for area" access authorization. The "Default User" has this authorization when the "Default Group" from SIMATIC Logon in the WinCC User Administrator has the "Enable for area" access authorization.
If the messages are not supposed to be acknowledged by the "Default User", in the WinCC OS project editor, you must select the setting "Acknowledgeable messages in a separate list" for the Message Filter in the Message View tab. More information is available in the WinCC Online Help under "Options > Options for Process Control > OS Project Editor > "Message View > Message Filter" tab".
The following description is only necessary for predecessor versions.
If you pull the chip card out of the chip card reader, the system will log you off. At that moment, no user is logged on to the system. You have the following options to log on a default user during this operation.
1. Automatic log-on of a default user while the card is pulled through
The C script will be called as a global action. Since the chip card has the higher priority, the script will only really become effective, once the chip card is pulled through.
Select the internal variable "@CurrentUser" as trigger for this action. Leave the trigger cycle set to the default cycle value of 2 seconds.
Every 2 seconds, the variable is checked for changes and the script is executed if a change occurs.
Shorter cycle times than the default value of 2 seconds for the trigger variable will lead to a loss of the system performance.
Make sure that you have enabled the "Global Script Runtime" in the "Startup" tab in the computer properties.
2. Log-on a of default user by clicking on a button
The following C script is placed behind a button in the "@Welcome.pdl" picture, for example. This script is then only executed when you press the button.
Instructions: You can use the internal WinCC tags "@CurrentUser" and "@CurrentUserName" to have the user currently logged on displayed in a process picture at Runtime.
The internal WinCC tag "@CurrentUser" contains the logon name of the user currently logged on. This is the name that the user uses to log on. Here it doesn't matter whether or not the WinCC option SIMATIC Logon is used.
"@CurrentUserName" The internal WinCC tag "@CurrentUserName" contains the complete name of the user currently logged on. The complete user name is specified in the Windows user administration.
The internal WinCC tag "@CurrentUserName" is only supplied with a value when the WinCC option SIMATIC Logon is used for logon. However, the "@CurrentUserName" tag is also available for dynamization if SIMATIC Logon is not used. But in this case the "@CurrentUserName" is not supplied with a value.
If SIMATIC Logon is used for logon and the complete user name is not defined in the Windows user administration or contains only empty spaces, then at Runtime the "@CurrentUserName" tag contains the logon name of the user currently logged on.
Using the OS project editor you can define whether the value of the internal tag "@CurrentUser" (current logon name) or "@CurrentUserName" (complete user name) is to be displayed in the overview ("@Overview1.pdl"). This setting in the OS project editor is in the "Layout" tab, in the "Display" area. More information on this topic is available in the WinCC Information System under "Working with WinCC > Structure of the User Administration > WinCC Options for Administrators > Option SIMATIC Logon > How to use the SIMATIC Logon Service with WinCC".
If you use the "@CurrentUserName" tag (complete user name) for displaying the user name in the process picture, but do not use SIMATIC Logon, the "@CurrentUserName" tag is not supplied with the name of the current user. Then an empty character string is display as the user name at Runtime. Please not that display of the complete user name can only be used in combination with SIMATIC Logon.
How can you verify a logged on user at runtime when using SIMATIC Logon (as from V1.3)?
Description The WinCC User Administrator does not provide any functions by default that can be used to verify currently logged on users through password querying. WinCC has functions for triggering and executing a logon procedure. However, this means that there is a new logon even if the current user name is used again for the logon. Logon is usually linked to a picture change (calling the Start picture) and the closing of all faceplates.
Aim Often, just before execution of a switching action, there is a demand for checking the user currently logged on by an additional password query. There is not to be a renewed logon. After successful verification of the user the switching action is to be executed and the operator action stored as an operator input message. This prevents unauthorized operator actions, e.g. when the user currently logged on is absent for a brief time without logging off from the system.
The SIMATIC Logon option permits you to verify a user at runtime. This entry describes the procedure for SIMATIC Logon V1.3 and higher. As from this version of SIMATIC Logon the "SIMATIC Logon Development Kit" is available. Information on this is available in:
the manual "SIMATIC Logon Programming Guide" (after installation this manual is available in the directory: "...\SimaticLogon\developmentkit").
Notes Entry ID 24458070 describes the procedure for SIMATIC Logon up to and including V1.22.
With the "ISLSScripting" interface the "SIMATIC Logon Development Kit" permits you to run a user verification at runtime using VBScript. This entry provides a VBScript (function "SL_VerifyUser") that uses the "GetLogon" and "AuthenticateUser" methods of the "SIMATIC Logon Development Kits" to verify a logged on user at runtime.
Instructions The following table describes the settings required for proper functioning.
Open the Windows "Computer Management" (right-click on "MyComputer" and click on "Administrative Tools") and then click on "System" > "Local Users and Groups".
Create a new user in a new group if necessary in the "Users" and "Groups" folders and then close "Computer Management".
In WinCC, open the "User Administrator" and create the same group (name) and the same user (name) as created in Windows.
Assign the user rights and check the"SIMATIC Logon" check box.
Open the Global VBS editor, create a new project module and save the script from the file SL_VerifyUser.txt (contained in SL_VerifyUser.zip)
Copy the bmo file in the "" folder of the WinCC project, compile and save the script.
Call the "SL_VerifyUser" function before the required operator action and check whether the return value is "true" (current user) or "false" (another user or abort in the Login dialog). Trigger the operator action and any operator input after successful user verification. Verifying the user can be done with an onclick event of a button.
If SL_VerifyUser = TRUE Then
'<operator action> '<operator input>
Else '<error message>
If the user or password is entered incorrectly, the Login dialog reopens.
The Entry ID 24325381 provides detailed information on generating an operator input message.
Function The following table describes the structure and function of this script.
Declaration and initialization In the first part of the script constants are defined and the tags used are declared and initialized. In order to access the SIMATIC Logon interface with WinCC VBScript at runtime the COM interface must be initialized with the call "CreateObject".
Verify the user currently logged on
Using the "GetLogon" method the data of the user currently logged on is acquired.
The "AuthenticateUser" method is used to open the Logon dialog.
In this dialog, the user can interactively enter a user name and password. The Logon dialog is initialized so that the "Change password..." button is not operable and the "Comment" input field is not displayed. The system checks the user's inputs. Upon successful identification the method closed the Logon dialog and returns the logon data as a result. If identification is unsuccessful (incorrect user name or incorrect password), the Logon dialog remains open. A brief error text is displayed and the user can enter the user name and password again. If you press the "Cancel" button, the Logon dialog closes. In this case the method returns an error status that indicates that the Logon dialog has been aborted.
The "AuthenticateUser" method does not permit you to preset the "User name" field with the name of the user currently logged on when the Logon dialog opens. For this reason the "AuthenticateUser" method is called again in a loop when the user verification has been completed successfully, but the user verified is not the user currently logged on.
Therefore the title bar of the Logon dialog also displays the name of the user currently logged on. In this way the user is informed that the user currently logged on is being verified.
A Logon dialog opened with the "AuthenticateUser" method is not automatically closed when there is a simultaneous logoff or new logon on the system. For this reason the second call of the "GetLogon" method ensures that the user verification works properly even when there is a simultaneous logoff or new logon on the system.
The "HMIRuntime.Trace" statements are purely for the output of diagnostics messages in the Global Script diagnostics window or the "Output Window" of APDIAG.
Release resources and close the function In this part the resources used are released again and the function closed. Upon successful user verification the "SL_VerifyUser" function returns the value TRUE, otherwise the value FALSE.
Version These instructions have been tested with the following versions.
Product and version designation
PC operating system
Microsoft Server 2003 SP2
SIMATIC Logon 1.4 SP1
GMP, Pharma, Life Science, Validation, FDA 21 CFR Part 11
How can you verify a logged on user at runtime when using SIMATIC Logon up to version V1.2 SP1?
Instructions: The WinCC User Administrator does not provide any functions by default that can be used to verify currently logged on users through password querying. WinCC has functions for triggering and executing a logon procedure. However, this means that there is a completely new logon even if the current user name is used again for the logon. Logon is usually linked to a picture change (calling the Start picture) and the closing of all faceplates.
Aim: Often, just before execution of a switching action, there is a demand for checking the user currently logged on by an additional password query. There is not to be a renewed logon. After successful verification of the user the switching action is to be executed and the operator action stored as an operator input message. This prevents unauthorized operator actions, e.g. when the user currently logged on is absent for a brief time without logging off from the system.
If you use the SIMATIC Logon option up to version V1.2 SP1, you have the functions of the so-called AUA interface available to access the SIMATIC Logon user administration. This present entry uses the "VerifyUser()" and "GetSignature()" functions of the AUA interface to verify the user currently logged on at runtime.
Warning! Note that the AUA interface is no longer supported as from version SIMATIC Logon V1.3. Entry 24458155 shows how to proceed in that case.
"VerifyUser()" The function is declared as follows:
The "UserID" and "Password" parameters are assigned to the function as character strings. The function checks for the password for the "UserID" (user name) transferred. Once the password has been verified the function returns the character string "ok" and in the case of error it returns an error text.
"GetSignature()" The function is declared as follows:
BOOL (LPCTSTR UserID);
The "UserID" parameter is transferred to the function as a character string. The function opens the "Electronic Signature" dialog and presets the "UserID" field with the "UserID" transferred.
Now the user can enter the relevant password in the "Password" field. Click on the "Sign" button and the function checks the transferred UserID and password. Once the user specified has been verified the dialog closes and the function returns the value "TRUE". If there is an error, the "Electronic Signature" dialog remains open. You can enter the password again. If you press the "Cancel" button, the dialog closes and the function returns the value "FALSE".
This entry provides the script "SimaticLogonVerifyUser()" to execute user verification at runtime. The requirement for the script is the SIMATIC Logon option The following table describes how to use this script and adapt it to your requirements.
Copy the C function for user verification into the WinCC project
The following download contains the "simaticlogonverifyuser.fct" file.
Copy this file into the "library" directory in your WinCC project directory. Open the "Global Script C" editor and execute the "Tools > Regenerate Header" menu command. Then the "SimaticLogonVerifyUser()" function is available as project function. You must execute this step also in the WinCC project of a client(MultiClient) if there is to be operation with user verification on a client.
Note: The structure of the "SimaticLogonVerifyUser()" function is described below.
The function checks whether valid character strings have been transferred in the parameters"pszUserID" and "pszPassword". It transfers the values to the "VerifyUser()" function. If the value "ZERO" has been transferred in the parameter "pszUserID", the user currently logged on is acquired and transferred. Upon successful verification by the "VerifyUser()" function, the function returns the value "TRUE". If the "VerifyUser()" functions detects an error, the "GetSignature()" function is called along with the relevant user. If the user now enters the valid password in the "Electronic Signature" dialog and acknowledges the input with the "Sign" button, the function returns the value "TRUE". If the "Electronic Signature" is aborted, the function returns the value "FALSE".
Use the C function for user verification
You can use the "SimaticLogonVerifyUser()" function directly in the process image or in a faceplate. The following figure shows the call of the function by clicking on a button.
Change this example accordingly to meet your requirements. In this example, after the "SimaticLogonVerifyUser()" function has been called successfully, an operator input message is triggered and the relevant WinCC tag for switching on the pump is set.
The "ISALG_OperationLog()" function is simply used here as an example for generating an operator input message. Entry ID 24325381 provides detailed information on generating an operator input message. Note that when generating an operator input message, the system automatically enters the name of the user currently logged on in the "User Name" system block for display in the WinCC Alarm Control. Therefore in this example the value "ZERO" in the "pszUserID" is transferred purposely to the "SimaticLogonVerifyUser()" function, so that there is no difference between the user currently logged on and the user actually verified.
How can you configure a chip card with SIMATIC Logon, with which you can log onto each local computer?
Instructions: You open the dialog for editing the chip card with "Start > SIMATIC > SIMATIC Logon > Edit smart card". If you enter a computer name in the "Log onto:" selection field, then with this chip card you can only log onto that computer with the configured user name and password. This means that you need an appropriately configured chip card for each computer.
In order to configure a chip card that is valid for all computers you must enter a dot "." in the "Log onto:" selection field.
In this way you can create a chip card for an "Emergency User" with the option of using it to log on locally to the entire system. The requirement for this is that local logon is configured in SIMATIC Logon.
Note: An Emergency User logs on locally to the PC. The Emergency User can be used for logging on when the logon server for SIMATIC Logon cannot be reached.
How can I prevent the SIMATIC Logon window from appearing in CFC
when I want to compile/download the S7 program?
If you have installed SIMATIC Logon on your system, then all the
activities that you run in CFC/SFC will be logged as well. For this
you have to log in to the program with a user name and password
each time you compile or download the program. To avoid this, in
PCS 7 version V6.0 SP2 you can disable the Logon window and define
a fixed user.
This fixed user is then logged on automatically for all PCS 7
applications from the time you start the SIMATIC Manager to the
time you close the SIMATIC Manager. Please note that this automatic
logon is valid for all PCS 7 applications, including some
applications for which you might not wish to grant automatic access
(e.g. OS, License Manager,...).
In the SIMATIC Manager select Options > Simatic Logon
Enter the user name and associated password.
In the Start bar you now see the running SIMATIC Logon Service
including the user logged on.
How do you block a user account after a user-definable number of failed attempts to login?
Description: Since SIMATIC Logon operates with Microsoft Windows users, this operating system's security guidelines are used. If a user logs on locally, these settings have to be configured on each computer. If SIMATIC Logon is used to logon on a central logon computer, the settings only have to be defined there.
In order to set up an account blocking threshold, define the following setting under "Start > Settings > Control Panel > Administrative Tools > Local security guideline".
SIMATIC Logon also works after this with these settings.
Note: Besides activating an account block, the settings for the "Account block duration" and "Reset duration for the account-block counter" may also be useful. This way, the administrator doesn't have to unblock the account each time there are x failed attempts. However, given the set delays, the system is still secure.
How can you have entries generated by SIMATIC Logon in the password-protected file displayed, printed out or exported?
Instructions: Display: With SIMATIC Logon the tool
"SIMATIC Logon Eventlog Viewer" is used to display recorded events.
You can start the program via "Start > SIMATIC >SIMATICLogon
> SIMATICLogon Eventlog Viewer".
Export, Print: You can neither export nor print out these
entries. In the currently valid versions (SIMATIC PCS 7 V6.1 and
SIMATIC Logon V1.2 + SP 1 + HF1) .
How can you restore the WinCC Logon Box in the OS Runtime when SIMATIC Logon is installed on the computer?
Instructions: Starting with PCS 7 V6.1 (WinCC V6.0 SP3), you have the option of activating and deactivating the SIMATIC Logon Box in the WinCC User Administrator. When you deactivate the SIMATIC Logon Box, the WinCC Logon Box is activated automatically.
In all versions prior to PCS 7 V6.1, proceed as follows to restore the WinCC Logon Box:
Using the OS simulation on the ES:
Copy the attached "UserAdmin.ini" file into the path: WinCC_Project\Computer name\PASS
With direct start of OS Runtime:
Copy the attached "UserAdmin.ini" file into the path: WinCC_Project\PASS
Description: This phenomenon can occur when the group
names in the User Administrators of Microsoft Windows and WinCC are
not absolutely identical. The group names must be absolutely
identical also with regard to uppercase/lowercase characters.
Warning: A user is created temporarily in the
"Emergency Operator" group if the associated Windows group does not
exist in the WinCC User Administrator.
When using SIMATIC Logon, why is there a user already logged on after starting WinCC RT?
Description: In this case SIMATIC Logon is already
active in another SIMATIC application (such as STEP 7). Thus, the
active user is transferred to the application that SIMATIC Logon is
using. This procedure is identical to the authentication procedure
in Windows and is designated the "Single Sign On" procedure.
Why, when implementing SIMATIC Logon, is only the logged-on user displayed in the WinCC User Administrator during Runtime?
Description: When implementing SIMATIC Logon, only the logged-on user is displayed in the WinCC User Administrator during Runtime. Through logging on via SIMATIC Logon the user is created temporarily in the WinCC User Administration and deleted again upon logging off or when WinCC Runtime is terminated. If the user changes (when the WinCC User Administrator is open), you must restart the WinCC User Administrator to have the new user displayed.
This behavior applies only for WinCC V6.0 including all service packs and hot fixes. From WinCC V6.2 users logged on through SIMATIC Logon are no longer displayed in the WinCC User Administrator.
Detailed information on SIMATIC Logon is available in the "WinCC Information System" under "Working with WinCC > Structure of the User Administration > WinCC Options for Administrators > Option SIMATIC Logon".
Why does a C script "PWRTSilentLogin" only work with WinCC users and not with SIMATIC Logon users?
Description: The C script access the users created in the WinCC User Administrator.
In SIMATIC Logon V1.2 and higher there is however the possibility in SIMATIC Logon that a "Default User" is logged on automatically when a logged-on user logs off. In this way with a mouse-click you can elegantly save yourself configuring by script. Detailed information on setting the "Default User" is available in the manual "SIMATIC Logon", section 126.96.36.199. The manual is available in Entry ID: 34519648 .