Adding User Authentication to Automation System
Introduction
This example demonstrates how to configure cyber security setting for user authentication to be compliant to IEC 62443-3-3 in an automation system. The example shows how to add a login prompt to HMI and incoming connections with Studio API, add users and user profiles, and set up access permissions.
For detailed help on how to manage users and change cyber security settings, see the Security Configuration.
Project Overview
To demonstrate user authentication, two users are created with different access need:
- Bob, the system operator, only require access to the HMI/GUI
- John, the system administrator, require full access to the complete system, except for the security settings
Roles are used to prevent or allow access to CDP objects, and there are two user roles defined:
- Operator, this role/profile can view and change settings (Browse, Read, Write)
- ConfigureAdmin, this role/profile has full access (Browse, Read, Write, Change)
Users are created in Configure mode by clicking on the Security tab.
Bob and John are assigned to their respective cyber security roles. The simple automation system consists of
- Datasource application, access restriction set to only allowing ConfigureAdmin users
- GUI application, access restriction allowing any logged-in user to access
The access restrictions to applications or objects are set in the RolePermission field, found for most objects in Configure mode by clicking on Table Editor or Block Diagram tab. If the field is empty, the settings inherited from parent or role defaults apply. To restrict specific access to an application, i.e. deny the users with the role Operator, remove all access rights for the role Operator in the pop-up editor for RolePermission by clicking on the checkboxes. The Datasource generates a simple Sine wave which is displayed in a meter in the GUI application. We have now prevented Bob to access the DataSource application while John can access everything.
Note: Notice the LoginRole property specified on CDPBaseMainWindow in Design mode. This is an optional setting to allow access for the specified role. In this demo it has been set to role Operator. Any user that needs to access the GUI must have this role assigned, currently only Bob has the role Operator and is allowed to use the GUI.
How to Run the Example
To run the example from CDP Studio, open Welcome mode and find it under Examples. Next, in Configure mode right-click on the system project and select Run & Connect. See the Running the Example Project tutorial for more information.
Once the system is started you will be prompted for username and password. To login the GUI application, use username "bob" and password "thisismypassword". To login in CDP Studio, either use "bob" or "john" as a username and "thisismypassword" as a password. You can notice that while logging in as bob, you are not allowed to access the DataSource application, while entering as "john" you are. When you log out (by right-clicking on the system name and selecting Disconnect from the context menu) and then log in (by choosing Connect from the same context menu) as bob you notice that "bob" is not allowed to access the DataSource application, while "john" is.
Note: The login prompt can be customized by adding a "logindialog.ui"file with CDP Studio wizard and modifying it.
Get started with CDP Studio today
Let us help you take your great ideas and turn them into the products your customer will love.