Fundamentals
Application
User administration enables you to create and administer users with different access rights to the functions of the control. You assign roles to the users that reflect their respective tasks, such as machine operator or setup technician.
User administration is inactive in the control's factory default setting. This status is called legacy mode.
Description of function
Users
The user administration offers the following types of users:
- Function users pre-defined by HEIDENHAIN
- Function users pre-defined by the machine manufacturer
- Self-defined users
Depending on the task assigned, you can use one of the pre-defined function users or you have to create a new user.
If you deactivate user administration, the control saves all configured users. Thus they will be available again when user administration is reactivated.
If you want to delete the configured users upon deactivation, you need to set this explicitly when deactivating user administration.
HEIDENHAIN function users
HEIDENHAIN function users are pre-defined users that are automatically created upon activation of user administration. Function users cannot be changed.
HEIDENHAIN provides four different function users in the control's factory default setting.
- useradmin
The useradmin function user is automatically created upon activation of user administration. The useradmin function user allows you to configure and edit user administration.
- sys
The sys function user allows you to access the SYS: drive of the control. This function user is reserved for use by HEIDENHAIN service personnel.
- user
In legacy mode, the user function user is automatically logged on to the system during control startup, and this logged-on user cannot be changed. When user administration is active, the user function user has no effect.
- oem
The oem function user is intended for the machine manufacturer. The oem function user allows you to access the PLC: drive of the control.
The useradmin function user
The useradmin user is comparable to the local administrator of a Windows system.
The useradmin account provides the following functions:
- Creating databases
- Assigning the password data
- Activating the LDAP database
- Exporting LDAP server configuration files
- Importing LDAP server configuration files
- Emergency access if the user database was destroyed
- Retroactive change of the database connection
- Deactivating user administration
Function users pre-defined by the machine manufacturer
Your machine manufacturer can define up to 32 function users, such as for machine maintenance or for setting up and operating external systems.
Function users defined by the machine manufacturer can also be used as a substitute for code numbers. You can use the function users' passwords to enable their additional rights temporarily.
The machine manufacturer's function users can already be active in legacy mode and replace code numbers.
Roles
HEIDENHAIN combines several rights for individual task areas into roles. Pre-defined roles are available that you can use to assign rights to your users. The tables below describe the individual rights of the different roles.
Advantages of classification in roles:
- Simplified administration
- Different rights are compatible between different software versions of the control and different machine manufacturers.
User administration offers roles for the following tasks:
- Operating system roles: access to functions of the operating system and interfaces
- NC operator roles: access to functions for programming, setting up and running NC programs
- Machine tool builder (PLC) roles: access to functions for configuring and checking the control
Every user should have at least one role from the operating system area and at least one role from the programming area.
HEIDENHAIN recommends granting more than one person access to an account with the HEROS.Admin role, so that necessary changes to user administration can also be made in the administrator's absence.
Local or remote registration
You can enable a role either for local login or for remote login. With a local login, the user logs on directly at the control's screen. A remote login (DNC) is a connection via SSH.
If a role is only enabled for local login, "Local." is added to the role name (e.g., Local.HEROS.Admin instead of HEROS.Admin).
If a role is only enabled for remote login, "Remote." is added to the role name (e.g., Remote.HEROS.Admin instead of HEROS.Admin).
You can therefore also make the rights of a user dependent on the access used to operate the control.
Rights
User administration is based on Unix rights management: access to the control is controlled by means of rights.
A right groups several functions of the control (e.g., editing the tool table).
User administration offers rights for the following tasks:
- HEROS rights
- NC rights
- PLC rights (machine manufacturer)
If a user is assigned more than one role, that user is granted all rights contained in these roles, i.e., the union of the roles' rights.
Ensure that every user is assigned the access rights that user needs, and no more. The access rights follow from the tasks the user performs on the control.
The access rights of HEIDENHAIN function users are already pre-defined in the control's factory default setting.
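The following is an added example (not HEIDENHAIN code and not the control's actual implementation) that models the three rules described above: a user gets the union of the rights of all assigned roles, a "Local." or "Remote." prefix makes a role count only for the matching login channel, and every user should hold at least one operating system role and one NC role. Only the role name HEROS.Admin appears in this section; every other role and right name in the table below is an illustrative placeholder. The per-channel audit goes one step beyond the text, since a prefixed role can leave one channel without an operating system or NC role.

```python
from typing import Dict, Iterable, List, Set

# Assumed role -> rights table for the demo. HEROS.Admin is the only role named
# in the manual text; the remaining role and right names are illustrative
# placeholders, not HEIDENHAIN identifiers.
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "HEROS.Admin": {"heros.useradmin", "heros.network", "heros.files"},
    "HEROS.NormalUser": {"heros.files"},
    "NC.Programmer": {"nc.program.edit", "nc.tooltable.edit"},
    "NC.Operator": {"nc.program.run"},
    "PLC.ConfigureControl": {"plc.config"},
}

LOCAL, REMOTE = "local", "remote"


def effective_roles(assigned: Iterable[str], channel: str) -> Set[str]:
    """Roles in force for one login channel.

    'Local.X' counts only when logged on at the control's screen,
    'Remote.X' only for an SSH (DNC) login, an unprefixed role on both.
    """
    roles: Set[str] = set()
    for name in assigned:
        if name.startswith("Local."):
            if channel == LOCAL:
                roles.add(name[len("Local."):])
        elif name.startswith("Remote."):
            if channel == REMOTE:
                roles.add(name[len("Remote."):])
        else:
            roles.add(name)
    return roles


def effective_rights(assigned: Iterable[str], channel: str) -> Set[str]:
    """Union of the rights of every role in force: several roles grant all their rights."""
    rights: Set[str] = set()
    for role in effective_roles(assigned, channel):
        if role not in ROLE_RIGHTS:
            raise KeyError(f"unknown role {role!r}")
        rights |= ROLE_RIGHTS[role]
    return rights


def audit_user(assigned: Iterable[str]) -> List[str]:
    """Check the rule that a user has at least one operating system role and one NC role.

    Evaluated separately for local and remote login (this example's extension),
    because Local./Remote. prefixes can strip a channel of one role family.
    """
    findings: List[str] = []
    for channel in (LOCAL, REMOTE):
        roles = effective_roles(assigned, channel)
        if not any(r.startswith("HEROS.") for r in roles):
            findings.append(f"{channel}: no operating system (HEROS) role")
        if not any(r.startswith("NC.") for r in roles):
            findings.append(f"{channel}: no NC role")
    return findings


if __name__ == "__main__":
    # Constructed user: full admin at the screen, ordinary user over SSH.
    user = ["Local.HEROS.Admin", "Remote.HEROS.NormalUser", "NC.Programmer"]
    for ch in (LOCAL, REMOTE):
        print(ch, sorted(effective_rights(user, ch)))
    print("audit:", audit_user(user) or "ok")
    print("audit:", audit_user(["Local.HEROS.Admin", "NC.Operator"]))
```

Running the demo shows heros.useradmin in the local rights set but not in the remote one; the second audit reports that the same user would have no operating system role when connecting via SSH, which is exactly the kind of gap the prefix rules make easy to overlook.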
Password settings
If you use an LDAP database, users with the HEROS.Admin role can define password requirements. For this, the control provides the Password settings tab.
The following parameters are available:
Password lifetime
- Validity period of password:
Here, you can indicate how long the password can be used.
- Warning before expiration:
From the defined time, a warning will be issued that the password will soon expire.
Password quality
- Minimum password length:
Here, you can indicate the minimum password length.
- Minimal number of character classes (upper/lower, digits, special):
Here, you can indicate the minimum number of different character classes required in the password.
- Maximum number of repeated characters:
Here, you can indicate the maximum number of identical successive characters in the password.
- Maximum length of character sequences:
Here, you can indicate the maximum length of the character sequences to be used in the password (e.g., 123).
- Dictionary check (number of matching characters):
Here, you can enable a check for whether the password contains known (dictionary) words and specify how many matching characters are tolerated.
- Minimum number of characters changed compared to previous password:
Here, you can specify how many characters in the new password must be different from the previous one.
You define the values for each parameter on a scale.
For reasons of security, passwords should meet the following criteria:
- At least eight characters
- Letters, numbers, and special characters
- No whole words and no character sequences (e.g., Anna or 123)
If you use special characters, pay attention to the keyboard layout: HEROS assumes a US keyboard layout, whereas the NC software assumes a HEIDENHAIN keyboard, so the same key can produce a different character depending on where the password is entered. External keyboards can be freely configured.
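As an added illustration of the password quality parameters listed above, the following checker is example code written for this page; it is not HEIDENHAIN's implementation, and its numeric thresholds, its reading of "dictionary check (number of matching characters)" as the longest tolerated dictionary word, its measure of "characters changed", and the small word list are all assumptions made for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed mini word list for the dictionary check; a real deployment
# would use a proper dictionary.
DEMO_WORDS = frozenset({"anna", "password", "welcome", "heidenhain", "machine"})


@dataclass(frozen=True)
class PasswordPolicy:
    """Thresholds mirroring the Password settings tab; defaults are assumed for the demo."""
    min_length: int = 8        # Minimum password length
    min_classes: int = 3       # Minimal number of character classes (upper/lower/digit/special)
    max_repeat: int = 2        # Maximum number of repeated (identical successive) characters
    max_sequence: int = 3      # Maximum length of character sequences (e.g. 123, abc)
    dict_max_match: int = 3    # Dictionary check: longest dictionary word tolerated
    min_changed: int = 4       # Minimum number of characters changed vs. previous password
    words: frozenset = DEMO_WORDS


def char_classes(pw: str) -> int:
    """Number of the four classes present: upper, lower, digits, special."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for t in tests if any(t(c) for c in pw))


def longest_repeat(pw: str) -> int:
    """Longest run of identical successive characters ('aaa' -> 3)."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def longest_sequence(pw: str) -> int:
    """Longest run of consecutive code points, ascending or descending ('1234', 'dcb')."""
    best = min(len(pw), 1)
    for step in (1, -1):
        run = 1
        for a, b in zip(pw, pw[1:]):
            run = run + 1 if ord(b) - ord(a) == step else 1
            best = max(best, run)
    return best


def dictionary_hit(pw: str, policy: PasswordPolicy) -> bool:
    """True if a dictionary word longer than the tolerated length occurs in the password."""
    low = pw.lower()
    return any(len(w) > policy.dict_max_match and w in low for w in policy.words)


def changed_chars(new: str, old: str) -> int:
    """Position-wise differences plus any length difference (assumed simple measure)."""
    same = sum(1 for a, b in zip(new, old) if a == b)
    return max(len(new), len(old)) - same


def check_password(pw: str, policy: PasswordPolicy = PasswordPolicy(),
                   previous: Optional[str] = None) -> List[str]:
    """Return the names of the violated parameters; an empty list means accepted."""
    violations: List[str] = []
    if len(pw) < policy.min_length:
        violations.append("min_length")
    if char_classes(pw) < policy.min_classes:
        violations.append("min_classes")
    if longest_repeat(pw) > policy.max_repeat:
        violations.append("max_repeat")
    if longest_sequence(pw) > policy.max_sequence:
        violations.append("max_sequence")
    if dictionary_hit(pw, policy):
        violations.append("dictionary")
    if previous is not None and changed_chars(pw, previous) < policy.min_changed:
        violations.append("min_changed")
    return violations


if __name__ == "__main__":
    # Constructed candidates: the manual's own bad example, a trivial edit, a strong one.
    for cand, prev in (("Anna1234", None), ("Passw0rd!", "Passw0rd"), ("Tx7#pLq2!mK", "Anna1234")):
        print(f"{cand!r}: {check_password(cand, previous=prev) or 'accepted'}")
```

"Anna1234" satisfies the length and character-class thresholds yet still fails twice, on the ascending sequence 1234 and on the dictionary word, which is why the manual warns against whole words and sequences separately from length and character mix; appending a single character to an old password fails only the "characters changed" rule.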
Additional directories
HOME: drive
When user administration is active, every user has a private HOME: directory in which to save private programs and files.
The HOME: directory can be viewed by the respective logged-in user and by users with the HEROS.Admin role.
public directory
When user administration is activated for the first time, the public directory is set up below the TNC: drive.
The public directory can be accessed by any user.
In the public directory you can, for example, make files available to other users.
Configuring user administration
User administration needs to be configured before you can use it.
Perform the following steps for configuration:
- Opening the User administration window
- Activating user administration
- Defining the password for the useradmin function user
- Setting up a database
- Creating a new user
- You can exit the User administration window after each configuration step.
- If you exit the User administration window directly after having activated user administration, the control will prompt you for a restart once.
- When user administration is active, only secure network connections via SSH or OPC UA (#56-61 / #3-02-1*) can be set up. Any existing non-secure network connections must be set up again as secure connections.
Open the User administration window
To open the User administration window:
Activating user administration
To activate user administration:
- Select User administration active
- The control shows the message Password for user 'useradmin' missing.
- Retain or reactivate the active status of the Anonymize users in log data function
- The Anonymize users in log data function serves data privacy and is active by default. While it is active, user data in all log files of the control is anonymized.
- If you exit the User administration window directly after having activated user administration, the control will prompt you for a restart once.
- When user administration is active, only secure network connections via SSH or OPC UA (#56-61 / #3-02-1*) can be set up. Any existing non-secure network connections must be set up again as secure connections.
Defining the password for the useradmin function user
If you are activating user administration for the first time, you must define a password for the useradmin function user.
To define a password for the useradmin function user:
- Select Password for useradmin
- The control opens the Password for user 'useradmin' pop-up window.
- Enter the password for the useradmin function user
- Repeat the password
- Select Set new password
- The control shows the message Settings and password for 'useradmin' were changed.
Setting up a database
To set up a database:
- Select the database for saving your user data (e.g., Local LDAP database)
- Select Configuration
- The control opens a window for configuring the corresponding database.
- Follow the instructions from the control in the window
- Select APPLY
The following options are available for saving your user data:
- Local LDAP database
- LDAP on remote computer
- Connection to Windows domain
Parallel operation of Windows users and users from an LDAP database is possible.
Creating a new user
To create a new user:
- Select the User administration tab
- Select Create new user
- The control adds a new user to the User list.
- Change the name as needed
- Assign a password as needed
- Define a profile image as needed
- Enter a description as needed
- Select Add role
- The control opens the Add role window.
- Select a role
- Select Add
- Select Close
- The control closes the Add role window.
- Select OK
- Select APPLY
- The control adopts the changes.
- Select END
- The control opens the System reboot required window.
- Select Yes
- The control restarts.
The user must change the password when logging in for the first time.
Deactivating user administration
User administration can be deactivated only by the following function users:
- useradmin
- oem
- sys
To deactivate user administration:
Notes
- Retain or reactivate the active status of the Anonymize users in log data function. If servicing becomes necessary or if the log files have to be transmitted for another reason, the contracting party will be able to view the user data contained in them. In that case, it is your responsibility to ensure that all required data protection provisions are in place at your company.
- Some user administration areas are configured by the machine manufacturer. Refer to your machine manual.
- HEIDENHAIN recommends activating user administration as part of an IT security concept.
- If both user administration and a screensaver are active, then the current user's password must be entered to unlock the screen.
- If you used Remote Desktop Manager to establish private connections before user administration was activated, these connections are no longer available after the activation of user administration. Save your private connections before activating user administration.