Access rights, levels and functions
mapp Services V5.16
This section explains terminology relevant to user management as used by this mapp component.
The administrator is responsible for managing the other users (adding, blocking, deleting, editing, etc.). Whether a user is an administrator or not is determined by the user group. Which rights the administrator has is defined in the MpUser configuration.
The level provides information about the access rights for the machine. The higher the level, the more access rights are granted to the user. The level is defined for each user group. All users in a group have the same level. If desired, the various functions of the machine and HMI application can be blocked or allowed using levels. The following table provides an example:
| User group | Level | Administrator rights | Comment |
|---|---|---|---|
| Machine owner | 100 | Yes | Can operate the machine without limitations and manage users |
| Process technician | 70 | No | Has high-level access rights but cannot manage users (no administrator rights) |
| Shift supervisor | 50 | Yes | The shift supervisor can create and edit users. This is only possible if the users are at a lower level, however. |
| Machine operator | 30 | No | Works daily with the machine |
| Maintenance technician | 30 | No | Operates the machine during maintenance |
| Visitor | 3 | No | Group that has read access to the HMI application but has no access to any additional functions |
If there are several groups at the same level, they can be differentiated through the assignment of different access rights.
The machine where user management is implemented has a wide variety of functions. These may include recipe management, process control, alarm management and/or changing process parameters. Various access rights can be assigned for these (and other) functions:
• No rights: The user has no rights to use this function.
• Read access: The user can view data but not edit it.
• Start/Stop access: The user can start or stop a function but has no other influence on the process (e.g. modifying process parameters).
• Full access: The user has read and write access for a certain function.
• Undefined: Used if rights have not been specifically defined. The user also has no rights for the various functions in this case.
One of these rights exists for each function. The functions can be defined as needed. In the example above, two groups have the same level. The difference, however, is in the different access rights assigned for the different functions:
| Function | Machine operator | Maintenance technician |
|---|---|---|
| Automatic process control | Start/Stop access | No rights |
| Recipe management | No rights | No rights |
| Opening safety doors | No rights | Full access |
| Manual process control | Start/Stop access | Full access |
The functions are part of the machine software and are not defined via mapp. In the configuration it is possible to define which rights apply to which machine functions.
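The level and access-right rules above, modelled as an added Python example. This is not B&R code and not the MpUser API: the names `Group`, `is_allowed`, `can_manage`, `undifferentiated` and the action names are assumptions made for illustration, while the groups and rights come from the two example tables.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Actions permitted by each access right. "Undefined" grants nothing, like
# "No rights". Assumption: "Full access" also covers start/stop.
RIGHT_ACTIONS = {
    "No rights": frozenset(),
    "Undefined": frozenset(),
    "Read access": frozenset({"read"}),
    "Start/Stop access": frozenset({"start_stop"}),
    "Full access": frozenset({"read", "write", "start_stop"}),
}

@dataclass
class Group:
    name: str
    level: int
    admin: bool
    rights: dict = field(default_factory=dict)  # machine function -> access right

def is_allowed(group, function, action):
    """Deny by default: a function without an entry counts as "Undefined"."""
    return action in RIGHT_ACTIONS[group.rights.get(function, "Undefined")]

def can_manage(actor, target):
    """Managing users needs administrator rights and a strictly higher level."""
    return actor.admin and actor.level > target.level

def undifferentiated(groups, functions):
    """Same-level group pairs with identical effective rights on every function."""
    def effective(g):
        return tuple(RIGHT_ACTIONS[g.rights.get(f, "Undefined")] for f in functions)
    return [(a.name, b.name) for a, b in combinations(groups, 2)
            if a.level == b.level and a.admin == b.admin
            and effective(a) == effective(b)]

# Sample data from the page's tables (function rights are only listed there
# for the two level-30 groups).
FUNCTIONS = ["Automatic process control", "Recipe management",
             "Opening safety doors", "Manual process control"]
OWNER = Group("Machine owner", 100, True)
TECHNICIAN = Group("Process technician", 70, False)
SUPERVISOR = Group("Shift supervisor", 50, True)
OPERATOR = Group("Machine operator", 30, False, dict(zip(FUNCTIONS, [
    "Start/Stop access", "No rights", "No rights", "Start/Stop access"])))
MAINTENANCE = Group("Maintenance technician", 30, False, dict(zip(FUNCTIONS, [
    "No rights", "No rights", "Full access", "Full access"])))
```

`undifferentiated` is useful when reviewing a configuration: any pair it returns is two groups at the same level that behave identically and could be merged or given distinct rights.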
Access to a user account can also be granted using a token. Possible tokens include:
• RFID chip
• USB flash drive
Identification numbers are managed internally. A name can be assigned to each token, however.
Logging in using a token is not yet implemented.
Only the administrator has the right to lock and unlock a user (the administrator must have a higher user level than the user).
Other users, including the administrator, will be automatically locked if the password is entered incorrectly too many times when logging in. The number of permitted attempts is defined in the configuration with parameter "Login attempts".
The administrator will be unblocked automatically after an hour. This time can also be changed in the configuration with parameter "Admin unlock time". If this time is set to 0, then the administrator will not be locked automatically.
To unlock the user in this case, the admin can start command "Lock = TRUE" on structure MpUserMgrUIUserType. The unlocking procedure can then be confirmed ("Confirm = TRUE") in the dialog box structure of MpUserMgrUIConnectType ("MessageBox").
A user will also be locked if the associated account is not used for a long period of time. This time is defined in the configuration with parameter "User expiration time". If it is set to 0, this function is not used and the account can always be used.
A locked user can only be unlocked by the administrator.