Project Protection in TIA Portal

An in-depth guide to keeping TIA Portal Projects safe from accidental and malicious changes because your machines are only as secure as their source code.

As industrial devices get more connected, the need for security in industrial automation has increased.

One of the easiest ways to secure your machines and systems is to use an authentication and authorization system to prevent accidental or malicious modifications to the automation software. After all, your machines are only as secure as their source code.

TIA Portal provides powerful tools for user authentication and authorization within a project or across multiple projects.

In this article, I’ll explain:

  • What authentication and authorization are
  • How to enable project protection in TIA Portal
  • How to configure user roles and authorizations
  • How to manage local users in a TIA Portal Project
  • What are the next steps for implementing centralized user management

In practical terms, authentication is the process of verifying who a user is and authorization is the process of verifying what they have access to. Using these authentication and authorization, you can control who has access to a project and what each user is allowed to do in a project.

Image for post
Authentication and Authorization

Enable Project Protection in TIA Portal

In TIA Portal, you can access the Security Settings in the Project Tree. Double click on Settings to open the Settings Editor window.

Image for post
Open the Security Settings Editor window

You can click on ‘Protect this project’ to activate project protection. Note: once project protection is activated, it cannot be undone.

When you activate project protection, you are prompted to create the credentials for a Project Administrator. Every project has to have at least one administrator who defines and manages the users that have access to the project.

Image for post
When you activate project protection, you have to define the credentials for the project administrator

Define the credentials for the project administrator and click OK to activate project protection. The project is now encrypted and additional security features are available to configure:

Image for post
New security features are available

Now, when you try to open the project, you will be prompted for a user name and password

Image for post
When you open a protected project, you are prompted for user name and password

Configure Users and Roles in TIA Portal

Now, there is one user that can access the project. Throughout the life of a TIA Portal Project though, many people need to access the software for commissioning, quality checks and maintenance purposes. As a project administrator, you can define the users that have access to the project and the authorizations that those users have.

Double click on ‘Users and roles’ in the Project Tree to open the Users and Roles Editor window.

Image for post
Open the Users and Roles Editor Window

In this window, you can see all of the users that are configured in the project as well as the roles that they are assigned to.

In the example below, we can see that the user ‘admin’ was created (1) and that this user belongs to the ‘Engineering administrator’ role (2).

Image for post
Users and Roles in the TIA Portal Project

In the ‘Roles’ tab (1), new roles can be created (2).

Image for post
New roles can be created in the Roles tab

Each role has an associated set of authorizations. These authorizations define what a user that belongs to a specific role can do within a project.

These authorizations can be related to the project itself (for example, a user belongs to a role is allowed to open a read-only version of the project).

Image for post
A role may be authorized to open a read-only version of the project

Other authorizations are related to runtime configuration of devices like managed switches and PLCs.

When the project is downloaded, the users and their respective roles configured within a project are automatically loaded to the devices and stored in an encrypted container.

Manage Users in TIA Portal

In the ‘Users’ tab (1), a project administrator can manage users.

An administrator can add or remove users (2) as well as updating a user’s password and assigned roles (3).

Image for post
A project administrator can manage users in the Users tab

It is possible to assign multiple roles to a single user to give them more rights.

A project administrator can monitor the rights that the user has in the ‘Assigned rights’ tab of the bottom pane.

Image for post
The project administrator can see what rights a user has in the ‘Assigned rights’ pane

Conclusion

Siemens has answered the need for greater security in industrial automation with a flexible authentication and authorization system built directly into TIA Portal. Its easier than ever to secure access to your automation software using native tools.

In this article, I have explained how to configure protection for a project and to create local users and roles with varying authorizations.

These users and roles only exist locally in the TIA Portal Project. If you want to define users and roles which exist across multiple projects (and are synchronized with Windows Active Directory) then you need to use the optional User Management Component (UMC) that is available for TIA Portal.

Latest articles

Standardization

How to Analyze Machines to Identify Standard Modules

Part 2 of Software Standardization for OEMs

Read more
Standardization

An Introduction to Software Standardization for OEMs

Part 1 of Software Standardization for OEMs

Read more
Systematization

What's the ROI on Engineering Efficiency?

How Reducing Engineering and Commissioning Costs Can Dramatically Impact Your Profitability

Read more
More Articles