User roles

The base framework of the PLC has no concept of users, only roles. The following description therefore covers the meaning of the roles.
An application (e.g. TcHmiBa) defines users and then assigns each of them a corresponding role.
Depending on the role of the logged-in user, functions in the application are made available or withheld.

Roles

Different access rights are provided for different users:

| Role | Description |
| --- | --- |
| Guest | Lowest access permissions. Users cannot change parameters and can only read current values that are in the Tc3_XBA under VAR_INPUT CONSTANT PERSISTENT. Recommended for standard accesses without user login (e.g. generally accessible control panels). |
| Basic | Restricted access permissions. Users can view rudimentary parameters and can change hardly any values. Recommended for operators with little knowledge of the system. |
| Advanced | Extended access rights. Users have insight into various parameters and, for example, authorization to change setpoints or timer programs. Recommended for operators with basic plant knowledge and instruction to supervise these plants. |
| Expert | Full access rights. Recommended for commissioning and for service personnel, as more in-depth interventions (e.g. adjustment of controller parameters) are also possible. |
| Internal | For Beckhoff support only. |

The user's access area is evaluated at different points in the application to enable or hide certain functions.

Adjustment of access rights from the PLC

It is possible to define access rights from the PLC.

However, this works only at initialization, i.e. not at runtime, and then applies to all objects that have this property.

To do this, an instance of FB_BA_Param is created in a suitable part of the program, preferably in MAIN, and pre-initialized with the corresponding write and read rights.

The initialization is sufficient; no further call is needed in the actual program part.

Sample:

In the following sample, the read and write rights are to be changed for two parameters:

This adjustment requires the instantiation of an FB_BA_Param, here called Parameters, which is structured as follows:

Parameters : FB_BA_Param := (
        // Minimum role required to read each listed parameter
        DefReadAccess := F_BA_ParameterRolesBuilder()
            .Set(E_BA_Parameter.eAcknowledgeRm, E_BA_Role.eBasic)
            .Set(E_BA_Parameter.eDefaultValue, E_BA_Role.eInternal)
            .Build(),

        // Minimum role required to write each listed parameter
        DefWriteAccess := F_BA_ParameterRolesBuilder()
            .Set(E_BA_Parameter.eAcknowledgeRm, E_BA_Role.eExpert)
            .Set(E_BA_Parameter.eDefaultValue, E_BA_Role.eAdvanced)
            .Build());

The DefReadAccess and DefWriteAccess properties each represent an array of the various parameters with the associated roles as minimum access. They are used only to change the roles, which are already predefined.

The Set methods change the minimum access role (E_BA_Role) for a specific parameter (E_BA_Parameter). A Set method must be added for each parameter whose access right is to be changed.

The parameterization of the properties is completed by calling the Build method. This applies to both the DefReadAccess read access property and the DefWriteAccess write access property.

The above implementation changes the read and write access of all objects that have the properties bAcknowledgeRm and DefaultValue (bDefaultValue, fDefaultValue, nDefaultValue). It is also possible to change only the read or only the write access; the change does not have to be made in pairs.
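To see what the sample's overrides mean for each role, the following added example (Python, not Beckhoff or project code) models the builder and the minimum-role check and flags parameters whose write minimum ends up below the read minimum. Assumptions: roles rank in the order of the table above, read and write are checked independently, and `RolesBuilder`, `PREDEFINED` and `ePlaceholder` are hypothetical names with constructed default roles.

```python
from enum import IntEnum

class Role(IntEnum):
    # Assumed ranking: the order of the role table above, lowest rights first.
    GUEST = 0
    BASIC = 1
    ADVANCED = 2
    EXPERT = 3
    INTERNAL = 4

class RolesBuilder:
    """Hypothetical model of F_BA_ParameterRolesBuilder, not Beckhoff code."""
    def __init__(self, predefined):
        self._roles = dict(predefined)      # copy, so predefined roles stay intact
    def set(self, parameter, role):
        if parameter not in self._roles:    # reject typos instead of adding entries
            raise KeyError(parameter)
        self._roles[parameter] = Role(role)
        return self                         # enables the chained .set(...).set(...)
    def build(self):
        return dict(self._roles)

def is_allowed(user_role, parameter, access):
    """A role is granted access when it meets the parameter's minimum role."""
    return user_role >= access[parameter]

def write_without_read(read, write):
    """Parameters whose write minimum is below their read minimum."""
    return sorted(p for p in write if write[p] < read[p])

# Constructed predefined roles; the real defaults are not listed on this page.
PREDEFINED = {"eAcknowledgeRm": Role.ADVANCED, "eDefaultValue": Role.EXPERT,
              "ePlaceholder": Role.BASIC}

# Same overrides as the PLC sample above.
READ = (RolesBuilder(PREDEFINED).set("eAcknowledgeRm", Role.BASIC)
        .set("eDefaultValue", Role.INTERNAL).build())
WRITE = (RolesBuilder(PREDEFINED).set("eAcknowledgeRm", Role.EXPERT)
         .set("eDefaultValue", Role.ADVANCED).build())

if __name__ == "__main__":
    for role in Role:
        row = {p: ("r" if is_allowed(role, p, READ) else "-") +
                  ("w" if is_allowed(role, p, WRITE) else "-") for p in READ}
        print(f"{role.name:9}", row)
    print("write minimum below read minimum:", write_without_read(READ, WRITE))
```

Running the same check over a project's own overrides before commissioning shows which roles can change a value they cannot read back.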

Using the example of an AV object, the change in the Site Explorer is as follows:

User roles 3: