User rights

Default user

PLCnext Controls are supplied with a preset admin user and a default password that is printed on the controller's housing. 
Security shield Security note: Use the default admin password only for initial access and change it as soon as possible!

admin user

When a user logs onto a PLCnext Control with the admin user, the user is also recognized with the same name and password by the Linux® system. The user is therefore assigned to the plcnext group of the Linux® system. Files that this user may read, write to and/or execute are assigned to the plcnext group file system.

plcnext_firmware user

The plcnext_firmware user is another major user in the Linux® system. It is permanently integrated and is used for starting the plcnext_firmware processes. In the Linux® system, this user can to execute all the operations required.
In addition to the Linux® user rights, the PLCnext Technology firmware also has its own user management, handled by means of the Web‑based Management. Its configuration is described in User Authentication (up to firmware release 2024.6) and in User management (from firmware release 2025.0).

Override with sudo

Executing Linux commands that require higher rights is made possible for the users via sudo. Which Linux commands the PLCnext users are allowed to execute via sudo is being configured in the Linux system.

POSIX™ ACLs

On secure-by-default devices, also file and folder permissions/restrictions by means of access control lists (ACLs) can be present. For details see Access control lists.

Default rights settings

The following rights are available:

Rights plcnext group admin sudo required
Setting and inspecting IP settings (including ifconfig, ping, netstat, etc.)
(for ifconfig)
Configuring the firewall
Starting/stopping the firewall (see firmware scripts)
Inspecting the firewall with nft
Configuring VPN (IPsec and OpenVPN™)
Starting/stopping VPN services (IPsec and OpenVPN™)
Editing the Default PLCnext folder for individual ACF, ESM, GDS configurations, and *.so
Starting/stopping the PLCnext Technology firmware processes by shell scripts
Reading PLCnext log files
Calling and configuring TOP/HTOP
Firmware update via update script with sudo update-plcnext(note: only up to firmware 2024.6)
Configuring the NTP server
Setting the root password with passwd
Requesting the system time with date
Setting the system time with sudo date -s
Restarting/shutting down the controller with reboot or shutdown
Write access to /opt/plcnext and /opt/plcnext/projects
Recording network traces with tcpdump
Starting the gdbserver with root rights (see C++ remote debugging )
Resetting to factory defaults with sudo recover-plcnext 1 (up to firmware 2024.6, see also Factory reset)

Root rights

For some commands you require advanced rights. To this end, the root user password needs to be set while the root user itself already exists under the Linux® system.

Risk of personal injury or damage to equipment

With active root user access, the controller must not be used for live operation.

Before live operation of the controller return to an appropriate user role and remove the root user password.

Security Note: With root user access, you can make unlimited changes on the controller. Root rights are therefore only suitable for qualified application programmers and software engineers with relevant experience.
  • Avoid making changes to the PLCnext Technology firmware or Operating System itself. If changes are necessary, see Overlay File System for details.
  • Do not supply the device with an already set password for the root user.
  • Remove the root password as soon as root user access is not required any more.

Setting a root user password

  • Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
  • Enter this command:
    sudo passwd root
  • To authorize this command, enter the admin user's password .
  • Enter a new password for the root user (minimum 5 characters, preferably consisting of upper-case and lower-case letters plus numbers).
  • Confirm the new password by entering it again.
    Show the screenshotShow the screenshot
    console2

Using the root user

  • Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
  • Switch to the root user with the su - command and the root user's password.
  • Perform the activities that need the root user's rights.
  • Once you have executed all the activities as the root user, change back to the previous user role (e.g., admin) using the exit command.

Removing the root password

If the root user is no longer required, remove the password. This prevents unauthorized users from modifying the firmware.

  • Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
    Security shield Security note: Use the default admin password only for initial access and change it as soon as possible!
  • In the shell or command line interface, enter this command: sudo passwd -dl root.

After that, the root user stays present on the controller. Before using it again you have to set a new password.

Recommended: The easiest way to undo changes to the root user is a reset to default setting type 1. This will also remove the root user's password.

SSH login as root user

By default, the SSH login as a root user is prevented for security reasons. Nevertheless, they are some cases where the SSH login as the root user is necessary to perform commands that are reserved for the root user under a secure SSH connection.

To log in as a root user, the root user password must be set.

Security Note: With root user access, you can make unlimited changes on the controller. Root rights are therefore only suitable for qualified application programmers and software engineers with relevant experience.
  • Avoid making changes to the PLCnext Technology firmware or Operating System itself. If changes are necessary, see Overlay File System for details.
  • Do not supply the device with an already set password for the root user.
  • Remove the root password as soon as root user access is not required any more.

To enable or disable direct login via SSH for the root user, you have to configure this in the sshd_config file as shown here:

Activating SSH login as root user

  • Connect to the controller and log in as the root user.
  • Open the /etc/ssh/sshd_config file with a suitable editor.
  • In the # Authentication: section, enable the PermitRootLogin yes entry that is commented out by default.
  • Restart the SSH service with /etc/init.d/sshd reload

Deactivating SSH login as root user

  • Connect to the controller and log in as the root user.
  • Remove the file /etc/rfs/rw/upperdir/etc/ssh/sshd_config from the file system of your controller.
  • Reboot the controller. 

Other user roles and their rights

Web‑based Management

These are the defaults of visibility and accessibility on WBM 2 pages, valid from firmware release 2025.0.
For information on firmware release up to 2024.6 see User Authentication.

Note: User roles that are not mentioned in a table do not have any access permission in the regarding context. 

WBM 2 pages Page and tab access: User role
Admin SecurityEngineer SecurityAuditor CertificateManager UserManager Engineer Commissioner Service DataViewer DataChanger Viewer
Overview
Device section General Data
Diagnostics section PROFINET
[r] read-only access 		Other tabs
NetNames [r] [r] [r] [r] [r]
Notifications
Axioline
INTERBUS
Configuration section Network
[r] read-only access
[r/s] read access and 
reset statstics 		IP configuration [r/s]     [r/s] [r/s] [r/s]      
Netload limiter [r/s]       [r] [r]      
Date and Time                  
System Services                  
PLCnext Store                  
Proficloud                  
SPLC              
Fan Control                  
Web Services                  
Security
section		 SD card                  
Firewall                  
Syslog                  
Project integrity 
[r] read-only access		       [r]          
Certificate management                
User management                
User policies                  
LDAP configuration                
Security Profile                  
System
section		 Device maintenance
[c] only change the user password
[nr] cannot reboot oder reset the device 		[c] [c] [nr] [nr] [nr] [c] [c] [c]
App management                
System services                  
Backup & restore                  
License management                  
Update                  

PLCnext Engineer

Note: User roles that are not mentioned in a table do not have any access permission in the mentioned features in PLCnext Engineer.

PLCnext Engineer Access permission for: User role
Admin SecurityAdmin Engineer Commissioner Service DataViewer DataChanger Viewer EHmiViewer EHmiChanger SafetyEngineer
PLCnext Engineer 
user interface		 View values in the cockpit (e.g., utilization)      
Transfer a project to the controller                
Start (cold/warm restart) or stop the controller              
Restart the controller (reboot)                    
Reset the controller to default setting type 1                    
View online variable values        
Overwrite variables                
Set and delete breakpoints                
Download safety-related programs to the controller  
[4] 		             
[5]
Start or stop safety-related programs  
[4] 		             
[5]
Debug safety-related programs   
[4] 		             
[5]
PLCnext Engineer
HMI application		 View online variable values              
Overwrite variables                  
  1. As of firmware 2023.0 LTS, safety permissions for the Engineer user role are always enabled. As of the firmware 2023.0.1 LTS hotfix: if the Security Profile is enabled, safety permissions for the Engineer user role are disabled. If needed, use the SafetyEngineer user role in addition. See detailed description of combined safety user roles.
  2. Do not use this user role alone. This role is designed for use as an add-on to other user roles, e.g. Engineer. See detailed description of combined safety user roles.

Applications and services

Note: User roles that are not mentioned in a table do not have any access permission in the mentioned applications and services.

Note: Additional roles may be necessary, e.g. for use with the Device and Update Management.
Application or
service		 Access permission for: User role
Admin SecurityAdmin Engineer Service DataViewer DataChanger Viewer FileReader FileWriter SoftwareUpdate SafetyUpdater
SD card,
parameterization memory		 SFTP access to the file system with an SFTP client
[6] 		                   
Shell SSH access to the shell
[6] 		                   
By means of dedicated tools Update safety-related firmware on the controller                  
OPC UA® access by means of a client application View online variable values        
Overwrite variables              
Read files
(OPC UA file transfer must be enabled via PLCnext Engineer) 		                 
Write files
(OPC UA file transfer must be enabled via PLCnext Engineer) 		                 
Update firmware on the controller                  
Device and Update Management (DaUM) Update firmware, software and projects                    
  1. Authentication with a user name and password is always required for SSH or SFTP access, even if user authentication is disabled.

 

Related Topics

  1. Connecting to the controller
  2. Authentication failure handling

 

 

• Published/reviewed: 2025-07-04  ✿  Revision 081 •