User rights
Default user
PLCnext Controls are supplied with a preset admin user and a default password that is printed on the controller's housing.
Security note: Use the default admin password only for initial access and change it as soon as possible!
admin user
When a user logs onto a PLCnext Control with the admin user, the user is also recognized with the same name and password by the Linux® system. The user is therefore assigned to the plcnext group of the Linux® system. Files that this user may read, write to and/or execute are assigned to the plcnext group in the file system.
plcnext_firmware user
The plcnext_firmware user is another major user in the Linux® system. It is permanently integrated and is used for starting the plcnext_firmware processes. In the Linux® system, this user can execute all the operations required.
In addition to the Linux® user rights, the PLCnext Technology firmware also has its own user management, handled by means of the Web‑based Management. Its configuration is described in User Authentication (up to firmware release 2024.6) and in User management (from firmware release 2025.0).
Override with sudo
Executing Linux commands that require higher rights is made possible for the users via sudo. Which Linux commands the PLCnext users are allowed to execute via sudo is configured in the Linux system.
POSIX™ ACLs
On secure-by-default devices, file and folder permissions/restrictions by means of access control lists (ACLs) can also be present. For details see Access control lists.
Default rights settings
The following rights are available:
Rights | plcnext group | admin | sudo required |
Setting and inspecting IP settings (including ifconfig, ping, netstat, etc.) | ✓ | ✓ | ✓ (for ifconfig) |
Configuring the firewall | ✓ | ✓ | – |
Starting/stopping the firewall (see firmware scripts) | ✓ | ✓ | ✓ |
Inspecting the firewall with nft | ✓ | ✓ | ✓ |
Configuring VPN (IPsec and OpenVPN™) | – | ✓ | – |
Starting/stopping VPN services (IPsec and OpenVPN™) | – | ✓ | ✓ |
Editing the Default PLCnext folder for individual ACF, ESM, GDS configurations, and *.so | ✓ | ✓ | – |
Starting/stopping the PLCnext Technology firmware processes by shell scripts | – | ✓ | ✓ |
Reading PLCnext log files | ✓ | ✓ | – |
Calling and configuring TOP/HTOP | ✓ | ✓ | – |
Firmware update via update script with sudo update-plcnext (note: only up to firmware 2024.6) | – | ✓ | ✓ |
Configuring the NTP server | ✓ | ✓ | – |
Setting the root password with passwd | – | ✓ | ✓ |
Requesting the system time with date | ✓ | ✓ | – |
Setting the system time with sudo date -s | ✓ | ✓ | ✓ |
Restarting/shutting down the controller with reboot or shutdown | – | ✓ | ✓ |
Write access to /opt/plcnext and /opt/plcnext/projects | ✓ | ✓ | – |
Recording network traces with tcpdump | ✓ | ✓ | ✓ |
Starting the gdbserver with root rights (see C++ remote debugging) | – | ✓ | ✓ |
Resetting to factory defaults with sudo recover-plcnext 1 (up to firmware 2024.6, see also Factory reset) | – | ✓ | ✓ |
Root rights
For some commands you require advanced rights. To this end, the root user password needs to be set; the root user itself already exists in the Linux® system.
Risk of personal injury or damage to equipment
With active root user access, the controller must not be used for live operation.
Before live operation of the controller, return to an appropriate user role and remove the root user password.
With root user access, you can make unlimited changes on the controller. Root rights are therefore only suitable for qualified application programmers and software engineers with relevant experience.
- Avoid making changes to the PLCnext Technology firmware or Operating System itself. If changes are necessary, see Overlay File System for details.
- Do not supply the device with an already set password for the root user.
- Remove the root password as soon as root user access is not required any more.
Setting a root user password
- Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
- Enter this command:
sudo passwd root
- To authorize this command, enter the admin user's password.
- Enter a new password for the root user (minimum 5 characters, preferably consisting of upper-case and lower-case letters plus numbers).
- Confirm the new password by entering it again.
Using the root user
- Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
- Switch to the root user with the su - command and the root user's password.
- Perform the activities that need the root user's rights.
- Once you have executed all the activities as the root user, change back to the previous user role (e.g., admin) using the exit command.
Removing the root password
If the root user is no longer required, remove the password. This prevents unauthorized users from modifying the firmware.
- Connect to the controller via its IP address and log in as admin user. The default password for the admin user is printed on the controller's housing.
Security note: Use the default admin password only for initial access and change it as soon as possible!
- In the shell or command line interface, enter this command:
sudo passwd -dl root
After that, the root user stays present on the controller. Before using it again you have to set a new password.
Recommended: The easiest way to undo changes to the root user is a reset to default setting type 1. This will also remove the root user's password.
SSH login as root user
By default, the SSH login as a root user is prevented for security reasons. Nevertheless, there are some cases where the SSH login as the root user is necessary to perform commands that are reserved for the root user under a secure SSH connection.
To log in as a root user, the root user password must be set.
To enable or disable direct login via SSH for the root user, you have to configure this in the sshd_config file as shown here:
Activating SSH login as root user
- Connect to the controller and log in as the root user.
- Open the /etc/ssh/sshd_config file with a suitable editor.
- In the # Authentication: section, enable the PermitRootLogin yes entry that is commented out by default.
- Restart the SSH service with /etc/init.d/sshd reload
Deactivating SSH login as root user
- Connect to the controller and log in as the root user.
- Remove the file /etc/rfs/rw/upperdir/etc/ssh/sshd_config from the file system of your controller.
- Reboot the controller.
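The root password and SSH root login procedures above each leave state on the controller that should be verified before live operation. The following shell sketch is an added example, not Phoenix Contact code: the function names and sample files are constructed, and it assumes the standard shadow and sshd_config file formats.

```shell
#!/bin/sh
# Added audit sketch for the two root-access settings this page changes.
# Function names and sample data are constructed for illustration.

# Print the first uncommented PermitRootLogin value ("unset" if none);
# sshd applies the first occurrence of a keyword.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Classify root's password field in a shadow-format file:
# locked (field starts with ! or *), empty (no hash), or set (hash present).
root_password_state() {
    awk -F: '$1 == "root" {
                 if ($2 == "") print "empty"
                 else if ($2 ~ /^[!*]/) print "locked"
                 else print "set"
                 found = 1; exit
             }
             END { if (!found) print "missing" }' "$1"
}

# Verdict for a review before live operation.
# $1 = sshd_config path, $2 = shadow path
audit_root_access() {
    login=$(root_login_setting "$1")
    pw=$(root_password_state "$2")
    if [ "$pw" != "locked" ] || [ "$login" = "yes" ]; then
        echo "FAIL root_password=$pw PermitRootLogin=$login"
        return 1
    fi
    echo "OK root_password=$pw PermitRootLogin=$login"
}

# Constructed sample input (not taken from a real controller).
demo_dir=$(mktemp -d)
printf '# Authentication:\n#PermitRootLogin yes\n' > "$demo_dir/sshd_default"
printf '# Authentication:\nPermitRootLogin yes\n' > "$demo_dir/sshd_enabled"
printf 'root:!:19000:0:99999:7:::\n' > "$demo_dir/shadow_locked"
printf 'root:$6$salt$hash:19000:0:99999:7:::\n' > "$demo_dir/shadow_set"

audit_root_access "$demo_dir/sshd_default" "$demo_dir/shadow_locked"
audit_root_access "$demo_dir/sshd_enabled" "$demo_dir/shadow_set" || true
rm -rf "$demo_dir"
```

On a controller, the same functions can be pointed at /etc/ssh/sshd_config and /etc/shadow; reading /etc/shadow requires elevated rights.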
Other user roles and their rights
Web‑based Management
These are the defaults of visibility and accessibility on WBM 2 pages, valid from firmware release 2025.0.
For information on firmware release up to 2024.6 see User Authentication.
Note: User roles that are not mentioned in a table do not have any access permission in the respective context.
WBM 2 pages | Page and tab access: | User role | |||||||||||
Overview | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
Device section | General Data | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Diagnostics section | PROFINET [r] read-only access |
Other tabs | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
NetNames | ✓ | ✓ | ✓ | [r] | [r] | ✓ | ✓ | ✓ | [r] | [r] | [r] | ||
Notifications | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
Axioline | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
INTERBUS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
Configuration section | Network [r] read-only access [r/s] read access and reset statistics |
IP configuration | ✓ | ✓ | [r/s] | [r/s] | [r/s] | [r/s] | |||||
Netload limiter | ✓ | ✓ | [r/s] | [r] | [r] | ||||||||
Date and Time | ✓ | ✓ | |||||||||||
System Services | ✓ | ✓ | |||||||||||
PLCnext Store | ✓ | ✓ | |||||||||||
Proficloud | ✓ | ✓ | |||||||||||
SPLC | ✓ | ✓ | ✓ | ✓ | |||||||||
Fan Control | ✓ | ✓ | |||||||||||
Web Services | ✓ | ✓ | |||||||||||
Security section | SD card | ✓ | ✓ | ||||||||||
Firewall | ✓ | ✓ | |||||||||||
Syslog | ✓ | ✓ | |||||||||||
Project integrity [r] read-only access | ✓ | ✓ | [r] | ||||||||||
Certificate management | ✓ | ✓ | ✓ | ||||||||||
User management | ✓ | ✓ | ✓ | ||||||||||
User policies | ✓ | ✓ | |||||||||||
LDAP configuration | ✓ | ✓ | ✓ | ||||||||||
Security Profile | ✓ | ✓ | |||||||||||
System section | Device maintenance [c] only change the user password [nr] cannot reboot or reset the device | ✓ | ✓ | ✓ | [c] | [c] | [nr] | [nr] | [nr] | [c] | [c] | [c] | |
App management | ✓ | ✓ | ✓ | ||||||||||
System services | ✓ | ✓ | |||||||||||
Backup & restore | ✓ | ✓ | |||||||||||
License management | ✓ | ✓ | |||||||||||
Update | ✓ | ✓ |
PLCnext Engineer
Note: User roles that are not mentioned in a table do not have any access permission in the mentioned features in PLCnext Engineer.
PLCnext Engineer | Access permission for: | User role | ||||||||||
PLCnext Engineer user interface | View values in the cockpit (e.g., utilization) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Transfer a project to the controller | ✓ | ✓ | ✓ | |||||||||
Start (cold/warm restart) or stop the controller | ✓ | ✓ | ✓ | ✓ | ||||||||
Restart the controller (reboot) | ✓ | |||||||||||
Reset the controller to default setting type 1 | ✓ | |||||||||||
View online variable values | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
Overwrite variables | ✓ | ✓ | ✓ | |||||||||
Set and delete breakpoints | ✓ | ✓ | ✓ | |||||||||
Download safety-related programs to the controller | ✓ | ✓ [4] | ✓ [5] | |||||||||
Start or stop safety-related programs | ✓ | ✓ [4] | ✓ [5] | |||||||||
Debug safety-related programs | ✓ | ✓ [4] | ✓ [5] | |||||||||
PLCnext Engineer HMI application | View online variable values | ✓ | ✓ | ✓ | ✓ | |||||||
Overwrite variables | ✓ | ✓ |
- As of firmware 2023.0 LTS, safety permissions for the Engineer user role are always enabled. As of the firmware 2023.0.1 LTS hotfix: if the Security Profile is enabled, safety permissions for the Engineer user role are disabled. If needed, use the SafetyEngineer user role in addition. See detailed description of combined safety user roles.
- Do not use this user role alone. This role is designed for use as an add-on to other user roles, e.g. Engineer. See detailed description of combined safety user roles.
Applications and services
Note: User roles that are not mentioned in a table do not have any access permission in the mentioned applications and services.
Application or service | Access permission for: | User role | ||||||||||
SD card, parameterization memory | SFTP access to the file system with an SFTP client [6] | ✓ | ||||||||||
Shell | SSH access to the shell [6] | ✓ | ||||||||||
By means of dedicated tools | Update safety-related firmware on the controller | ✓ | ✓ | |||||||||
OPC UA® access by means of a client application | View online variable values | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
Overwrite variables | ✓ | ✓ | ✓ | ✓ | ||||||||
Read files (OPC UA file transfer must be enabled via PLCnext Engineer) | ✓ | ✓ | ||||||||||
Write files (OPC UA file transfer must be enabled via PLCnext Engineer) | ✓ | ✓ | ||||||||||
Update firmware on the controller | ✓ | ✓ | ||||||||||
Device and Update Management (DaUM) | Update firmware, software and projects | ✓ |