PLCnext roles and rights list

User roles and their assigned access permissions in the various applications

The following overview shows the user roles implemented in the firmware and their access permission for different purposes. Some user roles have been introduced only with recent firmware updates.

Note: User roles that are not mentioned in a table do not have any access permission in the regarding context. 

Web-based Management 2 (WBM 2)

Note: Visibility of WBM 2 pages depends on the device and firmware release in use.
In addition, some WBM 2 pages could have been deactivated by settings in the System Services WBM 2 page.
WBM 2 pages Access permission for: User role
Admin SecurityEngineer SecurityAuditor CertificateManager UserManager Engineer Commissioner Service DataViewer DataChanger Viewer
Information or Overview section General Data
Network configuration    
Cockpit
[1]

[1]

[2]

[2]

[2]

[1]

[1]

[1]
Diagnostics section PROFINET
Local Bus
Notifications
Integrated UPS
Configuration section Network -
LAN Interfaces tab

read-
only
   
read-
only

read-
only

read-only
     
Network -
Netload Limiter tab

read-
only
   
read, reset

read, reset
     
Date and Time [3]
read-
only

read-
only

read-
only

read-
only

read-
only

read-
only

read-
only

read-
only

read-
only
System Services                  
PLCnext Store                  
Proficloud 
(legacy platform)
                   
Proficloud Services
(V3 platform)
                 
SPLC              
Fan Control                  
Web Services                  
Security
section
Security Profile                  
User Authentication                
LDAP configuration                
Firewall                  
SD Card                  
Certificate Authentication                
Syslog Configuration                  
System
section
Firmware Update                  
PLCnext Apps [4]                
License Management                  
  1. These user roles can only change the user password.
  2. These user roles cannot reboot or reset.
  3. These user roles can access the Date and Time page with "read-only" rights:
    1. FileReader
    2. FileWriter
    3. EHmiLevel1 to EHMILevel10
    4. EHmiViewer
    5. EHmiChanger
    6. SoftwareUpdate
    7. SafetyEngineer
    8. SafetyFirmwareUpdater
  4. This WBM 2 page can be inaccessible if the App Manager has been deactivated in the System → System services WBM 2 page.

PLCnext Engineer

All roles not reported in this table do not have access permissions for features in PLCnext Engineer.

PLCnext Engineer Access permission for: User role
Admin SecurityEngineer CertificateManager UserManager Engineer Commissioner Service DataViewer DataChanger Viewer EHmiViewer EHmiChanger SafetyEngineer
PLCnext Engineer 
user interface
View values in the cockpit (e.g., utilization)      
Transfer a project to the controller                    
Start (cold/warm restart) or stop the controller                  
Restart the controller (reboot)                        
Reset the controller to default setting type 1                        
View online variable values            
Overwrite variables                    
Set and delete breakpoints                    
Download safety-related programs to the controller      
[5]
             
[6]
Start or stop safety-related programs      
[5]
             
[6]
Debug safety-related programs       
[5]
             
[6]
PLCnext Engineer
HMI application
View online variable values                  
Overwrite variables                      
  1. As of firmware 2023.0 LTS, safety permissions for the Engineer user role are always enabled. As of the firmware 2023.0.1 LTS hotfix: if the Security Profile is enabled, safety permissions for the Engineer user role are disabled. If needed, use the SafetyEngineer user role in addition. See detailed description of combined safety user roles.
  2. Do not use this user role alone. This role is designed for use as an add-on to other user roles, e.g. Engineer. See detailed description of combined safety user roles.

Applications and services

All unreported roles in this table do not have access permissions for the mentioned applications and services.

Note: Additional roles may be necessary, e.g. for use with the Device and Update Management.
Application or
service
Access permission for: User role
Admin SecurityEngineer Engineer Service DataViewer DataChanger Viewer FileReader FileWriter SoftwareUpdate SafetyUpdater
SD card,
parameterization memory
SFTP access to the file system with an SFTP client
[7]
                   
Shell SSH access to the shell
[7]
                   
By means of dedicated tools Update safety-related firmware on the controller                  
OPC UA® access by means of a client application View online variable values        
Overwrite variables              
Read files
(OPC UA file transfer must be enabled via PLCnext Engineer)
                 
Write files
(OPC UA file transfer must be enabled via PLCnext Engineer)
                 
Update firmware on the controller                  
Device and Update Management (DaUM) Update firmware, software and projects                    
  1. Authentication with a user name and password is always required for SSH or SFTP access, even if user authentication is disabled.

 

 


• Published/reviewed: 2025-06-27 • Revision 018 •