Authorization levels

The following five authorization levels are available by default:

  1. Visualization: only visualization allowed.
  2. Normal operator authorization: permits the opening of child panels.

Bit 2 has no effect on its own. A user needs at least bit 1 in order to visualize panels and to open child panels through bit 2.

  3. Advanced operator authorization: permits execution of commands, explicit setting of replacement values, input of correction values as well as changes to all value range types.
  4. Administration: permits the use of the PARA.
  5. Acknowledgement: permits acknowledgment of alerts.

Bit 32 enables the Single Sign On feature (SSO) for a workstation. Note that bit 32 is only needed for SSO at workstation level, not at user level. For more information, see chapter login, basics.

Note: For users with an administrative role in the system, bit 32 (SSO) should not be set.
Figure 1. Authorization levels
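
The two constraints stated above (bit 2 is useless without bit 1, and bit 32 should not be set for administrative users) can be checked over an export of account permissions. The following is an added example, not WinCC OA code: the account names and their bit lists are constructed, bits are numbered as on this page, and treating bit 4 as the marker of an administrative role is an assumption. It also lists which accounts hold a given level, which is the set of users able to change a config assigned that level.

```python
# Added example: audit authorization-bit assignments against rules stated on this page.
# Bit numbers follow the page (1..5 predefined levels, 32 = SSO).
VISUALIZATION, NORMAL_OPERATOR, ADVANCED_OPERATOR = 1, 2, 3
ADMINISTRATION, ACKNOWLEDGEMENT = 4, 5
SSO = 32

def audit_account(name, bits):
    """Return the findings for one account's set of authorization bits."""
    bits = set(bits)
    findings = []
    # Page rule: bit 2 does nothing unless bit 1 is also set.
    if NORMAL_OPERATOR in bits and VISUALIZATION not in bits:
        findings.append(f"{name}: bit 2 set without bit 1, so bit 2 has no effect")
    # Page rule: administrative users should not have the SSO bit.
    # Assumption: bit 4 (Administration) identifies an administrative role.
    if ADMINISTRATION in bits and SSO in bits:
        findings.append(f"{name}: administration (bit 4) combined with SSO (bit 32)")
    return findings

def audit(accounts):
    """Audit every account; results are ordered by account name."""
    findings = []
    for name in sorted(accounts):
        findings.extend(audit_account(name, accounts[name]))
    return findings

def accounts_with_level(accounts, level):
    """Accounts holding a level, i.e. those able to change a config assigned to it."""
    return sorted(name for name, bits in accounts.items() if level in set(bits))

# Constructed sample data: account name -> authorization bits that are set.
SAMPLE_ACCOUNTS = {
    "operator1": [1, 2, 5],
    "kiosk": [2],
    "ws-controlroom": [1, 32],
    "admin-sso": [1, 2, 3, 4, 5, 32],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
    # Who could change a config (e.g. _alert_hdl) that is assigned level 5?
    print("level 5:", accounts_with_level(SAMPLE_ACCOUNTS, ACKNOWLEDGEMENT))
```
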

You can define further authorization levels in addition to the standard levels in the above panel. The entries are transferred to the User Management panel by clicking on OK.

The authorization levels are used throughout WinCC OA. The levels can be used, for example, in the panel topology, for system authorizations, for data point configs and in the getUserPermission() function.

In the panel topology, users who have, for example, the visualization authorization can open panels that users without this authorization cannot. In the same way, you can set other authorization levels.

The system authorizations allow defining different authorization levels for different actions such as creating, changing or deleting data point types. This means that only the users that have the rights for the set authorization level can create, change or delete data point types. See chapter system authorizations for more information.

The authorization levels can also be defined for the data point configs. This means that you assign a level to a config and only the users with the authorization for this level can change this config.

If, for example, authorization level 5 is set for the _alert_hdl config, only users with authorization level 5 can change the _alert_hdl config. See chapter _auth (Authorization) for more information.

The control function getUserPermission() allows checking the user rights. You can, for example, check if a specific user has a specific authorization level and open a panel only if the user has the required level. The control function getUserPermissionForArea() checks if the user has the authorization for a specific authorization level of a specific area.

You can never change the functionality of the 5 predefined authorization levels or their authorization bits. You can, however, change the text (description) of these levels.