application example 03/2016 data storage on … example 03/2016 data storage on windows server or...

https://support.industry.siemens.com/cs/ww/en/view/92346478

Application Example 03/2016

Data Storage on Windows Server or NAS Hard Drives SIMATIC HMI Comfort Panels, Sharing of Network Drives and Folders


Warranty and Liability

Server and Fileserver Access Entry ID: 92346478, V1.0, 03/2016 2

S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

Warranty and Liability

Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security informa-tion

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.

Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer’s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/industrialsecurity.

http://www.siemens.com/industrialsecurity



Table of Contents


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

Table of Contents Warranty and Liability ................................................................................................. 2

1 Data Storage on a Windows Server Operating System and File Server (NAS) ....................................................................................................... 4

2 User Administration and Shares ...................................................................... 5

2.1 Concept for folders, folder shares and user rights ............................... 5 2.2 Example................................................................................................ 6 2.3 Creating groups and users ................................................................... 7 2.4 Checking and revising groups/users .................................................. 12 2.5 Sharing folders ................................................................................... 14 2.6 Required settings for folder security ................................................... 20

3 User Log-on to the Panel ................................................................................ 27

3.1 Background information ..................................................................... 27 3.2 Log-on and path information .............................................................. 28 3.2.1 Storing log-on data on the panel ........................................................ 28 3.2.2 Manually calling the log-on dialog ...................................................... 29 3.2.3 System function to reboot the panel ................................................... 29 3.2.4 Configuration: Opening an EXCEL/WORD file via a network ............ 30 3.2.5 Configuration: Specifying the archive path......................................... 31 3.3 Typical questions on the topic “Log-on to the panel” ......................... 32

4 Links & Literature ............................................................................................ 33

5 History............................................................................................................... 33

1 Data Storage on a Windows Server Operating System and File Server (NAS)


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

1 Data Storage on a Windows Server Operating System and File Server (NAS)

Network access from the panel to a higher-level file folder The principle of network access to a file folder is very similar for a Windows Server operating system, an NAS hard drive1 or a Windows 7 operating system. The syntax for accessing a folder is as follows: \\ComputerName\ShareName

Note All settings (incl. figures) have been made on a Windows 7 operating system. However, they can also be applied to other operating systems without difficulties.

Contents of the following chapters In the following chapters, the following will be described in detail: • Windows 7 operating system

– sharing folders – reading computer names – creating or editing a share name – security settings

• settings required on the panel Figure 1-1

1 NAS hard drive (Network Attached Storage, i. e. a memory integrated into the network) An NAS station basically consists of one or several hard drives. You can create folder or network shares via an integrated proprietary operating system, mostly with a web-based user interface. The shares can be accessed via the network.

2 User Administration and Shares 2.1 Concept for folders, folder shares and user rights


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

2 User Administration and Shares 2.1 Concept for folders, folder shares and user rights

Create a concept before sharing folders or assigning access rights. Your concept should include the following: • Folder structure

– Which folders shall be accessed from the panel? – Where might be stored sensitive data? – Are there any overlaps?

• List of all users – Which users exist? – Which users have access to the data of the higher-level file system via the

panel? • Defining access permissions

– Which users can be assigned to “Groups”? (User groups all having the same permissions). Advantage: Later, you don’t have to assign a permission to each individual user,

but also to a single group. New users can be quickly assigned to or removed from a group. You can assign a user to different groups and thus assign different

access rights to this user.

NOTICE • You need administrative rights for making changes. • Make sure that administrative rights are assigned only to those users who

actually need them. • Be especially careful when editing your own “account” (user). Otherwise, it

might happen that afterwards you cannot access your system anymore. • Changes to the user management might result in extensive damage due to

“data misuse by unauthorized persons”. Please observe the security recommendations. For more information about Industrial Security, visit http://www.siemens.com/industrialsecurity.

https://www.industry.siemens.com/topics/global/de/industrial-security/Seiten/default.aspx

2 User Administration and Shares 2.2 Example


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

2.2 Example

The following example shows what a request may look like in practice. For this, possible access restrictions and shares are shown.

Starting point There are three file folders which can be accessed via the network. Main folder: Root directory of the drive (Data (D:)) Subfolder 1: 00_ProductionLine_01 Subfolder 2: 00_Machine_01 File folders: 01_ProductionData 02_MachineDocuments 03_OperatingManuals Figure 2-1

The file folders are to be provided with different user rights. Thus, e. g. only the operation manager shall have access to the “01_ProductionData” folder.

Overview of user rights Table 2-1

Folder name User 1 Operation manager

User 2 Maintenance

personnel

User 3 Operator

01_ProductionData yes no no 02_MachineDocuments yes yes no 03_OperatingManuals yes yes yes

(read only)

2 User Administration and Shares 2.3 Creating groups and users


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

2.3 Creating groups and users

Calling the users and groups management Table 2-2

No. Action

1. Calling the Computer Management • In the toolbar, click

“Windows Start button > Control Panel”. • Select “Large icons” (1) as view. • Click on “Administrative Tools” (2).

2. “Administrative Tools” view

• Use the “Administrative Tools” view to call the “Computer Management”.

1

2



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

3. “Computer Management” view • Select the “Local Users and Groups” menu.

In the menu, you will find the folders “Users” and “Groups”. In the folders, all stored users and groups are listed.

Creating a new user Table 2-3

No. Action

1. Creating a new user • Right-click on the “Users” folder. • In the context menu, click on “New User...”.



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

2. “New User” window • Enter a new user name into the “User name:” field and fill in the remaining

fields. – In this example:

User name: User01 Password: 111

• Then click “Create”. The new user is created.

• To create another user, enter a new user name into the “User name:” field. • Once you have created all users, close the dialog with the “Close” button.



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

Creating a new group Table 2-4

No. Action

1. Creating new groups • Right-click on the “Groups” folder. • In the context menu, click on “New Group...”.

2. • In the “New Group” window, enter a group name into the “Group name:”

field. – Then click the “Add...” button (1).

• In the “Select Users” window, click on “Advanced...” (2). • In the next window, click on “Find Now” (3).

– In the “Search results:” list, left-click the user you want to assign to this group. In this example, it is “User01”. (You can select several users at the same time by keeping the “Ctrl” key pressed.)

– Confirm the entry with “OK”.

• To assign further users to this group, click “Advanced...” (2) in the “Select Users” window again. To complete the entry, click “OK”.

• In the “New Group” window, all previously assigned users of the group are displayed in the “Members:” field (4). Click the “Create” button (5) to create the new group.

1

2 3

4

5



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

3. Creating further groups To create another group, repeat sections 1 and 2. In the example, a total of three groups has been created. • Operation manager • Maintenance personnel • Operators

2 User Administration and Shares 2.4 Checking and revising groups/users


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

2.4 Checking and revising groups/users

The following example shows how to check and revise settings for the groups/users. Table 2-5

No. Action

1. Users Right-click on a user. Via the context menu, you can call/modify different functions such as the password or properties of the user. Via the “Member Of” tab, you can e. g. check to which group(s) the user is assigned. Moreover, via this tab, you can also assign another group to this user. To do this, click the “Add...” button. Note “User02” is assigned to the “Maintenance personnel” group and to the “Users” group. Usually, the “Users” group is added automatically by the operating system. This has to be taken into consideration for the folder menu “Security” (see chapter 2.6).

2 User Administration and Shares 2.4 Checking and revising groups/users


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

2. Groups Right-click on a group. Via the context menu, you can perform different functions and call/modify properties of the group. Via the “Properties” menu, you can e. g. check which user is assigned to this group. Moreover, via this menu, you can also assign further users to this group. To do this, click the “Add...” button. To close the window, click “OK”.

2 User Administration and Shares 2.5 Sharing folders


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

2.5 Sharing folders

Introduction To access a folder of a PC via a network, this folder needs a “share”. For this, it is irrelevant on which “drive” the folder to be shared is stored or whether it is stored in one or several “subfolders”. If the folder to be shared contains e. g. further subfolders or data, these will be shared as well. Example: D:Folder 1 Folder 1.1 Folder 1.2 Folder 1.3 If you want to create a share for “Folder 1.1”, you will also be able to access “Folder 1.2” and “Folder 1.3” as well as the contents of these folders. Table 2-6

No. Action

1. Opening the properties of the folder Select the file folder you want to share and open the properties of the folder.



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

2. Sharing • Open the “Sharing” tab (1).

Currently, the network path is not shared (2). • Click the “Advanced Sharing…” button (3).

3. Sharing folders

• Check the “Share this folder" option (1). • By default, the name of the selected folder is preselected as share name.

You can keep the name or change it. This will not change the name of the folder (2).

• Specify the number of users who may access the folder simultaneously. In this example: 2

• Click the “Permissions” button.

1

2

1

2

3



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

4. Permissions (existing permission) By default, a user or group is specified in the “Group or user names:” field. In this example, it is the group “Everyone”. You can check the users assigned to this group via the Computer Management (see chapter 2.4). If you do not need the group, you can e. g. set the permissions from “Allow” to “Deny”. Alternatively, you can remove the group using the “Remove” button.

5. Adding permissions

In the example, the group “Everyone” is not required and therefore is deleted. • Select the “Everyone” group and click the “Remove” button. • Then click the “Add…” button.



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

6. • In the “Select Users or Groups” window, click on “Advanced...” (1).

• In the next window, click on “Find Now” (2).

7. Selecting a user / group

• In the “Search results:” list, all stored groups and users are listed. Select the

group to which you want to assign the permission for the folder. In this example, it is the group “Operation manager”.

• Confirm the entry with “OK”.

1

2



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

8. View of the selected “Group” • To add another group, click the “Advanced...” button and repeat step 7. • To complete the process, click "OK".

9. Assigning permissions

In the “Group or User names:” field, all groups/users selected by you are listed. • Select a “group” and assign the corresponding permissions. • Complete the entry with “OK”. Note You can assign different permissions to each “group”.

1



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

10. Complete view of the “Network Path” View of the network path shared. In this case, the complete share name is: \\HH-PC\01_ProductionData Thus, the settings for the folder share are completed. The settings on the “Security” tab are following next. Note As described at the beginning, the name of the network path does not contain any “drive letter” or name of a “subfolder”.

11. Modifying/extending the permissions

Subsequently, you can add further “groups/users” and edit or delete “permissions” already existing. To do this, call the menus as described before.

Note In the “Windows folder”, subsequently check the settings under the “Security” menu item. To do this, refer to chapter 2.6.

2 User Administration and Shares 2.6 Required settings for folder security


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

2.6 Required settings for folder security

Introduction The previous chapter described the settings required to share a file folder. The settings made there refer to network security. In this chapter, however, the settings for the local permission on the PC are described. For a file folder, the corresponding settings are made in the “Security” menu item. All users stored on the “Security” tab may access this local folder as well as the files contained. Users may only access a “shared folder”, if they are provided with the corresponding permission on the “Security” tab.

Procedure of accessing the shared folder For network access to the shared folder, the security mechanisms configured under “Sharing” and “Security” come into effect. First, the permission set on the “Sharing” tab is checked. Then, the local permissions set on the “Security” tab are checked. Example: On the “Sharing” tab, the “Full control” permission has been assigned to a user. If no permissions have been assigned to this user on the “Security” tab, the user may not access the folder.

Note The “local” permission is decisive for accessing the folder!



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

Basic information on “Group or user names:” The figure below shows the “Security” tab of a file folder. In the “Group or user names:” field, different users/groups are specified automatically by the system (1). Figure 2-2

What does this mean with regard to security? Due to the listed group “Authenticated Users”, all logged on users of the PC have access to this folder. Due to the listed group “Users”, all logged on users of the PC usually have access to this folder as well. Background: When creating a new user via the “Computer Management” (see chapter 2.3) the operating system automatically assigns the new user to the group “Users”. Which options are available to ensure that only specified users have access to this folder? 1. Computer Management

– In the Computer Management, you can control the properties of the groups listed here and remove e. g. from this group all users not belonging to this group.

2. Creating new group or user names – The easiest way is to remove the groups specified by the system and to

assign your own groups to the folder. Advantage: The default settings in the Computer Management will not be changed. Thus, you always have the possibility to go back to the “old” status (e. g. if you create a new folder, this folder will always have the default settings specified by the system).

In the following chapter, a “2nd method” will be described in detail.

1



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

Creating a new group assignment Table 2-7

No. Action

1. Opening the properties of the folder Select the file folder for which you want to adjust the group assignment. For this purpose, open the properties of the folder.

2. “Security” tab

• Open the “Security” tab (1). • Then click the “Advanced…” button (2).

1

2



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

3. Advanced Security Settings • Click the “Change Permissions...” button.

4.

• Uncheck the “Include inheritable permissions from this object’s parent” option by clicking on the selected option (1). A security message will be displayed. Please read the message.

• Click the “Remove” button (2).

2

1



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

5. • Now, there are no entries left in the “Permission entries:” field. Click the “Add...” button to add a new permission.

Note In this example, the option “Replace all child object permissions with inheritable permissions from this object” is checked (1).

6. Selecting a group

• In the “Select User or Group” window, click “Advanced...” (1). • In the next window, click “Find Now” and select the desired group in the

“Search results:” field (2). Confirm the entry with “OK”. • After confirmation, the previous screen is displayed again. To add another

group, click the “Advanced...” button again. To complete the process, click "OK".

1

1

2



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

7. Setting permissions Via this window, you can now set the individual permissions in detail. In this case, the assigned group “Operation manager” has full access to the folder. Confirm the entry with “OK”.



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

No. Action

8. In the “Permission entries:” field, the previously selected “groups” are displayed. • To add another group, click the “Add...” button again. To complete the

process, click "OK". • Click “OK” to close the windows that are still open. Note In this example, the “Administrator” group has been added additionally.

9. View of the folder properties

The figure shows the modified settings in the “Group or user names:” field. (left: before right: after) Thus, the settings regarding “Security” are completed.

3 User Log-on to the Panel 3.1 Background information


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

3 User Log-on to the Panel 3.1 Background information

Log-on for access to network shares The previous chapters describe how to share a folder in the network with different user rights. To access one of these network shares from the panel, a log-on via the panel is required. For this, the panel provides an operating system function.

Operating system function for log-on to the network There are several options to log on to the network. • If e. g. archiving is done via the network, a log-on screen will be displayed

automatically after starting Runtime. • When opening a file via the network for the first time, a log-on screen is

displayed automatically. • You can store the log-on information in the Device settings of the panel. Thus,

you do not have to fill in the log-on dialog again each time you are switching on the panel.

• You can call the log-on dialog directly from the Runtime using a system function.

Please observe that only one user can be specified for the network shares. If several network shares are used, this user must have permissions for all network shares. For related information, please refer to 3.2.1.

User management of the panel The user management of the panel is independent of the “network shares”. Both functions have to be considered independently of each other. By means of the panel’s user management, you can influence the access to functions of the panel or the way a button is operated.

3 User Log-on to the Panel 3.2 Log-on and path information


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

3.2 Log-on and path information

3.2.1 Storing log-on data on the panel

When should you store users’ log-on data on the panel?

• If you have specified e. g. a network drive as archive path, the user data have to be stored before starting archiving. If this is not the case, archiving will not be started.

• If you do not want to enter the log-on data time and time again after switching on the power supply.

View of the menu item to store log-on data on the panel • Call the Device settings of the panel. • Click the “Network ID” icon. • Enter the log-on data in the window. • Confirm the entry with “OK”. Figure 3-1

To ensure that the changes made will become effective on the panel, you have to carry out a “reboot” of the panel after having entered the user data. Under the menu item “OP > Device”, click the “Reboot” button to restart the panel. Figure 3-2



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

3.2.2 Manually calling the log-on dialog

If the log-on data are not stored on the panel, the panel automatically displays a log-on dialog, if you try e. g. to access a network drive. If you e. g. close the log-on dialog unintentionally without completing your entry, you can call the log-on dialog manually using a system function. View of the log-on dialog on the panel Figure 3-3

Configuration: Manually calling the log-on dialog To do so, configure a button. You can call the log-on dialog directly from the Runtime of the operator panel using the system function “StartProgram”. Configuration view Figure 3-4

Program parameters Program name: CTLPNL.exe Program parameters: cplmain.cpl,2

3.2.3 System function to reboot the panel

If you have specified e. g. a network drive as archive path, the user data have to be stored before starting the Panel Runtime. If this is not the case, a log-on dialog will be displayed automatically. To ensure that archiving may start after successful log-on, a restart (reboot) of the panel is required.



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

To do so, configure a button. Using the system function “StartProgram”, you can call the “OP Properties” directly from the Runtime of the operator panel by means of the “op_apl.cpl” program parameter and execute the “Reboot” function on the “Device” tab. Configuration view Figure 3-5

Program parameters Program name: CTLPNL.exe Program parameters: op_apl.cpl

3.2.4 Configuration: Opening an EXCEL/WORD file via a network

The Comfort Panels are provided with an integrated EXCEL/WORD Viewer. By means of the Viewer, you can view Word documents created e. g. with WORD 2010 via the panel. To ensure that only authorized persons can access the document, protect the function call e. g. via the property of the “Security” button (user management of the panel). You can call the EXCEL/WORD Viewer directly from the Runtime of the operator panel using the system function “StartProgram”. Configuration view Figure 3-6

Program parameters Program name: \\ComputerName\ShareName\NameFile.docx \\hh-pc\01_ProductionData\01_PData.docx



S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

3.2.5 Configuration: Specifying the archive path

If you want to specify a network drive for archiving, the archive path is composed as follows:

\\ComputerName\ShareName In reference to the example:

\\hh-pc\02_MachineDocuments Figure 3-7

3 User Log-on to the Panel 3.3 Typical questions on the topic “Log-on to the panel”


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

3.3 Typical questions on the topic “Log-on to the panel”

When are the user data stored on the panel? When logging on to the panel for the first time, the user data are immediately stored on the panel without any “reboot” of the panel. How do I delete an existing user? It is not possible to delete a logged-on user directly via a system function. The current user can be overwritten by entering a new user. Afterwards, it is necessary to “reboot” the panel. How do I delete the existing password? It is not possible to delete a password via a system function. The current password can be overwritten by entering a new (invalid) password. Afterwards, it is necessary to “reboot” the panel. What happens after switching off the power supply? The user data are stored in a network failsafe way. How do I implement different network shares? If there are different network shares, the logged-on user must have the user rights for all network shares. Alternatively, you can enter new user data and “reboot” the panel. When does a user have to log on to the panel for network shares? Whenever user rights are stored in the network drive, prior log-on to the panel is required. What happens to the log-on data after a project download? You want to open an Excel file as described in chapter 3.2.4 (“Configuration: Opening an EXCEL/WORD file via a network“). If the log-on data are stored in the Control Panel of the panel, the data will remain even after a project download (see chapter 3.2.1). If you enter log-on data via the “automatic log-on dialog”, the data have to be entered again after a project download.

4 Links & Literature


S

iem

ens

AG 2

016

All r

ight

s re

serv

ed

4 Links & Literature Table 4-1

Topic Title

\1\ Siemens Industry Online Support

http://support.industry.siemens.com

\2\ Download page of the entry


\3\ FAQ How can certain entries of the Control Panel be started directly on a Comfort Panel from the Runtime of the operator panel? https://support.industry.siemens.com/cs/ww/de/view/59885461

5 History Table 5-1

Version Date Modifications

V1.0 03/2016 First version

http://support.industry.siemens.com/


https://support.industry.siemens.com/cs/ww/de/view/59885461