Web-based Management 2:
Security - User management
Valid from firmware release 2025.0 - for earlier firmware see WBM User Authentication
By default, on a PLCnext Control only a single user is configured and assigned to the Admin user role.
Of course, other users and user roles need to be assigned, once the controller is put into production, which is done by means of the User management WBM 2 page. The procedure is designed to be mostly selfexplanatory: By clicking the 
icon, you'll be led through a step-by-step configuration.
Please note the guidelines in our PLCnext Technology ‑ Security Info Center.For developing secure-by-design, IEC 62443‑2 compliant applications with PLCnext Technology, get a good grasp of the concepts used in the Security context.
Existing user roles and their permissions
User roles on Web‑based Management 2 pages
In addition, some WBM 2 pages could have been deactivated by settings in the System Services WBM 2 page.
| WBM 2 pages | Page and tab access: | User role | |||||||||||
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
|||
| Overview | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Device section | General Data | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Diagnostics section | PROFINET [r] read-only access |
Other tabs | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| NetNames | ✓ | ✓ | ✓ | [r] | [r] | ✓ | ✓ | ✓ | [r] | [r] | [r] | ||
| Notifications | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Axioline | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| INTERBUS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Configuration section | Network [r] read-only access [r/s] read access and reset statstics |
IP configuration | ✓ | ✓ | [r/s] | [r/s] | [r/s] | [r/s] | |||||
| Netload limiter | ✓ | ✓ | [r/s] | [r] | [r] | ||||||||
| Date and Time | ✓ | ✓ | |||||||||||
| PLCnext Store | ✓ | ✓ | |||||||||||
| Proficloud | ✓ | ✓ | |||||||||||
| SPLC | ✓ | ✓ | ✓ | ✓ | |||||||||
| Fan Control | ✓ | ✓ | |||||||||||
| Web Services | ✓ | ✓ | |||||||||||
| Security section |
SD card | ✓ | ✓ | ||||||||||
| Firewall | ✓ | ✓ | |||||||||||
| Syslog | ✓ | ✓ | |||||||||||
| Project integrity [r] read-only access |
✓ | ✓ | [r] | ||||||||||
| Certificate management | ✓ | ✓ | ✓ | ||||||||||
| User management | ✓ | ✓ | ✓ | ||||||||||
| User policies | ✓ | ✓ | |||||||||||
| LDAP configuration | ✓ | ✓ | ✓ | ||||||||||
| Security Profile | ✓ | ✓ | |||||||||||
| System section |
Device maintenance [c] can only change the user password [nr] cannot reboot oder reset the device |
✓ | ✓ | ✓ | [c] | [c] | [nr] | [nr] | [nr] | [c] | [c] | [c] | |
| App management | ✓ | ✓ | ✓ | ||||||||||
| System services | ✓ | ✓ | |||||||||||
| Backup & restore | ✓ | ✓ | |||||||||||
| License management | ✓ | ✓ | |||||||||||
| Update | ✓ | ✓ | |||||||||||
Known issue
Known for firmware 2025.0 on AXC F x152 , RFC 4072S, and BPC 9102S
With firmware 2025.0, the user role SecurityAdmin has been renamed to SecurityEngineer but the permissions stayed the same. With this release, a minor issue is present: The SecurityEngineer user role must be used together with the Admin user role. This will be rectified in the next firmware release.
User roles in other context
PLCnext Engineer
Note: User roles that are not mentioned in a table do not have any access permission in the mentioned features in PLCnext Engineer.
| PLCnext Engineer | Access permission for: | User role | ||||||||||
|
 |
|
|
|
|
|
|
 |
 |
 |
||
| PLCnext Engineer user interface |
View values in the cockpit (e.g., utilization) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Transfer a project to the controller | ✓ | ✓ | ✓ | |||||||||
| Start (cold/warm restart) or stop the controller | ✓ | ✓ | ✓ | ✓ | ||||||||
| Restart the controller (reboot) | ✓ | |||||||||||
| Reset the controller to default setting type 1 | ✓ | |||||||||||
| View online variable values | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Overwrite variables | ✓ | ✓ | ✓ | |||||||||
| Set and delete breakpoints | ✓ | ✓ | ✓ | |||||||||
| Download safety-related programs to the controller | ✓ | ✓ [4] |
✓ [5] |
|||||||||
| Start or stop safety-related programs | ✓ | ✓ [4] |
✓ [5] |
|||||||||
| Debug safety-related programs | ✓ | ✓ [4] |
✓ [5] |
|||||||||
| PLCnext Engineer HMI application |
View online variable values | ✓ | ✓ | ✓ | ✓ | |||||||
| Overwrite variables | ✓ | ✓ | ||||||||||
- As of firmware 2023.0 LTS, safety permissions for the Engineer user role are always enabled. As of the firmware 2023.0.1 LTS hotfix: if the Security Profile is enabled, safety permissions for the Engineer user role are disabled. If needed, use the SafetyEngineer user role in addition. See detailed description of combined safety user roles.
- Do not use this user role alone. This role is designed for use as an add-on to other user roles, e.g. Engineer. See detailed description of combined safety user roles.
Applications and services
Note: User roles that are not mentioned in a table do not have any access permission in the mentioned applications and services.
| Application or service |
Access permission for: | User role | ||||||||||
|
|
|
|
|
|
|
 |
 |
 |
 |
||
| SD card, parameterization memory |
SFTP access to the file system with an SFTP client [6] |
✓ | ||||||||||
| Shell | SSH access to the shell [6] |
✓ | ||||||||||
| By means of dedicated tools | Update safety-related firmware on the controller | ✓ | ✓ | |||||||||
| OPC UA® access by means of a client application | View online variable values | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| Overwrite variables | ✓ | ✓ | ✓ | ✓ | ||||||||
| Read files (OPC UA file transfer must be enabled via PLCnext Engineer) |
✓ | ✓ | ||||||||||
| Write files (OPC UA file transfer must be enabled via PLCnext Engineer) |
✓ | ✓ | ||||||||||
| Update firmware on the controller | ✓ | ✓ | ||||||||||
| Device and Update Management (DaUM) | Update firmware, software and projects | ✓ | ||||||||||