L03 ApplyingIntegratedArchitecture
L03 ApplyingIntegratedArchitecture
L03 ApplyingIntegratedArchitecture
properly using, calibrating, operating, monitoring and maintaining all Products consistent with all Rockwell Automation
or third-party provided instructions, warnings, recommendations and documentation;
ensuring that only properly trained personnel use, operate and maintain the Products at all times;
staying informed of all Product updates and alerts and implementing all updates and fixes; and
all other factors affecting the Products that are outside of the direct control of Rockwell Automation.
Reproduction of the contents of the Documentation, in whole or in part, without written permission of Rockwell Automation is
prohibited.
Throughout this manual we use the following notes to make you aware of safety considerations:
Identifies information about practices or circumstances
that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.
Identifies information that is critical for successful application and understanding of the product.
Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you:
identify a hazard
avoid a hazard
recognize the consequence
Labels may be located on or inside the drive to alert people that dangerous voltage may be present.
Labels may be located on or inside the drive to alert people that surfaces may be dangerous temperatures.
Contents
Before you begin ........................................................................................................................................... 5
About this lab .................................................................................................................................................................................... 5
Other Automation Fair Labs with Application Specific Security Content ........................................................................................... 5
FactoryTalk Users for Lab................................................................................................................................................................. 5
Tools & Prerequisites ........................................................................................................................................................................ 5
Deploy Initial Logix Designer Project to Controller ....................................................................................... 7
Section 1: Securing RSLogix5000 Projects and Controllers ....................................................................... 11
Bind Logix Designer Project to FactoryTalk Directory .................................................................................................................... 11
Bind Physical Controller Resource to FactoryTalk Security Server ................................................................................................ 18
Manage the Unique Identification Value in FactoryTalk (GUID) ..................................................................................................... 21
Generate a New FactoryTalk Security Authority Identifier .............................................................................................................. 26
Restore a FactoryTalk Security Authority Identification Value ........................................................................................................ 28
Section 2: FactoryTalk View SE Security.................................................................................................... 30
FactoryTalk View SE Application Level Security ............................................................................................................................ 30
FactoryTalk View SE Feature Security ........................................................................................................................................... 36
FactoryTalk View SE Security at Runtime ...................................................................................................................................... 51
Section 3: Securing Controller Data and Data Access ............................................................................... 59
Data Access Control ....................................................................................................................................................................... 59
External Access .............................................................................................................................................................................. 63
Constants ........................................................................................................................................................................................ 69
Section 4: Protecting Logix Designer Source Code .................................................................................... 82
About Logix Designer Source Protection ........................................................................................................................................ 82
Configuring Source Protection on a Logix Designer Application File .............................................................................................. 83
Viewing and editing protected routines ........................................................................................................................................... 92
Instruction Signature ....................................................................................................................................................................... 94
Generating a Signature ................................................................................................................................................................... 95
3 of 130
4 of 130
L11 FactoryTalk View Machine Edition and PanelView Plus: Introductory Lab
Password
rockwell
rockwell
rockwell
rockwell
rockwell
rockwell
Group Membership
Administrators
No Access
Engineers
Maintenance
Operators
Supervisors
5 of 130
6 of 130
2. You will be asked to Log On to FactoryTalk; at this point we are going to login as the FTAdmin user.
Logon Credentials
User: ftadmin
Password: rockwell
7 of 130
4. Click the button that says Download to download this application to the controller
Quick Tip: Take notice that the area boxed in blue. This indicates to us that the controller currently is not
secured. We will review later what it looks like when the controller is secured.
5. Once the application has successfully downloaded, it should ask you to return the controller to
Remote Run. Click Yes
8 of 130
Note: If you dont get the prompt you can set the controller to Run from the controller menu in Logix
Designer.
9 of 130
8. Click the button that says, Set Date, Time, and Zone from Workstation (Circled in Red below).
10 of 130
Design Note: Security binding is on a resource basis. You must enable each project in your system to
communicate with the FactoryTalk directory security model, then link the resource in the FactoryTalk
Directory using the steps below.
11 of 130
Why is the Security Authority field Non-Editable by Default: Since resource security does restrict access
to automation resources, the ability to apply it to Logix Designer projects is prevented at the FactoryTalk
Directory level by default. Users & Groups must be explicitly granted this feature security to enable the
functionality in Logix Designer.
3. Leaving Logix Designer open, open the FactoryTalk Administration Console by clicking on the icon
show below from the desktop:
12 of 130
Logon Credentials
User: ftadmin
Password: rockwell
6. Double click on Feature Security from the System Policies Product Policies RSLogix
5000 container. You will see the dialog shown below:
7. From the Feature Security property dialog open the Configure Security window by clicking on the
button in the Controller: Secure field (shown in the image above in blue).
13 of 130
8. Notice in the Securable Action dialog below that the only group with privileges to secure a controller is
our Engineers group. Therefore we need to login to Logix Designer as the engineer user.
9. Click Cancel on both open windows to close the security configuration windows.
10. Switch back over to Logix Designer.
11. From the Logix Designer Tools Security menu select Log On...
14 of 130
13. If you have the Controller Properties window open you will see that the Security Authority field
becomes editable once we login as the engineer user.
14. From the drop down menu select FactoryTalk Security (FTSEC-DEMO14) and click OK to apply this
change to the project after taking notice of the callouts below.
Design Tip: The Use only the selected Security Authority for Authentication and Authorization box requires
that the unique identification key (GUID) of the FactoryTalk Security server selected match the value
encrypted in this project. We will learn more about this value in the next section.
15 of 130
15. After clicking OK, applying the security configuration for this project, you will receive a dialog alerting
you that applying security will result in a loss of some privileges, acknowledge this warning by clicking
Yes.
16. From the Controller menu select Download, to download the application.
Note: If you were already online and made this change you will not need to re-download to the controller.
17. From the Download dialog take notice that the processor we are downloading to currently is not
security enabled, circled in blue below, and click Download.
16 of 130
18. Once the download completes, you will be asked to change the controller back to Remote Run, click
Yes to initialize the project.
button to apply our changes to the project. If prompted, click Yes to upload tag
Logon Credentials
User: denied
Password: rockwell
23. You should see the message window displayed below that informs the user they are not authorized to
open this project according to our security policy.
17 of 130
18 of 130
4. From the Logical name: field select newly created IF2_DEMO item from the drop down list and click
OK. This logical name was created by Logix Designer when we bound the project to FactoryTalk
Security.
Design Tip: Logical Names can be assigned like above or to a specific area, such as an HMI Area controller
and used for things like resource & action groups.
FactoryTalk uses these logical name assignments to link a resource on the network to the FactoryTalk
Directory.
We have now secured our directory, project, and physical controller resources.
5. From the Networks and Devices Workstation, FTSEC-DEMO14 AB_ETH-1 192.168.1.113
Backplane, right-click on the 1756-L75 LOGIX5575, IF2_DEMO resource and select Security
6. From the Security Settings windows select the Operators group from the top window, expand the
RSLogix5000 container and scroll down to the permission, Project: Download.
19 of 130
You will notice on our IF2_DEMO resource our Operators group does not have permission to
download to this controller.
7. Click Cancel to close the security dialog, and minimize the FactoryTalk Administration Console.
Logon Credentials
User: operator
Password: rockwell
20 of 130
3. From the Controller Status, notice that the Download option is greyed out, as we do not have
permission to download to the selected controller resource.
We have now successfully verified the security on the controller asset and Logix Designer project file.
2. From the Tools menu select the FactoryTalk Security Authority Identifier
21 of 130
3. From the Security Authority Identifier Window click on Backup to retain a copy of our current ID value.
4. From the backup window leave the name set to the default, but change the location of the backup file
to the Desktop (C:\Users\Labuser\Desktop) and click OK to create the backup.
WARNING: Prior to binding Logix Designer applications to a FactoryTalk Security server, you must backup
the FactoryTalk Directory, as we just did, to ensure you retain a copy of this ID value. In the event the
FactoryTalk Security and Directory server is lost, this ID value must be restored to access the bound
applications.
If you do not have a backup of the ID you bind to controller resources, there is no way to recover the ID and
go online with the secured controller.
22 of 130
5. Once the backup process completes, click OK in the success dialog, but leave the Security Authority
Identifier dialog open.
6. Looking back at Logix Designer select the Log On option from the Tools Security Menu.
Logon Credentials
User: engineer
Password: rockwell
23 of 130
9. From the Controller Properties window select the Security tab and check the box under the
Security Authority that says, Use only the selected Security Authority for Authentication and
Authorization. When complete, click OK to apply the changes.
By checking this box, you are telling the controller and Logix Designer application that it should ensure the
FactoryTalk GUID used to secure this project matches each time Logix Designer attempts to access the
application or controller. Without checking this box, the controller and Logix Designer are just ensuring that
the name of the security authority matches and the logical name exists in that directory.
10. From the Controller Status menu select Download, to download the application.
24 of 130
11. From the Download dialog take notice that our processor now indicates that it is indeed bound to our
security server, circled in blue below, and click Download.
12. Once the download completes, you will be asked to change the controller back to Remote Run, click
Yes to initialize the project.
button to apply our changes to the project, and click Yes if prompted to upload tag
25 of 130
4. You will next be asked to confirm this decision, take note of the very important warning message and
click Yes to continue.
5. After the action completes take note of the new ID value circled in blue below, then close the open
dialogs but leave the FactoryTalk Administration Console open.
26 of 130
Logon Credentials
User: engineer
Password: rockwell
8. You should see the below dialog indicating that the security ID of the FactoryTalk Security server
does not match the value in the controller project, therefore Logix Designer cannot open the project.
Design Tip: If we did not have the exclusive binding box checked in the controller property dialog and
change the unique ID of our FactoryTalk Security server, we would have been authorized to open this project
because the name of the FactoryTalk Security server remained the same. If the name of your FactoryTalk
Security server changes and you secured projects and controller resources in Logix Designer you will see
this same error when you try to open a secured project.
27 of 130
3. From the Restore dialog browse to our backup file located on the Desktop:
(C:\Users\Labuser\Desktop\Network 6739169-2578-4849-A.bak)
28 of 130
5. You may see the following dialog asking for a Passphrase to restore the directory. In our case we
checked the box earlier to encrypt the directory but did not enter a password, therefore you can click
OK on this dialog to proceed leaving the passphrase field blank.
6. In the Restore dialog select the radial button that says, Restore security authority identifier only to
only restore our Security Authority ID.
29 of 130
Logon Credentials
User: engineer
Password: rockwell
Logix Designer will now successfully open and we have fully secured both our design editor (Logix
Designer), our application file (IF2_DEMO.ACD), and our physical controller to a single FactoryTalk
Security Authority.
12. Close Logix Designer
This completes the Logix Designer Security integration with FactoryTalk Security section of this lab.
30 of 130
Logon Credentials
User: engineer
Password: rockwell
31 of 130
The engineer does not currently have access to read the application, which blocks FactoryTalk View Studio from
launching the application at all. The next section of the lab will show how to allow access to this user.
6. Click OK to clear the error and Cancel on the Open dialog. FactoryTalk View Studio will now load
the FactoryTalk Network Directory, but not the View application.
Administer FactoryTalk Application Security
The goal of this section is to allow read access to the Operators and Supervisor, restrict tag-write access to the No Access users,
and grant read-write access to the Engineers users.
1. Looking at FactoryTalk View Studio, note that the InstantFizz application is not currently listed in the
FactoryTalk tree:
2. Because the engineer cannot access the application, a different user will have to log in to access the
application security. Log off and log in as our admin user, ftadmin (password: rockwell), from the
File menu of the FactoryTalk View Studio.
Logon Credentials
User: ftadmin
Password: rockwell
32 of 130
33 of 130
Design Tip: All Actions have been denied to this user in the InstantFizz application. Even though at the
higher Network level this users has been granted these privileges, as indicated by the grey check in the
Allow column, the denial at the InstantFizz level takes precedence. Explicit denials always take precedence
over explicit allows in FactoryTalk Security, deny with care.
6. Uncheck the Deny checkboxes All Actions. The engineer will now inherit its permissions from the
Network container, which allows all privileges except managing security.
7. Check the Allow box next to All Actions. This grants our engineer full access to the application.
Design Tip: We have granted our Engineer user all rights to the application, including configuring
application security. If we DID NOT check the Allow - All Actions box our Engineer user in the following
section would receive the below error when trying to modify Runtime Security in FactoryTalk View:
34 of 130
Logon Credentials
User: engineer
Password: rockwell
5. With the proper security privileges in place, the application will now successfully load.
35 of 130
2. A list of all currently configured users will appear in the lower pane:
Design Tip: This list identifies the users that have been configured for use with this FactoryTalk View SE
application. While FactoryTalk View SE security makes use of the accounts created in the FactoryTalk
Directory, it does not automatically import these accounts until the user has specifically configured them.
The All Users group is automatically configured here by default. We have to now configure our user groups and assign their
access levels.
36 of 130
button.
button
7. Select the Supervisors group and click OK to add them to the security list.
Note: Our current user, engineer, is not listed here yet he is logged into this project in View Studio. That is
because the settings above are for Runtime HMI project security, the engineer is inheriting permissions to
manage View Studio from the FactoryTalk Directory privileges the Engineers group was granted.
37 of 130
8. Add the Administrators, Engineers, Maintenance, No Access, and Operators user groups like
you did the Supervisors group.
9. Your Security Settings dialog should now look like the image below
Note: The Supervisors group is also in this list but slightly hidden in the upper field
38 of 130
10. Select the Operators group. In the lower pane, under All Actions, Expand the FactoryTalk View
Security Codes heading.
39 of 130
12. Next, select the Maintenance group, and check the Deny checkbox for C and E.
13. Uncheck the Allow checkbox for D.
14. Finally, select the No Access group, and check the Deny checkbox for All Actions. Then check the
box to Allow code A.
15. Once the new users are added and configured, click OK. A warning may appear in regard to Deny
permissions click Yes to acknowledge it.
Warning: A member of a group will inherit that groups permissions (for instance, Operator inherits all
security codes from the Operators group), but explicitly denying a permission will always take precedence if
the permission has been allowed elsewhere.
Note that the new groups now appear in the Runtime Security list.
16. Click Close, and then Yes to save changes.
40 of 130
Design Note: The security drop-down currently has the asterisk (*) selected:
This means that any user with at least one security code is capable of writing to this tag. HMI tag security
allows for more granular selection of write access, as opposed to the application-level tag write security.
41 of 130
Recall that the Maintenance and Operators groups were both denied the C security code. By selecting C as
the required tag-write code, it denies write privileges to those users.
4. Click Accept, and then click Close.
Configure FactoryTalk View SE Display Security
The goal of this section is to remove the ability for the Operators group to access the Labeling display.
1. Open the med_labeling display:
42 of 130
43 of 130
2. Right-click on the background of the display (as opposed to one of the objects) and select Display
Settings
3. The Security Code drop-down is currently set to the asterisk (*), meaning that any user with any
security code authorization can access this screen. Change the code to B.
Recall that the Operators group was denied the B security code. Requiring the B security code for access to
this display means that the Operators will not be able to open it.
4. Click the OK button to apply this change and close the Display Security dialog.
5. Close the med_labeling display and click Yes to save the changes.
44 of 130
45 of 130
2. Right-click on the SHUTDOWN button, at the far right side of the display, and select Animation
Visibility
46 of 130
6. Click OK.
7. Between the parentheses, type the letter D to indicate that the currently logged in user must have the
security code D for this expression to evaluate as true.
47 of 130
8. Select Logical OR
11. Click OK
48 of 130
12. Between the parentheses, type Maintenance to indicate that the logged in user must be a member
of the Maintenance FactoryTalk Group or have code D for this expression to evaluate as true.
The security feature CurrentUserHasGroup( ) was a new feature enhancement in FactoryTalk View 8.0.
This feature is designed to extend the native FactoryTalk Security functionality to most objects within
FactoryTalk View applications without the need for separate A-P codes.
13. Click OK, to apply this expression to the Exit button object.
14. In the Visibility Animation window, click Apply.
Recall that the Operators group was denied the security code D. Because this expression must evaluate to
True for the Exit button to be visible, and it will only evaluate true if the logged in user has security code D,
the Operators group members will not be able to see this button. We have granted our Maintenance group
access so our Maintenance user will be able to see this button regardless of security codes
49 of 130
2. Select row 2, then click the browse button by the Command text field, circled below.
4. Click Finish
50 of 130
Recall that the Maintenance group was denied the security code E, meaning that user will not be able to
issue the Language command. This means that the Maintenance group members will be unable to change
languages at runtime.
6. Click Accept to apply the changes.
7. Click Close, and then click Yes to save changes
8. Close FactoryTalk View Studio.
51 of 130
2. Log into the client as our supervisor (password: rockwell) and click OK.
3. When the client has finished loading, note that the supervisor user is currently logged in, granting full
rights to the application as a member of the Supervisors group.
Note that the Exit button is visible on the Navigation bar under More this button will not be visible to the
Operators users when they log in.
4. Navigate to the Labeling screen by clicking the security key button on the navigation bar.
Recall that this screen has display level security requiring security code B for viewing. When the Operators
group members log in, this screen will not display for them.
5. Navigate to the Filling screen now.
52 of 130
6. Click the dial one time to change the status from Run to Stop.
Note that the button toggles to the Stop state and the filling line stops. Click the button again to start the line
and toggle it back to the Start state.
7. Click the dial once again to start the filling process again.
8. Finally, select the LANGUAGES display from the MORE menu.
53 of 130
9. When the language selection screen appears, select Spanish. Note that the applications language
switches.
Take note of the fact that the text fields in this display switched to Spanish.
10. Switch back to English (Ingls), then close the Language Switching display.
Exercise InstantFizz Security Configuration
The goal of this section is to log in as various users to observe how the security configuration effects the application at runtime.
1. Select the Login / Logout display from the MORE menu
54 of 130
2. Use the Login button to login as operator with the password: rockwell
3. Once the Operator user is logged in you will see our display indicates that it is restricted:
5. Note that the MORE SHUTDOWN button is now missing from the navigation bar, due to the
visibility animation checking if the user has the proper security code.
6. Try to navigate to the Labeling screen by clicking the Labeling button on the navigation bar.
7. Note that the system does not navigate to the packaging page, and there is an error in the
diagnostics log at the bottom of the screen.
55 of 130
8. Now use the Login/Logout screen to log in as our Maintenance user, with the password: rockwell
10. Notice the MORE SHUTDOWN button reappears, as this user is a member of the allowed group
11. Navigate to the LABELING screen, which will display properly this time.
56 of 130
15. Push the LANGUAGES button from the MORE menu on the navigation bar.
16. Attempt to change the language to Spanish, and note the error message displayed in the message
window:
17. Click the SHUTDOWN button from the MORE menu on the navigation bar.
57 of 130
This completes the FactoryTalk View SE Security Overview section of this lab.
58 of 130
External Access
Constant
The External Access attribute controls how external applications, such as HMIs, can access tags. It has possible values of
Read/Write, Read Only, and None.
The Constant attribute value determines if a tag can be modified by controller logic. Also, by using FactoryTalk Security software,
it is possible to control which users are permitted to change tags designated as constants in Logix Designer software.
By using these two attributes, you can help safeguard tag data by preventing unwanted changes to tag values. Also, by reducing
the number of tags exposed to external applications, you can also reduce the time required to develop HMI screens, and improve
the performance of data servers by reducing the total number of tags on scan.
For more information on Data Access Control see the Logix Designer Controllers I/O and Tag Data Programming Manual
(Publication 1756-PM004C-EN-P):
http://literature.rockwellautomation.com/idc/groups/literature/documents/pm/1756-pm004_-en-p.pdf
QR Code for Direct Link:
59 of 130
Logon Credentials
User: engineer
Password: rockwell
1. From the controller menu select Go Online to go online with the controller.
60 of 130
2. Be sure the controller is in the Run from the controller menu in Logix Designer.
frtad
3. Expand the Controller Organizer tree to Tasks SecurityDemo SecurityDemoProg
Program Tags is visible.
4. Double click on Program Tags
61 of 130
5. If not already selected, click the Edit Tags tab on the bottom of the window.
6. Scroll to the right until you can see the columns External Access and Constant.
The following subsections will explain the External Access & Constant functionality of Logix Designer and how these
enhancements to the Rockwell Automation Integrated Architecture system can be utlized to implement some stronger security
practices in applications.
62 of 130
External Access
About External Access
By using the External Access feature, you can control how external applications and devices access tags.
This feature also can improve system performance by reducing the number of tags the data server (RSLinx in our case) has to
maintain, scan, and cache. Lowering the work load on data servers can improve the performance of related applications such as
an HMI.
External applications and devices include:
Data Servers (In Rockwell Automation solutions these are RSLinx Classic and RSLinx Enterprise)
PC Based HMIs (In Rockwell Automation solutions these are FactoryTalk View Site Edition, Machine Edition Station)
Other controllers (Such as SLC, Micro, MicroLogix, PLC-5, or other vendors controllers)
Panel Based HMIs (In Rockwell Automation solutions these are PanelView and PanelView Plus HMIs)
Data Reporting (FactoryTalk VantagePoint, Transaction Manager, ProductionCentre, Metrics, AssetCentre, etc)
For more information on External Access see the Logix Designer Controllers I/O and Tag Data Programming Manual
(Publication 1756-PM004C-EN-P), link and QR code at the beginning of this section.
Limiting External Access to Tags
1. In the Logix Designer tag editor, notice that the External Access property for the NormalTag, PV,
and TempWorking tags is set to Read/Write.
63 of 130
Default value is
Alias
Out-of-box is Read/Write.
(1) The
Thereafter, when creating a new tag, the default external access tag
retains the value of the users previous choice.(1)
External Access default value for tag creation is stored per Windows login account.
IMPORTANT For Alias type, the External Access box is disabled. You are not allowed to change the external
access of an alias tag. However, the External Access box will update its value to be the same as the external
access of the base target.
2. Launch the InstantFizz application in the FactoryTalk View SE Client from the desktop, leaving Logix
Designer open on Online in the background.
3. Log into the client as our administrator, ftadmin (password: rockwell) and click OK.
64 of 130
4. When the client has finished loading, select the TAG SECURITY display from the MORE menu.
5. Click on Numeric Entry labeled Normal Tag. Type a new value in and hit the Enter key. Watch the
value change in the numeric display to the right.
6. Repeat above step, writing a value to PV and then Temp Working Tag.
7. Switch back to Logix Designer, leaving the InstantFizz ViewSE client open.
65 of 130
8. Change the value of the External Access property for the tags listed below.
Tag
External Access
NormalTag
Read/Write
PV
Read Only
TempWorking
None
11. Click the TAG SECURITY display from the MORE menu.
66 of 130
12. Click on numeric entry labeled Normal Tag. Type a new value in and hit the Enter key. Watch the
value change in the numeric display to the right.
13. Click on numeric entry labeled PV. Type a new value in and hit the Enter key.
Notice that the value doesnt change in the Numeric Display to the right, the input box turns red, and an error is logged to
the Diagnostics List.
67 of 130
14. Notice that the numeric input and numeric display objects that are labeled Temp Working are now
wire-framed.
This completes the External Access section of this lab. Leave both Logix Designer and the InstantFizz View SE Client Open and
proceed to the next section.
68 of 130
Constants
About Constants
In Logix Designer v18 and later, you can designate tags as constants to protect them from being changed programmatically via:
Local tags
A check mark in the Constant box on tag creation dialog boxes and tag editor/monitor windows indicates a constant
designation.
FactoryTalk security is used to control who is permitted to modify values of constants and who can modify the constant attribute
of a tag. To change the value of a constant, you must have the Tag: Modify Constant Tag Values permission. To modify the
constant attribute of a tag, you must have the Tag: Modify Constant Property permission.
For details on setting permissions, see the FactoryTalk Security System Configuration Guide, publication FTSEC-QS001.
For an alias tag, the default constant setting of this tag is the same as its target tag. For all other conditions, the default value is
unchecked, indicating the tag is not a constant value tag.
When you designate an InOut parameter as a constant, it cannot be written to within the Add-On Instruction.
Design Tip: You cannot pass a constant value tag as an argument to an Output parameter of an Add-On
Instruction. You cannot pass a constant tag to an InOut parameter that is not also designated as a constant
value.
69 of 130
2. Return to the InstantFizz View SE Clients Tag Based Security Demo display.
3. Click on Numeric Entry labeled Set Point (Operator Input). Type a new value in and hit the Enter
key. Watch the value change in the numeric display to the right.
4. Click on Numeric Entry labeled Pi (Constant). Type the value 3.14 in and hit the Enter key. Watch
the value change in the numeric display to the right.
5. Click on Numeric Entry labeled Secret Ratio. Type the value .0218 in and hit the Enter key. Watch
the value change in the numeric display to the right.
70 of 130
External Access
Constant
OperSetPoint
Read/Write
Pi
Read Only
SecretRatio
None
71 of 130
10. Click the TAG SECURITY display from the MORE menu.
11. Click on Numeric Entry labeled Set Point (Operator Input). Type a new value in and hit the Enter
key. Watch the value change in the numeric display to the right.
72 of 130
12. Click on Numeric Entry labeled Pi (Constant). Type a new value in and hit the Enter key. Notice that
the value doesnt change in the Numeric Display to the right and an error is logged to the Diagnostics
List.
The value doesnt change
because it was never written to
the controller.
13. Notice that the Numeric Input and Numeric Display objects that are labeled Secret Ratio are now
wire-framed.
These values are wire-framed indicating that there
is no data available for the specified tag. This is
because the External Access property for this tag
was specified as None in the controller.
14. Click the SHUTDOWN button from the MORE menu on the navigation bar.
73 of 130
18. Click on rung 0 and then click on the new rung button.
Click on the Rung button on the toolbar.
74 of 130
19. Use the scroll button ( ) in the instructions toolbar to scroll until you can see the Move/Logical tab.
Click on the Move/Logical tab.
Use the scroll button to scroll to the Move/Logical tab.
20. Click the MOV button on the instruction toolbar to add a new MOV instruction to the rung.
Set the source to NormalTag and the destination as OperSetPoint.
The blue e indicates there is an error on the
rung. This is because the MOV instruction is
trying to use a constant as a destination
on the toolbar.
75 of 130
22. Notice that Logix Designer reports that there is an error with the new rung. This is because a tag that
has been designated as a constant cannot be the destination for any instruction.
76 of 130
2. When prompted to login we will now login as our maintenance user, maintenance with the password,
rockwell.
Logon Credentials
User: maintenance
Password: rockwell
77 of 130
6. Launch the FactoryTalk Administration Console from the Desktop if not already open.
Logon Credentials
User: ftadmin
Password: rockwell
78 of 130
10. In the Security Settings, select the Maintenance group in the top pane. Then scroll down to and
expand the RSLogix5000 group.
79 of 130
11. Scroll down in the permissions list until you see Tag: Modify Constant Property and Tag: Modify
Constant Tag Values under the RSLogix5000 group.
12. Uncheck the Tag: Modify Constant Property and Tag: Modify Constant Tag Values under the
Logix Designer group.
17. Notice that Value field is greyed out for all of the constant tags.
Note: If the fields do not become non-editable you may not have enabled security from section 1 of this lab.
80 of 130
Logon Credentials
User: engineer
Password: rockwell
20. Open the Tag Monitor from the SecurityDemo Program Tags window
21. Change the value of SecretRatio to 0.025
22. Close Logix Designer and save changes, uploading tag values, when prompted.
81 of 130
Add-On Instructions
Routines
o
Ladder
Structured Text
82 of 130
2. Logon as engineer using the password, rockwell. If the application is already open select Log On
from the Tools Security menu of Logix Designer to login as the engineer.
Logon Credentials
User: engineer
Password: rockwell
3. Select Configure Source Protection from the Tools > Security menu.
Design Tip: Source Protection can only be configured on an offline project file.
4. Source Protection requires a Source Key File location to be specified. Click Yes to specify the Source
Key File location.
83 of 130
5. The following dialog will open, enter this path: C:\Lab Files\ into the Source Key File Location: field
and click OK to create the sk.dat key file in this location.
Design Tip: You may want to store this key file in a secured area of FactoryTalk AssetCentre, but it would
have to be downloaded separately to be accessed. Logix Designer cannot access a key file inside the
FactoryTalk AssetCentre archive.
84 of 130
85 of 130
9. Enter VendorCode as the source key. Show Source Key can be enabled to see the value in
plaintext. Click OK to continue.
Design Tip: An ideal key uses all characters available on the keyboard including letters, punctuation,
symbols, and numbers. The greater the variety of characters used, the better.
10. The PFlex_700_AOI routine is now protected with the key VendorCode.
86 of 130
11. Highlight the SIM_PV_AOI routine, and click the Protect button.
Design Tip: You can select the Allow viewing of routine check box on this dialog box to allow a routine to be
viewed, but not edited, from a system that does not have the appropriate source keys. If you leave this box
cleared, the source is not viewable.
Protected routines that do not allow viewing cannot be viewed by systems that do not have the required key
files.
87 of 130
14. The SIM_PV_AOI routine is protected, but can be viewed in a read only mode by sources that do not
have the key file.
15. Highlight the VFD_AOI routine, and click the Protect button.
88 of 130
18. The VFD_AOI routine is protected, and cannot be viewed by sources that do not have the key file.
89 of 130
19. Highlight the SecurityDemoProg MainRoutine routine, and click the Protect button.
20. Select the ProtectedCode as the source key from the drop down. To make the routine viewable,
select Allow Viewing of component(s). Click OK to continue.
21. The MainRoutine routine is protected, but can be viewed in a read only mode by sources that do not
have the key file.
Design Tip: Notice that the same Source Key can be used for multiple routines. You can also make some
routines visible using the same source key as other routines are not visible.
90 of 130
91 of 130
26. When prompted to return the controller back to Remote Run, click Yes.
WARNING: If you export a source-protected Add-On Instruction and want the exported contents encrypted,
you must first remove, rename, or move the source key file (sk.dat). This causes the exported Add-On
Instructions to be encrypted.
3. Move, do not copy, the sk.dat file from the Lab Files folder to the Desktop.
Recall this is our key file that we secured several object with in Logix Designer. Removing this file
from the configured location should secure those objects as we configured.
4. Open Logix Designer once again
Logon Credentials
User: engineer
Password: rockwell
92 of 130
VFD_AOI was protected and not viewable. The tag and code within
the AOI are not viewable on a system that does not contain the key for
the routine; the user cannot modify the routine.
93 of 130
Instruction Signature
About Instruction Signatures
The Instruction Signature is a set of credentials that is generated by the software, which acts as a kind of fingerprint for the
specific revision of the Add-on Instruction.
A signature consists of an ID number (or hash code) that identifies the contents of the Add-On Instruction and a timestamp that
identifies the specific date and time at which the instruction signature was generated or a signature history entry was made
(whichever came last).
A signature can be used to:
Meet audit requirements in regulated industries (Life Sciences, Food and Beverage, etc)
Programmatically verify the validity of an Add-on Instruction before executing in in Logix Designer code.
Instruction signatures should be used when your application calls for a higher level of integrity. Once generated, the instruction
signature seals the Add-On Instruction, preventing it from being edited until the signature is removed. This includes rung
comments, tag descriptions, and any instruction documentation that was created.
94 of 130
Print reports
Copy the Add-on Instruction Definition to another project (the instruction will remain sealed and under source protection
if applicable)
Design Tip: If desired, source protection must be applied prior to generating an instruction signature. You
will need the source key to create a signature history entry. When source protection is enabled, you can still
copy the instruction signature or signature history, if they exist, but you cannot remove the signature, nor edit
the AOI definition without the proper key.
Add-on Instructions that have a signature are often referred to as a High Integrity Add-On Instruction or Sealed Add-On
Instruction.
Generating a Signature
Follow these steps to generate an instruction signature:
1. Open Logix Designer once again logon as our engineering user, engineer.
Logon Credentials
User: engineer
Password: rockwell
95 of 130
Design Tip: You must be offline to perform this procedure. If this is a safety Add-On Instruction, the project
cannot be safety-locked or have a safety task signature.
4. Click on the Signature tab.
96 of 130
Re
This seals the instruction, generates its signature, updates the Last Edit Date, and places the instruction in a read-only state
to prevent edits.
Design Note: If unsaved edits exist on other tabs of the Add-On Instruction dialog box, the prompt reads as
follows: "Unapplied edits exist in the add-on instruction. Do you want to apply edits and generate signature?"
Answering Yes saves those edits and generates a signature.
Create a Signature History Entry
The signature history provides a record of signatures for future reference. A signature history entry consists of the name of the
user, the instruction signature, the timestamp value, and a user-defined description. You can only create a signature history if an
instruction signature exists and you are offline. Creating a signature history changes the Last Edited Date, which becomes the
timestamp shown in the history entry. Up to six history entries may be stored.
1. On the Signature tab of the Add-On Instruction Definition Editor, click the Add to History button.
The Signature ID is an automatically
generated number.
2. You can add a description, up to 512 characters long, for the entry.
Enter the description Revision 1 Initial release for general use. Click OK.
97 of 130
3. The Signature information along with the description you entered is added to the top of the Signature
History Table. Click OK to close the Add-On Instruction Definition dialog.
IMPORTANT: The Generate signature action is lost (along with all other unsaved edits) if the project is not
saved.
98 of 130
3. On the Signature tab of the Add-On Instruction Definition Editor, click the Remove button.
This will unseal the AOI so it can be modified.
99 of 130
Description
Data
Type
Class Name
Instance Name
Attribute Name
AddOnInstructionDefinition
AOI Definition Name
MajorRevision
DINT
MinorRevision
DINT
Name
RevisionExtendedText
String
String
Vendor
String
LastEditDate
LINT
SignatureID
SafetySignatureID
DINT
DINT
100 of 130
Description
3. Use the values below for the new GSV instruction. You will have to type SignatureID into the Dest
field, because the tag does not exist yet.
4. Right click on SignatureID in the Dest field and select New Local Tag SignatureID from the
context menu.
5. In the New Tag dialog box, set the Usage to Output Parameter, and then click OK.
101 of 130
7. On the General tab of the AOI Definition dialog, bump the Minor revision number up by one.
102 of 130
10. You may be prompted to apply unsaved edits, click Yes to commit these changes.
11. If prompted with a warning about signatures, answer Yes to the prompt "Generate instruction
signature?"
12. On the Signature tab of the Add-On Instruction Definition Editor, click the Add to History button.
13. Enter the description Revision 1.1 Added SignatureID as an output parameter. Click OK.
103 of 130
14. The Signature information along with the description you entered is added to the top of the Signature
History Table. Click OK to close the Add-On Instruction Definition dialog.
IMPORTANT: The Generate signature action is lost (along with all other unsaved edits) if the project is not
saved.
104 of 130
105 of 130
Logon Credentials
User: engineer
Password: rockwell
106 of 130
11. Right click on VFD_AOI and click Copy on the context menu.
107 of 130
12. Return to the new Logix Designer project you created. Right click on Add-on Instructions and click
Paste from the context menu.
13. Double click on the newly copied VFD_AOI add-on instruction in your new project.
108 of 130
16. Close both Logix Designer applications. There is no need to save the changes to the new project.
This completes Protecting Logix Designer Source Code section of this lab.
109 of 130
Understand how to use the new Change Detection features in Logix Designer (v20 & greater) & FactoryTalk
AssetCentre (v4.10 & greater).
Logon Credentials
User: engineer
Password: rockwell
110 of 130
4. Once the Controller Properties dialog is open select the Security tab. You should see the window
shown below:
Note: Notice the Changes to Detect field circled in blue above. You will see this value displays all Fs.
This hexadecimal key code is the mechanism that Logix Designer uses to calculate audit changes.
5. Click the Configure button. You will see the list of all the items that can be audited in the
controller, but default all items are selected.
6. Uncheck the Remote mode change check box, shown below:
111 of 130
112 of 130
12. If the controller is not currently in run mode, switch the controller back to Run and stay Online.
13. Open the Controller Properties once again, by clicking the
button, select the Security tab, and
notice how the Audit Value of the Change Detection field is populated and has a unique value. This
value is called the CCUID.
Note: Your value will likely not be the same as the one above, this value is unique.
14. Using the key on the controller change the mode of the processor to from REM to PROG, then PROG
to RUN, then finally back to REM.
113 of 130
15. Look at the Audit value again, notice that it changes from what you noted before.
This is an indication that a change has occurred on the system which has been capured in the
controllers change log.
16. Recalling that we disabled the change detect option for Remote Mode Changes from the Change
Detection configuration, change the processor mode from Run Mode to Program Mode. You will be
prompted with the dialog shown below warning about the change to program mode, click Yes to
acknowledge this warning.
17. Look at the Audit value again, notice that the value did not change from what you last.
Since this change is not tracked it will therefore not be retained as an audit value.
18. Click OK to close the Controller Properties dialog box.
19. Change the mode of the processor back to Run Mode from the Controller Menu.
The change detection feature in Logix Designer monitors all changes to the controller. While online with the controller feel free to
add additional tasks, Add-On Instructions, Data Types, etc and take note of how the Audit Value in the controller property
dialog changes.
114 of 130
2. When prompted to login we will now login as our maintenance user, maintenance with the password,
rockwell.
Logon Credentials
User: maintenance
Password: rockwell
3. Once the client opens, from the menu along the top of the client interface click the Logs button
4. Once inside of the Logs module, select the audit messages by clicking on the button that says,
Audit Logs.
5. You should see several new audit log messages that look similar to the snippet below:
Note: Make special notice of the Source collecting these logs are Logix Designer. Also notice that the
Resource name is the project name running on this particular controller, IF2_DEMO in our case. You will
also note that since the engineer was logged into Logix Designer at the time these changes were made, the
engineer was listed as the user making the change. This drastically simplifies the reporting process for
controller change reports.
115 of 130
2. You will see several pre-configured searches that were already created in the list, we want to create
new one to look at changes in Logix Designer made today.
button
116 of 130
6. Now that the search is created we need a add conditions to the search, in the lower field of the
search display click the Conditions tab.
7. Click the
button
8. From the New Condition dialog select the Relative to date/time report is run radial button
button again
117 of 130
118 of 130
17. You should have a report that looks similar to this, but with todays date:
Audit messaging is an important aspect of system security. FactoryTalk AssetCentre serves as the repository for
audit messages produced in FactoryTalk. All Integrated Architecture branded Rockwell products that utilize the
FactoryTalk Directory produce audit messages, we just looked at one example here Logix Designer.
119 of 130
You will see a schedule that already exists. That schedule is backing up our FactoryTalk View SE HMI server
application and our Logix Designer Application. We wont explore these in this lab, but if you have questions
on these types of schedules ask one of the lab moderators to explain this feature to you.
2. From the asset tree on the left side of the AssetCentre Client window select the container object
called InstantFizz.
120 of 130
3. Click the
4. From the New Schedule Wizard select Device Monitor Change Detect from the Operations menu
5. In the Name: field enter InstantFizz ControlLogix Processor Monitor
The Controller Idle time setting indicates how long AssetCentre should wait for the changes (tracked by that Audit Value in Logix
Designer we previously learned about) to stop occurring before adding those detected changes to the log. We want them to
come in quickly, so we are setting the values very low. Similarly the maximum runtime for the schedule tells AssetCentre how
long it should absolutely wait before taking the current set of changes and submitting them. Once changes are submitted the
schedule will continue and gather more changes.
8. Click Next
121 of 130
9. From the Operations Properties dialog expand the InstantFizz container and select the IF2_Demo
Logix PAC
10. Once the controller is selected on the right side of the screen change the Copy Controller Log to
Audit Log value to True
122 of 130
13. After a few seconds the status will change to Change detect in process. This indicates that
AssetCentre has successfully connected and is waiting changes to occur.
14. Recall from earlier that we set our controller, through Logix Designer, to monitor changes to the key
switch mode. Once again turn the key on the controller from REM to PROG to RUN to REM.
REM
RUN
PROG
REM
15. Wait approximately 1 minute for the Change detect in progress status to disappear from the
AssetCentre schedule.
16. Once the status clears click the Logs tab once again near the top of the screen, and be sure you are
looking at the Audit Log
123 of 130
17. You should now see several new logs, indicated in bold type, similar to the image below:
18. Select the message at the top of the list that says Keyswitch mode change in the message field.
Looking at the details of the audit message you can see what is captured, in many cases, the previous value and the new value
to give context to the user in regards to the change that was made.
19. Switch back to the Logs tab and click the Event Log button
20. Select the entry of the message that says: Change Detect Complete
AssetCentre/InstantFizz/IF2_Demo Logix PAC
21. In the lower field you will see the information about this change detection schedule, such as the
location of the controller on the network and when this entry was made.
22. Double click on the paper clip
124 of 130
button
125 of 130
30. Now that the search is created we need a add conditions to the search, in the lower field of the
search display click the Conditions tab.
126 of 130
button
32. From the New Condition dialog select the Relative to date/time report is run radial button
button again
127 of 130
38. Notice in our condition list the second condition was added with an AND. This is the default
condition you could also add this as an OR or a NOT, but we want AND in our case.
128 of 130
41. You should have a report that looks similar to this, but with todays date:
Design Tip: This report was created in FactoryTalk AssetCentre to grab all the changes on this controller
that occurred today. You could also expand this report by adding the Event Messages for the IF2_DEMO
produced by the RA Disaster Recovery Agent to include details on when backups were performed on this
controller. Additionally, you could configure this report to collect only the changes made in a past few hours,
days, etc. to compare to a previous report.
129 of 130
130 of 130