Protecting HMI with a Password
It is possible to lock the whole HMI or certain parts of it with a password in order to make sure that only authorized users will be able to modify a running program in the production environment.
PasswordPanel control in the HMI Controls catalog
Creating Password Protected Panels
To lock an area of the HMI against unauthorized users, add the PasswordPanel control from the Password Protection category to your HMI. Then place all HMI controls that you wish to be password protected inside the PasswordPanel (in exactly the same way as you would with a regular panel). When you run such a program, you will see a login screen instead of the content of the PasswordPanel (the controls inside the panel will not be visible); only after you log in will the content of the panel be unlocked and become visible. Please note that you can create several password protected areas in your HMI, each with its own user list, e.g. to distinguish the administration panel from a regular worker's panel. Controls that should be available to everyone without providing a password should be placed in the HMI outside of any PasswordPanel.
PasswordPanel's login page
Logging Out
After you log in to the PasswordPanel, you can log out of it (lock its content) in the following ways:
- by clicking the LogoutButton control placed inside PasswordPanel (you can add it from the Password Protection category),
- by pressing the Esc key when keyboard focus is on a control inside PasswordPanel (and when the UseEscToLock property of the PasswordPanel control is set to True),
- by pressing the Ctrl+L key combination when keyboard focus is on a control inside PasswordPanel.
You will also be logged out automatically after the period of time defined in the AutoLockTimeout property (in seconds) of the PasswordPanel control if the system input has been idle for that period (no keystrokes or mouse clicks/moves).
Managing Users and Passwords
Users with access to an HMI PasswordPanel are identified by user name and password pairs. User names must be unique and are case insensitive. A user password must be at least 4 letters long and is case sensitive. Multiple users identified by different user names can be given access to a single PasswordPanel. Credentials are stored in separate *.avuser files (outside of the .avproj project files or .avexe executable files). You need to assign such a file to each PasswordPanel control to determine which users should have access to a given area. You do this by setting the CredentialsFileName property of the PasswordPanel control to the path of the .avuser file. An *.avuser file can be created and edited in the following ways:
- by right clicking the PasswordPanel control in the HMI editor and choosing Edit Credentials... (this will open an existing file assigned to the control, if any, and set the CredentialsFileName property to the newly saved file path),
- by choosing Tools » Edit HMI User Credentials File... in Adaptive Vision Studio's main menu,
- by running the AdaptiveVisionUserCredentialsEditor.exe application from the Adaptive Vision Studio Runtime's catalog.
Please note that user passwords are stored in a hashed form, so it is not possible to read the current password of a user (it is only possible to set a new password for an existing or new user).
Adaptive Vision User Credentials Editor
When moving your project to a different computer, please remember to also copy the *.avuser files and check that their paths are correct (absolute or relative, as set in the CredentialsFileName property). You need to copy these files even when you generate a runtime executable file (*.avexe) from your project, because they are not exported to *.avexe files. This is crucial: when the *.avuser files are not found, you will not be able to unlock the password protected area.
It is also possible to share your *.avuser file over the network using file sharing (in such a case be sure to share the files as read-only). This lets a system administrator quickly edit user access rights for the production environment in a single location on a server. To use a credentials file shared over the network, the CredentialsFileName property must be set to an absolute network share path (e.g. "\\MyServer\MyPath\MyCredentialsFile.avuser").
Password Protection in the Production Environment
Please note that it is not enough to just copy your project files (or an *.avexe file) and *.avuser files to the production environment machine to ensure that your program cannot be modified by unauthorized users. This is because *.avuser files and application project files can be modified or overwritten, which would change user credentials or remove the password protection. In order to prevent that, you should properly configure the production machine:
- the system administrator account must have a password,
- a normal non-administrative user (logged in during vision system runtime) should not have permissions to modify the project catalog and the files it contains, including the .avuser file.
A simple way to fulfill these requirements on Microsoft Windows is to place the application project files in a folder created with default inherited permissions inside the Program Files directory (administrator rights will be required) and to work on the production machine using a non-administrative user account.
In such a configuration, authorized staff can still edit your *.avuser file (for example to periodically change passwords) by running AdaptiveVisionUserCredentialsEditor.exe with system administrator privileges.
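The file-permission requirement above can be verified with a short ACL audit. The following PowerShell script is an added example, not part of the Adaptive Vision documentation; the default project path is a hypothetical placeholder, and the script assumes that only SYSTEM, Administrators, CREATOR OWNER and TrustedInstaller are expected to hold write access.

```powershell
# Added example: list accounts that could modify or replace the project files
# or *.avuser credential files. The default path is a hypothetical placeholder.
param([string]$ProjectDir = 'C:\Program Files\MyVisionApp')

# Principals expected to hold write access (well-known SIDs, locale independent).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (inherit-only template ACE)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Specific rights that allow changing, deleting or re-permissioning an object.
$names = 'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, ' +
         'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]$names
# Inherit-only ACEs can carry unmapped GENERIC_ALL / GENERIC_WRITE bits instead.
$mask = $writeBits -bor 0x10000000 -bor 0x40000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$targets = @(Get-Item -LiteralPath $ProjectDir) +
           @(Get-ChildItem -LiteralPath $ProjectDir -Recurse -Force)

$findings = foreach ($item in $targets) {
    $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $trusted -notcontains $sid -and
            ([int]$ace.FileSystemRights -band $mask)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not ($targets | Where-Object { $_.Extension -eq '.avuser' })) {
    Write-Warning "No *.avuser file under $ProjectDir; check CredentialsFileName."
}
if ($findings) {
    $findings | Sort-Object Path, Sid | Format-Table -AutoSize
    exit 1
}
Write-Output "No unexpected write access found under $ProjectDir"
```

Run it from an elevated prompt so that every ACL can be read. Any row it prints is an account other than the expected ones that can change the project or credentials files, which is the condition the configuration above is meant to rule out.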
