Rockwell Automation 1785-Lx6B,D17856.5.13 MNL. PLC-5 PROTECTED PROCESSOR User Manual

Page 8


Chapter 1
Planning for a Protected System

1-3

Passwords and Privileges

The privilege classes in a PLC-5 processor are not necessarily hierarchical.
Class-1 privileges are considered “higher” than the others only because no
one can remove the privilege to modify privileges from class 1. It would be
logical for you, as system administrator, to treat class 1 as the highest class
and then define privileges accordingly, working down to class 4. Typically,
you should grant the privilege to modify privileges only to the highest level
and never reveal that password to other users. Because of this, you must
anticipate end-user needs and set up passwords and privileges accordingly.

As system administrator, you should protect critical program and data
files according to your needs—e.g., by setting these files to “read only”
or “no read, no write” for all classes other than class 1. This protects
against any modification of your logic and also determines which program
files are screened during download mode. You should also configure all
communications channels—including currently unused channels—to
appropriate privilege classes.
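Added example (not part of the Rockwell manual or its programming software): a short Python check that reviews a written privilege plan against the three recommendations above before you enter it into the processor. The dictionary layout, the file and channel names, and the "read/write" label are assumptions made for illustration.

```python
ADMIN_CLASS = 1                  # class 1 always keeps the privilege to modify privileges
CLASSES = (1, 2, 3, 4)
SAFE_MODES = {"read only", "no read, no write"}   # the two settings named above

def audit_plan(plan):
    """Return findings for a privilege plan held in a hypothetical dict layout."""
    findings = []
    # Only class 1 should be able to modify privileges.
    for cls in sorted(plan["modify_privileges"]):
        if cls != ADMIN_CLASS:
            findings.append(f"class {cls} can modify privileges")
    # Critical files: every class other than class 1 must be explicitly restricted.
    for name, access in plan["critical_files"].items():
        for cls in CLASSES:
            if cls == ADMIN_CLASS:
                continue
            mode = access.get(cls, "not set")
            if mode not in SAFE_MODES:
                findings.append(f"{name}: class {cls} is '{mode}'")
    # Every channel, including currently unused ones, needs an assigned class.
    for chan, cls in plan["channels"].items():
        if cls not in CLASSES:
            findings.append(f"channel {chan}: no privilege class assigned")
    return findings

# Constructed sample plans (names and values are illustrative only).
WEAK_PLAN = {
    "modify_privileges": {1, 3},
    "critical_files": {
        "ladder file 2": {2: "read only", 3: "read/write", 4: "no read, no write"},
        "data file N7": {2: "read only", 3: "read only"},   # class 4 never set
    },
    "channels": {"0": 2, "1A": 1, "1B": None, "2A": None},  # unused channels skipped
}
FIXED_PLAN = {
    "modify_privileges": {1},
    "critical_files": {
        "ladder file 2": {2: "read only", 3: "read only", 4: "no read, no write"},
        "data file N7": {2: "read only", 3: "read only", 4: "no read, no write"},
    },
    "channels": {"0": 2, "1A": 1, "1B": 4, "2A": 4},
}

if __name__ == "__main__":
    for finding in audit_plan(WEAK_PLAN):
        print("FINDING:", finding)
    print("corrected plan findings:", audit_plan(FIXED_PLAN))
```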

Data-Table Element Protection

The PLC-5 protected processor’s unique security features allow you to define
areas of memory that cannot be altered by anyone other than a class-1 user.
During online programming by end users, the PLC-5 protected processor acts
as a filter to screen and prevent requests to:

- add ladder code that could write to or otherwise manipulate protected
  data-table addresses
- modify protected
    - data-table words through write operations
    - I/O image elements through I/O forcing

| When: | And: | This happens: |
|---|---|---|
| The end user is not authorized to modify privileges | The processor status file contains the value for a DTEP file (see page 3-2) | DTEP is enabled |
| DTEP is enabled | A screened command request is received by the processor (see page 3-5) | The screening option occurs during online program editing |
Tip

Maintaining control over the
privilege to modify privileges
is critical to the successful use
of the DTEP mechanism.
