Protecting and Saving Projects

General information about write and access protection

You can protect a project against unintentional changes by means of access and write protection. You can also provide it with read protection (knowledge protection).

Write protection:

The following options are available for providing the entire project with simple write protection:

  • Select the Open read-only option when opening the project.
  • Set the Released status in the Project Information.
  • Activate the ‘Read-Only’ option in the properties of the project file in the local file system.

To protect only certain objects in a project against changes, or to allow access only to certain users, you can use user and access rights management (see below). Some target devices similarly support user and rights management. The access of CODESYS to objects and files of the target device can thus be restricted.

However, write protection and access protection do not provide knowledge protection for the POUs. CODESYS itself, automation platform plug-ins, and persons with knowledge of the project file format can still view or modify function blocks created with CODESYS.

Knowledge protection:

Knowledge protection of a project is achieved by encrypting the project file, either with a project password, the CODESYS Security Key (dongle), or a certificate. We recommend protection by means of the key or the certificate because in this case no secret needs to be shared between authorized users. The desired type of project encryption is enabled in the project settings.

You can attain knowledge protection of a library by providing it as a target-system-independent “protected library” (*.compiled-library). In this format the library file no longer contains source code, but only encrypted precompile context. The compiler is still able to interpret this data. Whether other CODESYS components or additional plug-ins can access it depends on their functionality and must be checked in each individual case.

Knowledge protection and copy protection of a boot application can be done by means of a runtime system dongle (simple or licensed) or encryption with a certificate. One of these options is enabled in the object properties of the application.

Encryption with certificates

In CODESYS, projects and applications can be encrypted with certificates and signed in order to protect them from unauthorized access.

To do this, you can configure specific security settings for each individual user profile. These settings are always used automatically when the user works with CODESYS projects. Therefore, they do not have to be redone for each project. The general configuration of the security features for a user profile is done in the Security Screen view of CODESYS. See the individual instructions below.

You can also encrypt a project file or an application for download or online change directly with a certificate:

  • User-independent encryption for the current project is configured in the Security category of the Project Settings.
  • User-independent encryption of the application is configured in the Properties dialog of the application object.

Hint

When you encrypt a project, an application, or online code with a certificate, you will always require the certificate with a private key in order to open the object again.

Note

If the CODESYS Security Agent add-on product is installed, then the Security Screen view provides an additional tab: Devices. This allows for the configuration of certificates for the encrypted communication with controllers.

Certificates, Windows Certificate Store

All available certificates are located in the Windows Certificate Store (certmgr) on your computer. There are two types of keys:

  • Certificates with private keys
    • for file decryption
    • for digital signatures
  • Certificates with public keys
    • for file encryption
    • for verifying digital signatures

The local Windows Certificate Store is usually filled with certificates by the IT administrator of the computer. Certificates are either created with special tools or requested from a trusted certification authority (CA).

If you receive a certificate file that you need to install yourself in the Windows Certificate Store, then double-click the file in the directory where it is saved. Depending on the type (certificate with private key or with public key only), the appropriate import wizard will appear.
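
The following PowerShell sketch is an added example, not part of the CODESYS documentation. It lists the certificates in the current user's store and classifies each one by the two types described above, so you can confirm that a certificate with a private key is present before encrypting with it. The store path `Cert:\CurrentUser\My` and the function name `Get-CertificateRole` are assumptions made for illustration.

```powershell
# Added example: classify certificates by the roles the page lists for each type.
function Get-CertificateRole {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',  # assumption: Personal store of the logged-in user
        [int]$WarnDays = 30                            # flag certificates expiring within this many days
    )

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # The key usage extension is optional; if absent, the certificate does not restrict usage.
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1

        # Private key present: decryption and signing. Public key only: encryption and verification.
        if ($cert.HasPrivateKey) {
            $role = 'decrypt files, create signatures'
        } else {
            $role = 'encrypt files, verify signatures'
        }

        if ($cert.NotBefore -gt $now)                        { $validity = 'not yet valid' }
        elseif ($cert.NotAfter -lt $now)                     { $validity = 'EXPIRED' }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays))  { $validity = 'expires soon' }
        else                                                 { $validity = 'ok' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            Role          = $role
            KeyUsage      = if ($ku) { $ku.KeyUsages.ToString() } else { '(not restricted)' }
            NotAfter      = $cert.NotAfter
            Validity      = $validity
        }
    }
}

# Certificates that can reopen encrypted objects are listed first.
Get-CertificateRole | Sort-Object HasPrivateKey -Descending | Format-Table -AutoSize
```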

User management and password manager

User accounts with different rights can be managed in CODESYS. For each account you can define the actions with which the user can access a project object.

The user management is configured in the Project settings in the category Users and Groups.

Before the creation of users and groups, please note the following:

  • Rights can only be assigned to user groups. Therefore, you must assign each user to a group.

  • A group Everyone always exists automatically, and by default every user and every other group is initially a member of this group. Thus each user account is automatically equipped with at least the defined standard rights.

    You cannot delete the group Everyone, you can only rename it, and you cannot remove members from this group.

    Caution: by default Everyone does not have the right to change the current user, group and rights configuration!

  • A group Owner containing a user Owner always exists automatically. From V3.5, only the Owner initially has the right to change the current user, group and rights configuration in a new project! Hence, only Owner can assign this right to another group.

    Initially the Owner can log in with user name Owner and an empty password.

    You can add further users to the group Owner or remove users from it, but at least one member must be retained. As with Everyone, you cannot delete the group Owner. It always possesses all access rights. This prevents a project from being rendered unusable by denying all access rights to all groups.

    You can rename both the group Owner and the user Owner.

  • If the programming system or a project is restarted, no user is initially logged in to the project. However, the user can then log in via a certain user account with user name and password in order to obtain the access rights defined for the account.

  • Each project has its own user management! Therefore, in order to obtain certain access rights to a library integrated into the project, for example, the user must explicitly log in to the library project.

    Users and groups defined in different projects are not the same, even if they have the same names.

  • User management in a project only makes sense if it is combined with a corresponding assignment of rights for access to the project and its objects. The project rights are generally managed in the dialog box Rights of the User Management. You can also change the access rights to an individual project object on the Access control tab of the Properties of the object.

  • There are standard menu commands under Project ‣ User Management for logging into and out of a project as a defined user. A password manager permits the management of the login data on your computer.

Note

From V3.5 only the Owner initially has the right to change the current user, group and rights configuration in a new project! Hence, only Owner can assign this right to another group.

Hint

CODESYS stores user passwords in a form that cannot be retrieved. If you forget a password, the user account becomes unusable. If you forget the Owner password, the entire project may become unusable!

Password manager

The password manager enables you to save login data records that you enter during the login procedures for projects. It is accessible via a button in the login dialog box and offers fast access to the login data currently required. This can be helpful, for example, if you are working in parallel on several library projects that are protected by different passwords.

The password manager itself is protected by an individual master password. When you use the password manager for the first time, CODESYS asks you to define this password in the password manager configuration dialog box. CODESYS remembers the master password until you end the current CODESYS session. You must always enter the password when you log in to the password manager for the first time during a new session, or after you have changed it.

Rights management

Rights management for access to a project and to objects in a project is necessary to make user management meaningful.

The rights for a project are generally managed in the Rights editor of the User Management. You can also change the access rights to an individual project object on the Access control tab of the Properties dialog box of the object.

Before assigning rights, please observe the following:

  • In a new project, CODESYS always sets all rights for the execution of actions on objects to the default value ‘allowed’ (standard right). The only exception to this is the right to change the current user, group and rights configuration. Initially only the ‘Owner’ group has this right.
  • If you are a member of a group that is permitted to change rights, you can do this at any time for each right while continuing to work on a project. You change a right by switching between ‘allowed’ and ‘forbidden’ or by resetting it to the default.

Filing, saving

Provide the project file with the desired protection before saving it in the file system; see above. For a read-only project file you are given various options so that you can still save the file, depending on the type of write protection.

If the project is to be opened later in an older CODESYS version, it makes sense to save the project for precisely this version (file type), since CODESYS will also inform you immediately about possible losses of data in the course of saving it.

If you wish to save library projects, please observe the rules for the creation of libraries. Also consider the possibility of installing a library directly in a library repository.

If you wish to continue to use a project on another computer, it makes sense not only to save the project file, but also to create a project archive from all relevant auxiliary files.

You can make a setting so that a backup copy of this project is created each time the project is saved. In addition you can configure CODESYS so that projects are generally automatically saved at certain time intervals.

If you wish to keep projects in a source control system, observe the corresponding add-ons for CODESYS. For example, the link to SVN is supported.
