Security & Passwords

See also: Tools and Help in Cscape

 


 

Security Overview

Cscape Security

The Security feature in Cscape is used to protect the Cscape program from unwanted user access. The user can restrict access to Cscape programs by granting permission to specific Users. Security is in force from the time the Cscape program is invoked. Cscape's security is internal; that is, Cscape does not affect any security imposed by the operating system. However, most Cscape files use a proprietary file structure that can be decoded only by Cscape.

 

Hardware Protection

Cscape also provides a level of hardware security for controllers. This includes the ability to Start or Stop the controller, and the ability to set the controller's Network ID on those controllers that accept this feature.

 

Security: Tools Menu > Controller Security

 

Cscape provides up to four (4) levels of system security: one Administrator level and three (3) secondary levels. Unlike some PLC manufacturers, Cscape does not predefine the actions available at the secondary security levels. Instead, the Administrator selects which permissions are available at each level, thus providing for a completely customizable security system. While the Administrator has access to all permissions, a User can access only the functions permitted at their security level. For example, it may be necessary for the Administrator to EDIT and SAVE a program, but the User level might only be able to READ it.

 

A. Security Levels

The Administrator security level has access to all functions, including passwords. Only the Administrator has the capability to change passwords. The Administrator Password can be changed by the Administrator. Cscape provides up to three (3) secondary levels of security. The names and permissions of these levels are completely user definable. The Names, however, are optional, and need not be defined for Cscape security to be in effect. (The security level names are used to generate messages in the Security Log File.)

 

NOTE: The security level Name is not used as part of the security system. The Name, though, is written to the Security Log.

 

The "secondary" levels are completely user-definable by a user with Administrator security level. One level might be assigned to a "Programmer", who can read and write files, manipulate controller modes, etc. Yet another might be for the everyday "User", who can monitor the program or change certain key values but cannot change either the source code file or the program within the controller through a download. He might not be able to change the controller mode (Run/Idle).

 

B. Passwords

Passwords are set by the Administrator. Passwords are numeric and only the characters '0' - '9' are acceptable. There is a limit of six (6) characters per password, so valid passwords range from '1' to '999999'. A value of '0' (zero) indicates NO PASSWORD. NOTE: If ALL passwords are disabled, the user will automatically be given the ability to change passwords and available functions. If passwords have been previously set, then the user will need the password for the Administrator security level that allows access to passwords.

 


 

Procedure for Setting Security Levels

Tools > Security

 

Setup Administrator

Selecting Change Passwords brings up the Security Settings dialog:

 

Name for Security Level - The Administrator has access to all permissions and the ability to change passwords and permissions for the other levels. First, determine and enter a NAME for the security level. Example names are PROGRAMMER, USER, etc. There is a 256-character limit to the length of the name, but for purposes of accurate displays, it would be wise to use no more than 8 - 12 characters. All alphanumeric characters are acceptable for Security Level Names. NOTE: The name for the Administrator Level cannot be changed.

 

Password for Security Level - Enter the PASSWORD for this security level. Passwords must be numeric, consisting of ONLY the characters '0' - '9'. There is a limit of six (6) characters for the length of the password. A password of '0' indicates a null password -- the password for this security level is disabled.

 

Click on the SETUP button for the desired security permissions. The following permissions can be selected or deselected for each security level:

OPEN -- Allows the file to be opened (and ultimately decoded) by Cscape. If this permission is unchecked, the file cannot be opened by Cscape.

VERIFY -- If unchecked, the users at this security level cannot verify that the program in the controller is the same as the file.

DOWNLOAD -- If unchecked, the users at this security level cannot download this file to a controller.

EDIT -- If unchecked, the users at this security level cannot edit this program.

SAVE -- If unchecked, the program cannot be saved, thus overwriting the previous version of the file on disk.

UPLOAD -- If unchecked, the users at this security level cannot upload a program from a controller.

OEM LADDER -- Cscape allows user-defined sections of code to be marked as OEM or proprietary. If this permission is unchecked, the user cannot view or edit these sections of code.

REMOTE TERMINAL -- If unchecked, the user cannot access the Remote Terminal functions.

FORCING -- If unchecked, the user cannot Force a Contact or Coil.

LOCK OEM -- Works together with OEM LADDER. If both are unchecked, no one can view OEM ladder sections.

ONLINE PROGRAMMING -- If unchecked, the users at this security level will not have access to online programming functionality.

SET RUN MODE (CONTROLLER MODE) -- If unchecked, the users at this security level cannot change the controller mode (i.e. Run, Idle, Do I/O).

SET ID NUMBERS (NODE NUMBER) -- Some OCS controllers allow the Node ID (Network Address, MACID, etc.) to be changed over the network. If this permission is unchecked, the user cannot change the controller's Node ID.

CSCAN -- This option is to be developed for future use.

 

Permission at the Administrator Level

NOTE: If a permission is not checked at the Administrator Level, then secondary levels do NOT REQUIRE passwords for this function.

 

Permissions behave slightly differently for the Administrator level:

  • If the permission is unchecked at the Administrator level, there is no security for this permission, and the permission is available without restriction to all the users.
  • If the permission is checked at the Administrator level, then security is enabled for the three user levels. The User level passwords are then set for each user level.
  • It is possible to configure a file that uses passwords for only certain permissions while all others require no password. For maximum security, check all boxes under the Administrator Permissions.

 


 

Setting Up Users

Permission at the User Level

A permission must first be enabled at the Administrator level for a password to be effective at the User levels. NOTE: If a permission is not enabled at the Administrator level, then there is NO PASSWORD SECURITY for that permission level. Any user may perform this action without entering a password.

NOTE: A box must be checked for password protection to be effective. If the box is not checked, then the security level will not be able to perform the function.
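
The Administrator-level and User-level rules above, modelled as an added example (not Horner's code and not Cscape's file format). The dictionary layout, function names and sample values are assumptions made for illustration.

```python
# Added example: a model of the permission rules on this page.
# The dict layout below is hypothetical, not Cscape's file format.
PERMISSIONS = ["OPEN", "VERIFY", "DOWNLOAD", "EDIT", "SAVE", "UPLOAD",
               "OEM LADDER", "REMOTE TERMINAL", "FORCING", "LOCK OEM",
               "ONLINE PROGRAMMING", "SET RUN MODE", "SET ID NUMBERS"]

def password_state(pw):
    """Classify a password string as 'disabled', 'valid' or 'invalid'."""
    if not (pw.isascii() and pw.isdigit()) or len(pw) > 6:
        return "invalid"                      # only '0'-'9', at most six characters
    return "disabled" if int(pw) == 0 else "valid"   # value 0 means NO PASSWORD

def requires_password(config, perm):
    """A permission is secured only if it is checked at the Administrator level."""
    return perm in config["administrator"]["checked"]

def level_may(config, level, perm):
    """Whether the checkbox rules let a secondary level perform perm."""
    if not requires_password(config, perm):
        return True                           # unsecured: open to every user
    return perm in config["levels"][level]["checked"]

def audit(config):
    """Return findings for settings that leave functions without password security."""
    passwords = {"administrator": config["administrator"]["password"]}
    passwords.update({n: lvl["password"] for n, lvl in config["levels"].items()})
    states = {n: password_state(pw) for n, pw in passwords.items()}
    findings = [f"{n}: password must be 1-6 digits" for n, s in states.items() if s == "invalid"]
    if all(s == "disabled" for s in states.values()):
        findings.append("all passwords disabled: any user can change passwords and permissions")
    findings += [f"{p}: unchecked at Administrator level, no password required"
                 for p in PERMISSIONS if not requires_password(config, p)]
    return findings

# Constructed sample configuration (level names and passwords are made up).
SAMPLE = {
    "administrator": {"password": "482913",
                      "checked": set(PERMISSIONS) - {"UPLOAD", "FORCING"}},
    "levels": {
        "PROGRAMMER": {"password": "7731",
                       "checked": {"OPEN", "VERIFY", "DOWNLOAD", "EDIT", "SAVE"}},
        "USER": {"password": "2048", "checked": {"OPEN", "VERIFY"}},
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Checking every box under the Administrator permissions, as the page recommends for maximum security, makes the last group of findings disappear.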

 

View Passwords

If this button is enabled, then users at this security level can view passwords in their alphanumeric format (instead of asterisks) and can add or edit passwords. If this button is disabled the user sees only asterisks, and password changes are not accepted.

 

Accepting Security Permissions

Finally, accept the Security Setup by clicking on OK. Alternatively, the user can ignore any new settings and revert to the previous setting by clicking CANCEL.

 

NOTE: The user must save the file using File > Save for the security levels and permissions to take effect.

 

Using Security Levels

Once passwords and permissions have been set, use of system security is mostly automatic.

 

If OPEN is one of the items that is password protected, the user is prompted for a password. The level associated with that password must have the OPEN permission set. Otherwise, the open is not completed. The same happens if the user attempts to SAVE, DOWNLOAD or UPLOAD a file. After the user enters a valid password, they are considered to be logged in. The log-in password is automatically used for those functions that require it.

 

If a permission is disabled for a particular function under this security level, the user is prompted to enter a password in order to complete a protected function. The entered password must have the permissions properly set to complete the function. If the user has only his own password, he cannot perform functions that require a higher level of security.

 

Lost Passwords

Occasionally, passwords are forgotten or lost. If this happens, contact the System Administrator for further instructions.

 


 

Login and Logout

Security - This allows the user to LOGIN or LOGOUT of the Cscape Security system, change passwords (if the user has the proper security level password), or view the Cscape Security Log (if the user has the proper security password).

  • Tools > Security > Log In
  • Tools > Security > Log Out

 

 

OEM Sections

NOTE: Not recommended if using an IEC editor.

 

The OEM section is a unique feature in Cscape that can be used to mark sections of code as proprietary. These sections are then password protected from viewing or editing. By being password protected from view, code secrets can be hidden from unauthorized personnel. NOTE: The use of OEM sections requires that this feature be password protected. If the OEM section is NOT password protected, then the OEM section settings are not available.

 

Tools > Security > OEM Sections

To mark a section of code in a program as an OEM section:

  1. Right-click on the left power rail at the position desired to start the protected code.
  2. From the pop-up menu, select START OEM SECTION.
  3. Right-click on the left power rail at the position desired to end the protected code.
  4. From the pop-up menu, select END OEM SECTION.

 

To unmark a section of OEM code:

  1. Right-click on the marker to be removed.
  2. From the pop-up menu, select either Delete OEM Start or Delete OEM End, as appropriate.

 

To see the OEM code:

  1. Open the file.
  2. In Tools Menu > Change Password > Enable/Check the OEM Sections. If necessary, supply a proper password.

 

To hide the OEM code:

  1. In Tools Menu > Change Password > Disable/Clear the OEM Sections.

 

NOTE: No one can view any OEM sections without a proper password.

 
