Protect Intellectual Property and Manage PLC Access at Scale
T-IA Connect gives you programmatic control over the full security stack in TIA Portal: block know-how protection, CPU access level passwords, project-level user roles, OPC UA authentication, and web server access - all via 13+ MCP tools and REST endpoints.
Comprehensive Security Management
Every security layer in TIA Portal, exposed through a consistent API
Block Know-How Protection
Protect individual blocks or apply batch protection across your entire project. Password-based encryption prevents reverse engineering of proprietary algorithms and control logic. Unprotect selectively for maintenance or updates.
CPU Password Management
Set and manage access level passwords for FullAccess, ReadAccess, HmiAccess, and NoAccess levels. Configure display passwords and master secrets programmatically - no manual TIA Portal GUI interaction required.
UMAC User Management
Create and delete project-level users, define custom roles, and assign or revoke role memberships. Implement role-based access control (RBAC) directly in TIA Portal projects through automation scripts.
OPC UA Authentication
Create and delete OPC UA users on the CPU OPC UA server. Manage client certificates and authentication credentials to control which systems and applications can subscribe to process data.
Web Server Access Control
Manage CPU web server users for the built-in S7-1500 web interface. Create accounts with specific privileges and delete them when access should be revoked - integrated into your onboarding and offboarding workflows.
Unified Security Configuration
Apply a complete security posture in one operation with configure_security. Audit the current state with get_security_summary - a single call that returns protection status, active users, access levels, and role assignments.
CPU Access Levels
Four tiers of access control, all configurable via API
Security Best Practices
Patterns that teams automate with T-IA Connect
Automated Protection Pipeline
Run this sequence at the end of every release build
Compile project and verify zero errors
Export all blocks as SCL source for Git archival
Apply batch know-how protection to all production blocks
Set CPU passwords for the target access level
Generate security summary report and attach to release
Access Control Checklist
Verify these points before any machine ships
All proprietary FB/FC blocks are know-how protected
FullAccess password is set and stored in the secrets vault
HmiAccess password is distinct from FullAccess
NoAccess level enabled on machines with no on-site maintenance
OPC UA users are limited to read-only where applicable
Web server users are provisioned per-person, not shared accounts
UMAC roles follow the principle of least privilege
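The checklist above can be enforced as a release gate. The following is an added example, not T-IA Connect code: it audits a security summary against the checklist items that can be checked mechanically. The page does not document the get_security_summary response format, so the dictionary layout, the field names, the shared-account name list and the OPC UA write allow-list are all assumptions constructed for illustration.

```python
import hmac
import sys

# Constructed sample. Field names are assumptions, not a documented schema.
SAMPLE_SUMMARY = {
    "blocks": [
        {"name": "FB_Dosing", "type": "FB", "proprietary": True, "protected": True},
        {"name": "FC_Scale", "type": "FC", "proprietary": True, "protected": False},
        {"name": "OB1", "type": "OB", "proprietary": False, "protected": False},
    ],
    "access_levels": {"FullAccess": {"password_set": True},
                      "HmiAccess": {"password_set": True}},
    "opcua_users": [{"name": "scada_ro", "write": False},
                    {"name": "mes", "write": True}],
    "webserver_users": [{"name": "j.doe"}, {"name": "service"}],
}
SHARED_NAMES = {"admin", "service", "operator", "shared", "guest"}  # assumed policy
OPCUA_WRITE_ALLOWED = set()  # assumed allow-list of OPC UA users that may write


def audit(summary, full_pw, hmi_pw):
    """Return a list of checklist violations; an empty list means ready to ship."""
    findings = []
    for b in summary["blocks"]:
        if b["proprietary"] and b["type"] in ("FB", "FC") and not b["protected"]:
            findings.append(f"block {b['name']} is not know-how protected")
    for level in ("FullAccess", "HmiAccess"):
        if not summary["access_levels"].get(level, {}).get("password_set"):
            findings.append(f"{level} password is not set")
    # Passwords are injected from the vault at runtime and never printed.
    if hmac.compare_digest(full_pw.encode(), hmi_pw.encode()):
        findings.append("HmiAccess password equals FullAccess password")
    for u in summary["opcua_users"]:
        if u["write"] and u["name"] not in OPCUA_WRITE_ALLOWED:
            findings.append(f"OPC UA user {u['name']} has write access")
    for u in summary["webserver_users"]:
        if u["name"].lower() in SHARED_NAMES:
            findings.append(f"web server user {u['name']} looks like a shared account")
    return findings


if __name__ == "__main__":
    problems = audit(SAMPLE_SUMMARY, "constructed-full-pw", "constructed-hmi-pw")
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)  # non-zero exit blocks the release job
```

UMAC least-privilege review is left out because it depends on role definitions specific to each project.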
MCP Tools Reference
13+ security tools available via MCP and REST API
Block Protection
protect_block, unprotect_block, protect_blocks (batch), get_block_protection_status
CPU Passwords
set_plc_password, reset_plc_password, set_display_password, manage_master_secret
UMAC & Roles
create_project_user, delete_project_user, create_custom_role, delete_custom_role, assign_role_to_user, remove_role_from_user, get_project_users, get_project_roles
OPC UA & Web Server
create_opcua_user, delete_opcua_user, get_opcua_config, create_webserver_user, delete_webserver_user, get_webserver_config
Online Authentication
set_online_auth_password, clear_online_auth_password, get_online_auth_status - persist credentials for automated connections to password-protected CPUs
Security Summary
configure_security, get_security_summary - apply a complete security configuration or audit the current state in a single API call
Frequently Asked Questions
Can I apply know-how protection to all blocks at once?
Yes. The protect_blocks tool applies password-based protection to all selected blocks in a single call. You can target the entire project or a specific folder, making it practical to run at the end of a build pipeline before a machine ships.
Is the CPU password stored anywhere by T-IA Connect?
No. T-IA Connect passes the password to TIA Portal Openness in memory during the API call. It is never written to disk or logged by the server. Manage your passwords in your own secrets vault (Infisical, HashiCorp Vault, etc.) and inject them at runtime.
What is the difference between know-how protection and access level passwords?
Know-how protection encrypts individual blocks so their source code cannot be read or exported - it protects your intellectual property inside the TIA Portal project file. CPU access level passwords control who can connect to the physical or virtual CPU over the network. Both layers are independent and complementary.
Can I automate user provisioning when a new engineer joins the project?
Yes. The UMAC tools (create_project_user, create_custom_role, assign_role_to_user) can be called from any script or CI pipeline. Integrate them with your HR system or identity provider to provision TIA Portal access automatically when a new team member is added to a project.