1. Field of the Invention
The application generally relates to a method and an access control system for authorizing a user at a field device by a portable communications device.
2. Related Art
The use of role-based access control (RBAC), long established in telecommunications, is increasingly being adopted in the automation sector. Role-based access control assigns a plurality of subjects, in particular real users, to a category, i.e. a role. Subjects assigned to a shared role are thereby granted the same functions and permissions. Using role-based access control thus simplifies the administration of permissions, for instance on individual field devices in a system. For example, a real user no longer needs to be administered in terms of his individual permissions; instead he authenticates himself at the field device using an item of role information and associated authorization evidence and can then perform actions commensurate with his role. In this regard, the field device now only has to implement the assignment of roles to permissions.
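The division of responsibility described above, as an added illustration that is not part of the patent text: an issuing authority binds a user to a role and supplies authorization evidence, while the field device stores only a role-to-permission table and verifies the evidence before deciding on an action. The evidence format (an HMAC over the role claims under a key shared with the issuer), the table contents and all names are constructed assumptions, since the text does not specify them.

```python
import hmac
import hashlib
import json
from typing import Optional

# Role-to-permission assignment held by the field device (constructed sample).
# The device keeps no per-user permissions; this table is all it needs.
ROLE_PERMISSIONS = {
    "operator": {"read_status", "acknowledge_alarm"},
    "maintainer": {"read_status", "acknowledge_alarm", "update_firmware"},
}

# Key shared between the issuing authority and the field device (constructed;
# the actual form of the authorization evidence is an assumption here).
ISSUER_KEY = b"constructed-demo-key"


def issue_role_token(user: str, role: str, valid_until: int, key: bytes = ISSUER_KEY) -> dict:
    """Authority side: bind a role to a user for a limited time and authenticate it."""
    claims = {"user": user, "role": role, "valid_until": valid_until}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_role_token(token: dict, now: int, key: bytes = ISSUER_KEY) -> Optional[str]:
    """Device side: return the asserted role only if the evidence is genuine and unexpired."""
    payload = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("mac", "")):
        return None  # altered or forged evidence
    if token["claims"]["valid_until"] < now:
        return None  # expired evidence
    return token["claims"]["role"]


def authorize(token: dict, action: str, now: int) -> bool:
    """Device decision: role comes from verified evidence, permissions from the role table."""
    role = verify_role_token(token, now)
    if role is None:
        return False
    return action in ROLE_PERMISSIONS.get(role, set())
```

Adding a user or changing his role happens only at the issuer; the device's table never changes for that.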
Existing approaches to providing a device with the authorization evidence belonging to a role include the use of USB sticks or smartcards or a connection to a downstream infrastructure. However, physical interfaces are needed for each authentication process using USB sticks, smartcards or similar auxiliary authentication devices. A connection between the auxiliary authentication device and the field device has to be established, for instance by inserting a smartcard. This is normally followed by clearance by means of an associated password.
One of the problems here is that field devices, especially those of a relatively old date of manufacture, do not support the technique described above or do not have a suitable interface. In addition, the auxiliary authentication device must always be carried by the person to be authorized, so that for instance a USB stick must always be at hand for logging onto a device.
Patent DE 10 2007 046 079 A1 discloses the use of one-time passwords in the automation sector for remote-maintenance access.