×

HMI

Starting in PLC Shift Version 2.0 (May 2025), the PLC Shift runtime implements an integrated HMI. The HMI automatically generates a graphical user interface for your specific PLC Shift system that is accessible through any modern web browser, including tablets, laptops, desktops and mobile devices.
 
The HMI has support for user authentication and can be easily configured so that different users have different levels of access. The configuration is sufficiently flexible to hide or show specific apps, or even just specific tags, to individual users.
 
The HMI has the following features:
  • Support for server certificates.
  • Authentication via local accounts.
  • Authentication via Microsoft Azure Entra (formerly Azure Active Directory) for single sign on (SSO). Corporate credentials can be used to sign into the system.
  • Configuration via a single JSON object.
  • The ability to show or hide specific apps from individual users.
  • The ability to show or hide specific tags from individual users.
  • Suppress the ability to write to entire apps or specific tags for individual users.
 
PLC Shift is complicated system with many moving parts. The complexity arises from flexibility - the system is very flexible and integrates with many different types of automation. The HMI feature allows you hide this complexity and build a view into the system that is tailored to each individual users needs. In other words, when properly configured, the HMI allows you to hide the complexity of the system and give each user exactly what they want, and no more or less.
 
The PLC Shift HMI hides complexity and lets each user only see what they need to see.
 
PLC Shift HMI, Top Level Screen
 
 
PLC Shift HMI, App Detail View
 
The HMI communicates with the PLC Shift runtime via the gRPC interface. The HMI is not a licensed featured, but the gRPC interface is. Every application that appears in the HMI needs a gRPC license.
The HMI relies on the gRPC interface, which is a licensed feature.
 
Application tags are made available in the HMI by selecting their 'gRPC Read' or 'gRPC Write' option. Tags that do not have these options selected will never appear in the HMI.
Select which tags appear in the HMI through the 'gRPC Read' and 'gRPC Write' options on each tag.
 

Device Level Settings

Use the 'Enable Web App' setting to enable the HMI. When the HMI is enabled, it will load its configuration from either the JSON string in the 'Web App Config JSON' parameter or from the '/var/plc-shitf-app/config/webappSettings.json' file on the remote device. The file is preferred and is loaded first.
 
The configuration file contains many settings, including some that should be private, like the server private key. Bypass PLC Shift Manager and load the file on to the remote device directly for higher security.
Load the configuration file directly onto the remote device and bypass PLC Shift Manager for better security.
 

Web App Config JSON

This JSON controls the configuration of the HMI. An example is shown below. Please contact us at support@reverity.io for additional details on how to use this - we're happy to help.
 
 
GrpcSettings Section
This section controls how the HMI connects to the PLC Shift gRPC server. For the sake of simplicity, and since the gRPC server and the HMI app are on the same machine, and in the same process, we recommend that the gRPC server is configured for HTTP. Then the HMI can connect to the gRPC server using an unencrypted connection and we only need to configure the hostname and port.
 
WebAppCommsSettings Section
This section controls the configuration of the web server for the HMI. The server can be configured to use HTTP or HTTPS or both and the port for each service is configurable. A server certificate can be installed when using HTTPS, but a private key is required, so if this feature is used then the configuration file should be copied to the remote device directly instead of being downloaded through PLC Shift Manager.
 
AuthSettings Section
Settings in this section control users and groups. All users of the system are assigned to a group. A user is either assigned to a group explicitly or to the default group. Permissions and overrides are set the group level. There is no limit on the number of groups that you can create, but an user can only be assigned to a single group.
A user can only be assigned to a single group. When a user is not explicitly assigned to a group, the user will be assigned to the default group.
 
The options and subsections in this group include:
  • EnableLocalAccounts. Set this to true to allow local accounts. Local account information is stored on the remote device and has no dependencies on the internet. If local accounts are not allowed, then SSO must be used.
  • AllowSignUp. This option controls whether anyone who comes to the landing page can sign up for an account. When the value is 'true', anyone can sign up and when the value is 'false', no one can sign up. When someone signs up, if their user name is in the 'AllowedUsers' object array, they will get assigned to the configured group for that user. If their user name is not in the array, then they will be assigned to the default group.
  • CreateLocalUsers. Set this option to true to have the app create the users in the 'AllowedUsers' object array when the app first starts. This is normally used when you want local accounts but you don't want to allow sign ups. When the 'CreateLocalUsers' option is true, users must have an initial password. This password can be changed when the user logs in.
  • AllowedUsers. This is an array of user objects. When sign ups are enabled, if a user signs up and there is an entry in this array that matches the new user's user name, the newly signed up user will be assigned to the configured group. 'UserName' values must be an in the format of an email, but at this time, do not have to be a real email address.
  • UserGroups. Each entry in this array represents a single user group. This should contain one default group with reduced permissions (CanWrite) set to false so that users who are not explicitly assigned to a group cannot write to the system.
  • CanRead/CanWrite. For each each group, there are global 'CanRead' and 'CanWrite' permissions.  If the 'CanWrite' permission is set to false, then users in this group will never be able to write any values, regardless of how the tags themselves are configured.
  • AllowAllApps. Set this to false to override the apps that users in this group can see. Put the excluded app names in the 'ExcludedAppNames' array. Users in this group will not see any links or data from excluded apps.
  • AppSpecificSettings. This is an array of JSON objects which each object corresponding to a single app. An entry in this array is only required if you want to override the default behavior or display tables.
  • AppName. This is the name of the app that these settings apply to.
  • ExcludedTagHandles. This is list of strings where each string is the handle of a group of excluded tags. This mechanism allows you to create a set of excluded tags for a specific app type of group and then easily exclude those tags for an app.
  • TableHandles. This is a list of strings where each entry is the handle of a table settings object. Users in a group won't see any tables unless explicitly configured.
  • MicrosoftAzureEntra. Use settings in this group to configure single sign on using Microsft Azure Entra (formerly Azure Active Directory (AAD)). Using SSO requires configuration of settings in the cloud. Please contact us at support@reverity.io if you want to use this feature.
     
A logged in user can change their own password, but in version 1.80, there is no ability reset forgotten passwords or recover accounts where the password was lost. We plan on adding features to do this for admin level users.
 
When experimenting with the authorization options, including single sign on, local accounts, automatic account generation and so on, it is easy to get to a place where accounts exist but their passwords are not known. To start from a clean slate, stop the PLC Shift runtime, delete the '/var/plc-shift-app/config/web-app.db' file, and then start the runtime. This will delete all account information, including information about local accounts and SSO accounts.
 
TableSettings Section
This section is an array of objects. Each object has the following settings:
  • TableHandle. This is the name of this group of settings. Use this handle to refer to these settings on the 'AppSpecificSettings' 'TableHandles' object.
  • TableName. This is the name of the table to display. Table names can be found in the reference material in this manual for the app that you're working with.
  • IncludeAllColumns. Set to true to include all columns for the table and set to false to only include a subset of columns. This should almost always be false and columns to include should be specified explicitly.
  • IncludedColumns. This is an array of strings where each value is the name of a column to include.
 
ExcludedTags Section
 This section is an array of objects. Each object has the following settings:
  • ExcludedTagsHandle. This is the name of this group of settings. Use this handle to refer to these settings on the 'AppSpecificSettings' 'ExcludedTags' object.
  • ExcludedTags_Read. This is an array of strings where each string is the name of tag. Tags in this array will be hidden from the HMI for users that belong to a group that references this group of tags.
  • ExcludedTags_Write. This is an array of strings where each string is the name of tag. Tags in this array will be read-only in the HMI for users that belong to a group that references this group of tags.