Users, Roles, and User Sources
Ignition uses the concept of role-based security throughout. Role-based security is the concept that each user may be assigned to various roles. Security policies are then defined in terms of these roles, rather than defined for specific users. This allows users to be reassigned, removed, and added without affecting the logic of the security policy.
The users and their roles are defined in User Sources. An Ignition Gateway may have many different User Sources defined, each governing the security of different aspects of the Gateway. For example, logging into the Gateway configuration web interface might be governed by one User Source, while the security for a project is governed by another.
There are many different types of User Sources that offer various features. For example, the Internal User Source offers the ultimate in ease-of-use: you simply define the users, their passwords, and the roles within the Ignition Gateway configuration web interface. In contrast, the Active-Directory User Source offers the power of integrating Ignition with a corporate security infrastructure. Users, passwords, and roles would be managed centrally by the IT department.
Security policies can be defined for many different parts of the system. For example:
- You can alter the roles required to log into the Gateway configuration section.
- You can define roles required to write to or even read from a Tag.
- You can define roles required to view a Component.
- You can access the security system in a script to restrict the operation of the script to authorized users.
Which User Source Controls What?
With potentially multiple User Sources defined, you need to understand which User Sources are controlling which aspects of Ignition. To find out which User Source governs what, follow these steps:
1. To manage users and passwords for logging into the Gateway Configuration section, you'll need to see what User Source is currently set as the Gateway's User Source. You can check this under Configuration > Gateway Settings by looking at the System User Source field and the Gateway Config Role(s) field.
2. To manage users and passwords for logging into the Designer, follow the same steps as in step 1, except that you need to look at the Designer Role(s) field to see what roles are allowed to log into the Designer.
3. To manage users and passwords for logging into a Vision Client, go to the Configuration > Projects section. Look at the project in question and you can find its User Source listed there.
4. Now that you know what User Source you need to manage, you can find out what kind it is under the Security > Users, Roles section.
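The lookup in the steps above, modeled as a small access review that answers "which User Source governs this login, and who gets in?". This is an added example, not Ignition's API or configuration format. The User Source names, users, roles, the project's `required_roles` field, and the rule that holding any one listed role is sufficient are all constructed assumptions.

```python
# Added illustration: a stand-alone model, not Ignition's API or export format.
# Every name and value below is constructed sample data.

# User Sources: source name -> {username: set of roles}
USER_SOURCES = {
    "default": {"admin": {"Administrator"}, "dana": {"Developer"}},
    "plant_ad": {"olivia": {"Operator"}, "sam": {"Supervisor"}, "vic": {"Viewer"}},
}

# Gateway-wide fields from steps 1 and 2.
GATEWAY = {
    "system_user_source": "default",
    "gateway_config_roles": {"Administrator"},
    "designer_roles": {"Administrator", "Developer"},
}

# Step 3: each project names its own User Source.
# "required_roles" is a hypothetical field added for this model.
PROJECTS = {
    "Packaging": {"user_source": "plant_ad",
                  "required_roles": {"Operator", "Supervisor"}},
}


def governing_source(surface, project=None):
    """Return (User Source name, required roles) for a login surface."""
    if surface == "gateway_config":
        return GATEWAY["system_user_source"], GATEWAY["gateway_config_roles"]
    if surface == "designer":
        return GATEWAY["system_user_source"], GATEWAY["designer_roles"]
    if surface == "vision_client":
        if project not in PROJECTS:
            raise KeyError("unknown project: %r" % (project,))
        entry = PROJECTS[project]
        return entry["user_source"], entry["required_roles"]
    raise ValueError("unknown surface: %r" % (surface,))


def allowed_users(surface, project=None):
    """List users who may log in. Assumption: any one listed role suffices."""
    source, required = governing_source(surface, project)
    return sorted(user for user, roles in USER_SOURCES[source].items()
                  if roles & required)


if __name__ == "__main__":
    for surface, project in [("gateway_config", None), ("designer", None),
                             ("vision_client", "Packaging")]:
        print(surface, project, governing_source(surface, project)[0],
              allowed_users(surface, project))
```

Because the policy is written against roles, reassigning a user inside a User Source changes the result of `allowed_users` without any change to the `GATEWAY` or `PROJECTS` entries.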
Contact Information and Schedules
User Sources are also used for other aspects of the system besides security. For example, the alarm notification system uses the users in User Sources to know who to send alarm notification messages to. For this reason, more information can be associated with a user. Contact info can be added to support the alarm notification system. A schedule can be defined on a user, which can control when they are able to log in and receive alarm notification messages. Language preferences can be defined on a per-user basis to better support each user's preferred language.
User Sources support managing the users and roles from within Ignition to varying degrees. Some User Sources are fully manageable, meaning that you can administer the users, roles, contact info, and so on from within the Ignition Gateway, as well as inside a Vision Client. Other User Sources do not support this at all, while yet others only partially support it. Make sure you understand how and where the administration takes place before you choose a User Source type.
For User Sources that support it, you can manage the users and roles from within the Ignition Gateway's web config interface under Configure > Security > Users, Roles. Click on the manage link next to the User Source you want to administer.
Often it is desirable to let some management or administrative users of a Vision project manage other users without having to log into the Gateway's Configure section. To do this for a User Source that supports being managed, you can simply use the built-in User Management Panel that comes with the Vision Module.