Special Object Reference
These special objects can be used to reference information gathered from the IdP response document, mapped user attributes, or the Security Zone that the user falls under.
Object Type | Reference | Description |
---|---|---|
Response Attributes | Varies, see Expression Mappings for syntax info. | References Response Document Attributes directly. |
User Attributes | {user:id} {user:userName} {user:firstName} {user:lastName} {user:email} {user:roles} | New in Ignition version 8.1.5. References mapped User Attributes. Relies on mappings configured on the User Attribute Mappings page. The roles attribute can be handled using the containsAll or containsAny functions. |
Security Zones | {security-zones} | References the collection of security zones that the user currently has. The collection can be handled using one of the unique functions: containsAll or containsAny. |
Security Level Name | {security-level-name} | New in Ignition version 8.1.5. References the name of the security level being configured. For example, if the Security Level is "Authenticated/PlantA/Administrator", then the security level name is "Administrator". |
Security Level Path | {security-level-path} | New in Ignition version 8.1.5. References the full path to the security level being configured, beginning with the first node below Public. For example, "Authenticated/PlantA/Administrator". |
Note: Response and User Attributes are only available to Security Levels that fall within the Authenticated Security Level. See below under Special Considerations for Rules.
Special Function Reference
When writing an expression to determine Security Level Rules, there are functions available that are not a part of the normal set available to Expression Bindings. These additional functions are:
Function Name | Description | Example |
---|---|---|
containsAll(collection, element 0, ..., element N) | Checks to see if all of the listed elements are present in the collection object. The function requires at least two arguments, a collection and an element. | containsAll({security-zones}, 'PlantA', 'Floor1', 'Press Room') |
containsAny(collection, element 0, ..., element N) | Checks to see if any of the listed elements are present in the collection object. The function requires at least two arguments, a collection and an element. | containsAny({attribute-source:idTokenClaims:roles}, 'Manager', 'Operator') |
Evaluating Tag Values
Tag values can be accessed in the Security Level Rules expression area by encasing the Tag Path (including the Tag Provider) in braces ("{}"):
{[tagProvider]path/to/tag}

Note: Security Levels are determined on initial login for each session, so if a Security Level is using an expression that references a Tag value, changing the value while the session is running won't change the Security Levels applied to the users already logged in.
Special Considerations for Rules
When defining rules for a Security Level, it is important to notice where in the Security Level tree you are. If you want to access information out of the Identity Provider such as the username, you will need to ensure that the Security Level is located in the Authenticated branch. User information is only captured once a user logs in, so that information will only fall under Security Levels that come from the user being Authenticated. If a Security Level lies outside of the Authenticated branch, then the level will only have access to information such as Tag values and Security Zones.
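The two rules below are an added example, not taken from the original documentation, showing how the special objects, functions, and Tag references combine depending on where the Security Level sits in the tree. The role names, zone names, and the Tag path `[default]Security/AccessEnabled` are hypothetical, and the `&&` and `=` operators and `//` comments are assumed from Ignition's general expression language.

```ignition
// Rule 1: entered on a level inside the Authenticated branch,
// for example "Authenticated/PlantA/Administrator".
// {user:roles} is available here because the user has logged in, and it
// depends on a roles mapping on the User Attribute Mappings page.
containsAny({user:roles}, 'Administrator', 'Manager')
&& containsAll({security-zones}, 'PlantA')
&& {[default]Security/AccessEnabled} = true

// Rule 2: entered separately, on a level outside the Authenticated branch.
// Only Security Zones and Tag values are available there, so the rule
// does not reference {user:...} or response attributes.
containsAll({security-zones}, 'PlantA', 'Floor1')
&& {[default]Security/AccessEnabled} = true
```

In both rules the Tag is read when the session logs in, so setting it to false afterwards does not remove the level from sessions that are already running.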