Ignition 8
Ignition 7.9
Ignition 7.8
Sepasoft - MES Modules
Cirrus Link - MQTT Modules
Inductive University
Ignition Demo Project
Knowledge Base Articles
Forum
IA Support
Deprecated Pages
SDK Documentation
FactoryPMI Reporting Manual
FactorySQL
Ignition 8.1. Offline Version (04/2021)
With Security Levels, you define a hierarchy for access inside a Perspective Session or Vision Client. This authorization system provides a way for you to map roles from an Identity Provider (IdP) to Ignition roles. Any IdP can be used to provide roles, and security levels are independent of the type of IdP being used. Any role from the IdP is automatically granted to the user as a role, but only roles in your Security Levels are available to the security screens in the Designer. You can also use the User Grants option to grant additional access for each user.
Security Levels are defined at the Gateway and they are arranged in a tree structure. Each child (nested) level of the tree inherits the security of its parent levels. There are four reserved Security Levels in the platform:
To access Security Levels, go to the Gateway Webpage under the Config tab, and choose Security > Security Levels.
The reserved security levels are mostly created for you, and have special rules that determine when a user is granted that level. They can't be renamed or deleted.
All users are always granted the Public security level, even if they are not authenticated (logged in). Public security level indicates open access and the least amount of security. A session that only has the Public security level is not authenticated. This is similar to being a guest or anonymous. Unless another security level is required, guest access will be allowed. The Public security level is the ancestor of all other security levels in the hierarchy.
The Authenticated Security Level is a child of the Public Security Level. If a session has authenticated against the configured IdP successfully, the Authenticated Security Level is granted. Users are required to be logged in in order to have access to this level.
The Roles level is a special level which itself has no special rules, but it acts as a parent placeholder for potential roles returned from the IdP. This particular level is not configurable; however there can be levels added underneath the Roles level as children. These levels should correspond to the names of roles that would be expected from the IdP. If the IdP provides role information, these roles are automatically mapped to the child security levels underneath Authenticated/Roles. The names of the roles must match exactly for them to be correctly mapped to. For example, if you authenticate against the Ignition IdP configured to delegate to the Internal user source, and your user was granted the roles “A”, and “B”, you would have (at a minimum) the following security levels granted to you:
Note: You can only add one level of children to the Roles Security Level. Custom Roles can be nested as deeply as you want.
The SecurityZones level is another special placeholder level that itself has no rules but is a parent for all of the Security Zones on the Gateway. Security Zones are automatically pulled in from the Gateway. A Security Zone is a list of Gateways, Computers, or IP addresses that are defined and grouped together. This group is a zone on the Gateway Network, which can have additional policies and restrictions placed on it. Security Zones provide a way to bridge the IdP method of permissions with location-based permission modeling. You cannot add, edit, or remove the SecurityZones node or any node in the SecurityZones sub-tree.
Custom Security Levels can be added to almost anywhere within the tree. When these levels are granted to a user is determined by the Security Level Rules, which can pull information from the IdP, Security Zones, and even Tags. The placement of custom Security Levels can affect when they may be potentially granted to a user. Any custom levels set under the Public level, but not within Authenticated, do not need to have a user authenticate against the IdP to be granted to a user. However, custom levels within Authenticated do need to have the user authenticate to be granted to the user, even if the rule for that level does not use any of the IdP attributes.
In the Security Level Details screen area, enter the Name for the level.
Note: Security Level names within the same parent must be unique.
The path for the parent is filled in automatically. Use the Parent dropdown list if you want to change the parent for this new level.
to return the tree view to its currently saved configuration.In the Security Level Tree, select the level that you want to edit.
to return the tree view to its currently saved configuration.
Caution: When you delete a Security Level, all children under that level will also be deleted.
In the confirmation box, click Delete to confirm the delete.
.Choose Import on the confirmation screen.
Choose a security levels configuration file to import.
Click Open.
.The security levels configuration will be saved as a .json file with a unique number, for example:
