Managing Users and Roles
Role-based Access
Security is based on the roles that are assigned to specific users. Roles do not have any structure or hierarchy by default, but one can be created. You can create a hierarchy by assigning users with a greater role all of the matching lesser roles.
There isn't a built-in restriction to the number of roles a user can have, so each user can have access to many roles, or none at all.
It's important to think about the different roles in your project and how they affect the security of your project. For instance, what level of access a particular area of a project needs may determine the functional type roles that you create, and the different users assigned to each role.
You can manage users and roles using either the Gateway interface, or using the User Management component inside the Designer or Client. This section shows how to manage users and roles using the Gateway interface.
When using role-based security in a project, the project stores the name of the role as a string. This means that if you modify the name of the role in the Gateway, the role-based security in your project will not update to reflect the new name, and will instead keep searching for a role with the original name. Be very careful when modifying the names of roles.
Creating a Role
- On the Gateway webpage, go to the Configure section, and choose Security > Users, Roles from the menu on the left. The User Sources page is displayed.
- Click on the manage users link for the User Source you want to manage.
- Click the Roles tab, then look for the blue arrow at the bottom, and click the Add Role link.
- Name the role by entering it in the Role Name field, and click on the Add Role button. The role is now available to be associated with specific users.
Assigning Roles to Users
- On the Gateway webpage, go to the Configure section, and choose Security > Users, Roles from the menu on the left. The User Sources page is displayed.
- Click on the manage users link for the User Source you want to manage.
- Click the Edit link for the User you want to edit, or click the blue Add User link to add a new user. (When adding a new user, you can also add their roles at the same time).
- If you're creating a new user, the Add User window will open. Enter the user's properties including the roles you want this user to have. If no roles have been created, then follow the instructions in the Creating a Role section from above. If your user already exists and you simply want to modify their roles, the Edit User window will open. (The Edit User window and the Add User window look identical).
To assign a role, there is a Roles property with a list of roles that have already been created. Select the role(s) that you want this user to have. (It's not required for a user to have a role, but be aware that they might not have access to an area of the project that requires them to have a role).
When a project is first created, the Administrator role is the only role available, and no other roles will appear until they are created. When more roles are created, they appear as check boxes just like the Administrator option.
- Click either Add User if you are adding a new user, or Save Changes if you are modifying a user's role(s). The user now has the privileges associated with the selected role(s).
Role Hierarchy
Often you might want one role that includes everything in the role below it. For example, Operator 1 can do everything that Operator 2 can, and more. This is possible to set up using the security roles for components in the Designer, but it is easier to give any Operator 1 both the Operator 1 and Operator 2 roles.
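The following audit sketch is an added example, not Ignition code or part of the original page. It checks the two hazards described above: role-name strings stored in a project that no longer match any role in the user source after a rename, and users who hold a greater role without the lesser roles it is meant to include. The hierarchy order, user names, component locations, and role lists are constructed sample data, and exact string matching is an assumption.

```python
# Added example: constructed data, not exported from a real Gateway.
# HIERARCHY runs from greatest to least role (an assumed site convention).
HIERARCHY = ["Administrator", "Operator 1", "Operator 2"]
DEFINED_ROLES = ["Administrator", "Operator 1", "Operator 2", "Supervisor"]
USER_ROLES = {
    "alice": ["Administrator", "Operator 1", "Operator 2"],
    "bob": ["Operator 1"],   # greater role without the lesser one
    "carol": ["Operator 2"],
    "dave": [],              # a user may have no roles at all
}
# Role-name strings as stored in the project (hypothetical locations).
PROJECT_REFERENCES = {
    "Main Window/Start Button": ["Operator 1"],
    "Settings Window": ["Manager"],  # role since renamed to "Supervisor"
}

def implied_roles(role, hierarchy=HIERARCHY):
    """Return the role plus every lesser role below it in the hierarchy."""
    if role not in hierarchy:
        return [role]  # roles outside the hierarchy imply nothing else
    return hierarchy[hierarchy.index(role):]

def missing_lesser_roles(user_roles, hierarchy=HIERARCHY):
    """Map each user to the lesser roles their roles imply but they lack."""
    gaps = {}
    for user, roles in user_roles.items():
        held = set(roles)
        expected = set()
        for role in held:
            expected.update(implied_roles(role, hierarchy))
        lacking = [r for r in hierarchy if r in expected and r not in held]
        if lacking:
            gaps[user] = lacking
    return gaps

def stale_role_references(referenced, defined):
    """Find stored role strings that match no role in the user source."""
    defined_set = set(defined)
    stale = {}
    for location, names in referenced.items():
        unknown = sorted(n for n in names if n not in defined_set)
        if unknown:
            stale[location] = unknown
    return stale

if __name__ == "__main__":
    print("Users missing lesser roles:", missing_lesser_roles(USER_ROLES))
    print("Stale role references:",
          stale_role_references(PROJECT_REFERENCES, DEFINED_ROLES))
```

Running a check like this before and after renaming a role shows which project locations still point at the old name.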
Managing Users
User Sources support managing the users and roles from within Ignition to varying degrees. Some User Sources are fully manageable, meaning that you can administer the users, roles, contact info, and so on from within the Ignition Gateway, as well as inside a Vision Client. Other User Sources do not support this at all, while yet others only partially support it. Make sure you understand how and where the administration takes place before you choose a User Source type.
For User Sources that support it, you can manage the users and roles from within the Ignition Gateway's web configure interface under Configure > Security > Users, Roles. Click on the manage link next to the User Source you want to administer.
Often, it is desirable to let some management or administrative users of a Vision project manage other users without having to log into the Gateway's Configure section. To do this for a User Source that supports being managed, you can simply use the built-in User Management Panel that comes with the Vision Module.
User Management Component
Ignition has a special User Management component that allows you to add, modify, and delete users and roles (and more) inside the Designer and the Client. This is extremely simple to set up and use.
Using the User Management Component in the Designer and Client
- In Designer, drag a User Management component to your window.
- If you already have some users and roles set up using the Gateway interface, you will see those users and roles in the User Management component. If you don't have any users or roles set up, you can create them here. Use the icons on the right side to add, edit, or delete a user or role.
The image below shows a header and some checkboxes because we are looking at the User Management page from one of the Project Templates.
- To add a new user, put the Designer in Preview Mode. Click the green plus icon next to the user section.
- The Add User window will open. At a minimum, enter the Username and Password. All other properties are optional. When finished, click Save.
Click the back button to return to the Users section.
- To add a new role, make sure the Designer is in Preview Mode, and click the green plus icon next to the role.
The Add Role window will open. Enter the name of the new role. Click Save.
Click the back button to return to the Users window.
- Now you can see the user and role that were just added in the User Management window.
Save Failed. You are not authorized...
By default, changes to the system's user source may not be made from this component. This prevents users from locking themselves out of the Gateway, or giving themselves access to the Gateway.
However, this behavior can be overridden from the Gateway by going to the Configure > System > Gateway Settings page and setting the checkbox for the 'Allow User Admin' property. This allows for the administration of the Gateway's system user source from the Designer and the Client. Unless this is enabled, the Vision Module's User Management component is prevented from modifying the Gateway system's selected user source, and you will see an error at the bottom of the component if it is attempted.
Alternatively, you can simply have a separate User Source for the Gateway. This allows you to have a User Source containing all users that should have client access, and a Gateway-specific User Source that allows access to the Gateway and Designer. This would potentially entail changing the System's User Source: Configure > System > Gateway Settings > System User Source in the Gateway Webpage.