Users and roles are stored in a single location. The single-storage users sources are:
- Internal Authentication - Users and roles are stored internally to Ignition.
- Database Authentication - Users and roles are stored in a SQL database. Managing users is done via direct interaction with the database.
- Active Directory Authentication - Users and roles are managed by Active Directory. Users are authenticated through the LDAP protocol.
Users in hybrid user sources authenticate against Active Directory, meaning that user names and passwords are checked against those stored in Active Directory. However, roles are stored either internally in Ignition or in a SQL database, so it is possible to make a role change without have to contact your Active Directory administrator. This way, Active Directory can be consulted to see if a user is valid, but the management of roles does not require coordination with the IT department, who typically control the Active Directory system. This "best of both worlds" approach is popular for many users of Active Directory.
- Active Directory-Internal Hybrid - Users managed by Active Directory and roles stored to Ignition internally.
- Active Directory-Database Hybrid - Users managed by Active Directory and roles stored in an SQL database.
This User Source was developed specifically for a system that is using Local Client Fallback, and allows you to cache the login credentials from a remote user source. This means your users can still log in with their normal username/password on a Local Client Fallback project, even when the network connection is unavailable.
More information can be found on the Fallback Cache Authentication page.
Creating a User Source
All of the described User Source types can be created by navigating to the Config > Security > Users, Roles section of the Gateway. To begin the process, select Create new User Source... and choose the User Source type you need. Once you've finished entering the User Source properties, click Create New User Source.
The User Source page also includes a link to Verify a User Source... See the Verify a User on a User Source page for information on how to verify an existing user's profile.
Regardless of type, all User Sources have the following functionality:
- Failover Source: If the User Source is unavailable for authentication, then a backup User Source can be specified. The type of the fail-over User Source can differ from the primary, so configurations where an internal-type fails over to a database-type are possible.
- Schedule Restrictions: The User Source can prevent users from logging in when they are off schedule, meaning that the schedule assigned to the user determines when the user may login.
All User Sources have a section of Main properties that are listed before their unique type properties. Below are the descriptions of the Main properties. See the individual User Source pages for the remaining property descriptions.
|Name||The name of the User Source. This is how other systems in Ignition reference the user source. Note that every User Source must have a unique name.|
|Description||An optional description of the user source. Useful for noting which database connection or AD server the User Source may be referencing.|
Disabling a User Source profile will prevent it from being used completely, including authentication and user/role management. User Sources are enabled by default.
Forces schedule restrictions on users. If true, users are only able to log in when their assigned schedule is active. This means a login will fail for users attempting to log into a client while they are off schedule.
Allows authentication attempts against this User Source to failover to another User Source in the event of a network outage, or some other connection issue. Useful with database or Active Directory user sources, as connection failures to the database/AD server will prevent users from logging in.
This property is initially set to None, meaning a failover User Source is not configured.
When a Failover Source is configured, this property determines when the failover User Source should be consulted. The following options are available:
Hard: The Failover User Source is only consulted when this User Source is unreachable.
Soft: The Failover User Source will be consulted if the user's credentials fail authentication, meaning that the user typed in credentials that are unrecognized or incorrect.
|Cache Validation Timeout|
The amount of time between cache updates of the User Source. If you set this value to -1, the cache validation timeout is turned off.
Lock out a user's account after more than the maximum allowed number of failed authentication attempts occur within the lockout window. Default is true.
Note that access can be restored to all locked out users by editing the user source, and clicking the Save Changes button.
Maximum number of failed authentication attempts allowed within the lockout window before locking the user out. Default is 5. If this value is set to something less than zero (for example, -1), then the lockout functionality will be entirely disabled, regardless of what the Lockout Enabled property is set to.
The duration of the lockout window in minutes. Default is 15. Setting this property to a value of less than zero (for example, -1) will disable the lockout functionality entirely, regardless of what the Lockout Enabled property is set to.
Details on the Password Policy Properties can be found on the Internal Authentication page.
Add a new row under Description upon 8.1.27 release
The Default User Source
When Ignition is installed for the first time, an internal User Source named 'default' is created. You can manage the default User Source by navigating to the Config > Security > Users, Roles section of the Gateway.
The manage users option under the 'default' user source More dropdown allows you to add new users, modify roles and passwords for existing users, remove users, and add/remove roles from the user source.
When you open the 'default' user source for the first time, you will see the first user that was created at installation. This is the administrator account that has full privileges. If this user source has been modified before, a list of existing users is displayed.
Editing a User
Clicking Edit on the User Source > More > manage users page will access the corresponding User Properties page, which allows you to make any necessary changes to that user.
Fill out the fields for that user then click Save Changes.
|Username||The name of the user.|
Check this box to change the existing password.
The password policies set for the internal User Source this user belongs to will be listed under the password field for better requirement visibility when creating user passwords. If any password requirement changes are desired, they must be made to the User Source.
|Password||Re-type password for verification.|
|First Name||First name of the user.|
|Last Name||Last name of the user.|
|Roles||Role(s) assigned to this user. Check the box next to each role you want this user to have.|
|Schedule||Schedule for the user. Choose from a dropdown list of schedules that are already defined.|
|Language||Language to be used for the user. Choose from a dropdown list of languages that are already defined.|
|Any notes for this user.|
A string that represents the value set for the user's badge.
|Type||Choose email or SMS.|
|Value||The email value or SMS number.|