Security in Ignition falls into a few categories, and the bulk of the setup happens in the Gateway Webpage. Under Security in the Config section of the Gateway Webpage, you'll find pages for authentication, role mappings, zones, and more.
- User Sources can be created and stored in Ignition, or they can access user info from an external database or from an Active Directory (AD) profile.
- In Ignition 8.0 with the Perspective module, users can also come from Ignition's internal Identity Providers (IdP) or an external IdP using trusted federated identity technologies such as OpenID Connect or Security Assertion Markup Language (SAML).
Roles and Security Levels
- Roles are created and then assigned to users. Roles can be stored in Ignition or roles can be linked to AD Groups.
- In Ignition 8.0 with the Perspective module, Security Levels are established to connect users with roles. Security Levels are assigned to users through Security Level Rules or User Grants.
Project and Component Security
- All Projects have security settings indicating what roles can publish, view, save, delete, or access Project resources.
- In the Vision module, you can set security for managing alarms, editing Tags and a host of other functions. You can also set security on Vision components and windows.
- In Ignition 8.0 with the Perspective module, you can set security on projects and views. You can also set permissions in event Actions.
The primary purpose of Gateway security is to protect access to the two most critical areas of Ignition: the Designer and the Gateway. Many important resources are configured in these areas, so access to each Gateway section (Status and Config), as well as the Designer, can be limited by role.
- Through the Gateway you can also set up Audit Log and Profiles, which cause Ignition to record details about specific events that occurred. For more information, see Project Auditing and Alarm Notification Auditing.
Security with User Sources
Role-based security works under the concept that each user may be assigned to various roles. Security policies are then defined in terms of these roles, rather than defined for specific users. An example of roles could be an Administrator role that has access to the Designer and the client or session, or an Operator role that has access only to the windows or views that pertain to the operator's job. Roles allow users to be reassigned, removed, and added without affecting the logic of the security policy.
The users and their roles are stored in User Sources. An Ignition Gateway may have many different User Sources defined, each governing the security of different aspects of the Gateway. For example, logging into the Gateway might be governed by one User Source, while the security in a project is governed by another. The example below shows the Users and Roles screen after user "Arthur" has been updated.
There are several types of User Sources that offer various features. For example, the Internal User Source offers the ultimate in ease-of-use: you simply define the users, their passwords, and the roles within the Ignition Gateway configuration web interface. In contrast, the Active-Directory User Source offers the power of integrating Ignition with a corporate security infrastructure. Users, passwords, and roles would be managed centrally by the IT department.
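The role-based model described above, as an added conceptual sketch that is not Ignition code or part of the original documentation: each protected area is governed by one User Source and a set of allowed roles, and an access review lists who can currently reach each area. The class names, the User Source names, the role assignments and every user name other than "Arthur" are assumptions made for illustration.

```python
# Conceptual model only: these classes and names are NOT Ignition APIs.
from dataclasses import dataclass, field


@dataclass
class UserSource:
    """A named store of users and the roles assigned to each of them."""
    name: str
    users: dict = field(default_factory=dict)  # username -> set of role names

    def roles_of(self, username):
        return self.users.get(username, set())


@dataclass(frozen=True)
class Area:
    """A protected area, governed by exactly one User Source."""
    name: str
    source: str               # name of the governing User Source
    allowed_roles: frozenset  # the policy names roles, never users


def can_access(area, sources, username):
    # Deny by default: unknown source, unknown user, or no matching role.
    src = sources.get(area.source)
    return bool(src and src.roles_of(username) & area.allowed_roles)


def access_review(areas, sources):
    """Map each area name to the sorted list of users who can reach it."""
    review = {}
    for area in areas:
        src = sources.get(area.source)
        candidates = src.users if src else {}
        review[area.name] = sorted(
            u for u in candidates if can_access(area, sources, u))
    return review


# Constructed sample data (hypothetical sources, users and role assignments).
SOURCES = {
    "gateway_users": UserSource("gateway_users", {
        "arthur": {"Operator"}, "dana": {"Administrator"}}),
    "plant_users": UserSource("plant_users", {
        "arthur": {"Administrator"}, "lee": {"Operator"}}),
}
AREAS = [
    Area("Gateway Config", "gateway_users", frozenset({"Administrator"})),
    Area("Designer", "gateway_users", frozenset({"Administrator"})),
    Area("Project", "plant_users", frozenset({"Operator", "Administrator"})),
]

if __name__ == "__main__":
    for area_name, users in access_review(AREAS, SOURCES).items():
        print(f"{area_name}: {users}")
```

In this sample "arthur" is an Administrator only in the source that governs the project, so he cannot reach Gateway Config or the Designer until his role in `gateway_users` changes; the policy in `AREAS` is never edited.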
Security with Identity Providers
Identity Providers and Security Levels are currently only available for use with the Perspective module.
Identity Providers (IdPs) offer user authentication as a service. An IdP creates, maintains, and manages identity information for principals while providing authentication services to relying party applications within a federation or distributed network. Authentication of the user is handled by the IdP. Ignition can connect to these three different types of IdPs:
- Ignition's internal IdP
- OpenID Connect 1.0
- Security Assertion Markup Language (SAML)
IdPs are set up at the Gateway level. Security Levels are also set through the Gateway. The Security Levels enable you to define a hierarchy of access inside a Perspective Session.