Security options in Ignition provide many ways to safeguard your data and applications. You control not only who accesses your systems, but when and where they can access them. You can add as many user sources as you need. For users, you can store detailed information beyond just a user name and password, such as schedules, roles, and phone numbers. At the core of Ignition's security are users and their roles.

At its simplest, setting up security in Ignition follows this pattern:

  1. Have a user source for logging in (one or more users).
  2. Set up roles that define the types of access users may need (for example, Administrator, Supervisor, Operator, or Guest).
  3. Establish security on Ignition Projects, the Gateway, the Designer, Vision components, Perspective Views, and so forth.
  4. Assign roles to the individual users.

The diagram below illustrates how Perspective and Vision access user sources and shows some of the differences between Federated IdPs, external AD authorization, and internal Ignition authorization. A few notable points:

  • Vision clients only use User Sources. Roles in Vision clients are automatically pushed into the Designer.
  • The Perspective module gets users and roles from an IdP. Roles must then be set up as Security Levels in order to be available to the security screens in the Designer.
  • Perspective sessions can be made available to all users (Security Level - Public) or set to require user authentication.

Security Setup

Security in Ignition falls into a few categories, and the bulk of the setup happens in the Gateway Webpage. Under Security in the Config section of the Gateway Webpage, you'll find pages for authentication, role mappings, and zones. 

User Sources

  • User Sources can be created and stored in Ignition, or they can read user information from an external database or from an Active Directory (AD) profile.
  • In Ignition 8.0 with the Perspective module, users can also come from Ignition's internal Identity Provider (IdP) or from an external IdP using trusted federated identity technologies such as OpenID Connect or Security Assertion Markup Language (SAML).

Roles and Security Levels

Project and Component Security

Gateway Security 

  • The primary purpose of Gateway security is to protect access to the two most critical areas of Ignition: the Designer and the Gateway. Many important resources are configured in these areas, so access to each Gateway section (Status and Config), as well as the Designer, can be limited by role.  

  • Through the Gateway security settings you can also choose to use Secure Sockets Layer (SSL), a widely adopted encryption protocol used all over the world.

  • Through the Gateway you can also set up Audit Profiles, which cause Ignition to record details about specific events that occurred. For more information, see Project Auditing and Alarm Notification Auditing.

Security with User Sources

Role-based security works under the concept that each user may be assigned to various roles. Security policies are then defined in terms of these roles, rather than for specific users. An example of roles could be an Administrator role that has access to the Designer and the client or session, or an Operator role that has access only to windows or views that pertain to the operator's job. Roles allow users to be reassigned, removed, and added without affecting the logic of the security policy.

The users and their roles are stored in User Sources. An Ignition Gateway may have many different User Sources defined, each governing the security of different aspects of the Gateway. For example, logging into the Gateway might be governed by one User Source, while the security in a project is governed by another. The example below shows the Users and Roles screen after user "Arthur" has been updated.

There are several types of User Sources that offer various features. For example, the Internal User Source offers the ultimate in ease-of-use: you simply define the users, their passwords, and the roles within the Ignition Gateway configuration web interface. In contrast, the Active-Directory User Source offers the power of integrating Ignition with a corporate security infrastructure. Users, passwords, and roles would be managed centrally by the IT department.

Security with Identity Providers

Identity Providers and Security Levels are currently only available for use with the Perspective module.

Identity Providers (IdPs) offer user authentication as a service. An IdP creates, maintains, and manages identity information for principals while providing authentication services to relying party applications within a federation or distributed network. Authentication of the user is handled by the IdP. Ignition can connect to these three different types of IdPs: 

  • Ignition's internal IdP
  • OpenID Connect 1.0
  • Security Assertion Markup Language (SAML)

IdPs are set up at the Gateway level. Security Levels are also set through the Gateway. The Security Levels enable you to define a hierarchy of access inside a Perspective Session.
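The flow described in the role-based security and Security Levels sections above (IdP roles mapped on the Gateway to Security Levels, which form a hierarchy that a Perspective view can require), modeled as an added Python example; this is not Ignition's API or code. The slash-separated level paths, the sample role-to-level mapping, the rule that holding a level implies its ancestors, and the "all required levels must be held" check are assumptions of this model.

```python
"""Illustrative model of role-based access with hierarchical Security Levels.

Added example, not Ignition's own code. Level paths, the role mapping,
the ancestor rule and the all-required check are modeling assumptions.
"""

# Constructed role -> Security Level mapping (what the Gateway would hold).
ROLE_TO_LEVEL = {
    "Administrator": "Authenticated/Roles/Administrator",
    "Supervisor": "Authenticated/Roles/Supervisor",
    "Operator": "Authenticated/Roles/Operator",
}


def ancestors(level):
    """Return the level plus every ancestor path, so that holding
    'Authenticated/Roles/Operator' also grants 'Authenticated/Roles'
    and 'Authenticated' (assumed hierarchy rule)."""
    parts = level.split("/")
    return {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}


def session_levels(idp_roles, authenticated=True):
    """Compute the Security Levels granted to a Perspective session.

    Every session holds 'Public'. An authenticated session also holds
    'Authenticated' and the level mapped from each IdP role. Roles with
    no mapping grant nothing, so a new role appearing at the IdP does
    not widen access until it is deliberately mapped on the Gateway.
    """
    levels = {"Public"}
    if not authenticated:
        return levels
    levels.add("Authenticated")
    for role in idp_roles:
        mapped = ROLE_TO_LEVEL.get(role)
        if mapped:
            levels |= ancestors(mapped)
    return levels


def can_access(required_levels, granted_levels):
    """A view is accessible only if the session holds every required level."""
    return set(required_levels) <= set(granted_levels)


if __name__ == "__main__":
    operator = session_levels(["Operator"])
    print(can_access(["Authenticated/Roles/Operator"], operator))       # True
    print(can_access(["Authenticated/Roles/Administrator"], operator))  # False
    print(can_access(["Authenticated"], session_levels([], False)))     # False
```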