Users in hybrid user sources authenticate against Active Directory, meaning that user names and passwords are checked against those stored in Active Directory. However, roles are stored either internally in Ignition or in a SQL database, so it is possible to make a role change without having to contact your Active Directory administrator. This way, Active Directory can be consulted to see if a user is valid, but the management of roles does not require coordination with the IT department, which typically controls the Active Directory system. This "best of both worlds" approach is popular for many users of Active Directory.
This User Source was developed specifically for a system that is using Local Client Fallback, and allows you to cache the login credentials from a remote user source. This means your users can still log in with their normal username/password on a Local Client Fallback project, even when the network connection is unavailable.
More information can be found on the Fallback Cache Authentication page.
Regardless of type, all User Sources have the following functionality:
All User Sources have a section of properties that are categorized as "Main". Below is a description of these properties.
|Name||The name of the User Source. This is how other systems in Ignition reference the user source. Note that every User Source must have a unique name.|
|Description||An optional description of the user source. Useful for noting which database connection or AD server the User Source may be referencing.|
|Schedule Restricted||Forces schedule restrictions on users. Specifically, if a user attempts to log into a client while they are off schedule, the login will fail. Utilizes User Schedules.|
Allows authentication attempts against this User Source to failover to another User Source in the event of a network outage, or some other connection issue. Useful with database or Active Directory user sources, as connection failures to the database/AD server will prevent users from logging in.
This property is initially set to None, meaning a failover User Source is not configured.
When a Failover Source is configured, this property determines when the failover User Source should be consulted. The following options are available:
Hard: The Failover User Source is only consulted when this User Source is unreachable.
Soft: The Failover User Source will be consulted if the user's credentials fail authentication, meaning that the user typed in credentials that are unrecognized or incorrect.
|Cache Validation Timeout||The amount of time between cache updates of the User Source. This property can be disabled if set to a number less than zero.|
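The Hard and Soft failover modes described above differ in which accounts can log in while the primary User Source is healthy. The following Python model is an added example, not Ignition code: `UserSource`, `authenticate`, `build_sample` and the sample accounts are hypothetical, and it assumes Soft mode also fails over when the primary source is unreachable.

```python
# Added model of the failover decision; every name here is hypothetical, not an Ignition API.
from dataclasses import dataclass
from typing import Optional


class SourceUnreachable(Exception):
    """The user source could not be contacted (AD or database outage)."""


@dataclass
class UserSource:
    name: str
    users: dict                       # username -> password, constructed sample data
    reachable: bool = True
    failover: Optional["UserSource"] = None
    failover_mode: str = "Hard"       # "Hard" or "Soft"

    def check(self, username, password):
        """Validate credentials against this source only."""
        if not self.reachable:
            raise SourceUnreachable(self.name)
        return self.users.get(username) == password   # plaintext only to keep the model short


def authenticate(source, username, password):
    """Return the name of the source that accepted the login, or None."""
    try:
        if source.check(username, password):
            return source.name
        primary_down = False
    except SourceUnreachable:
        primary_down = True
    backup = source.failover
    if backup is None:
        return None
    # Hard: consult the failover source only when the primary is unreachable.
    # Soft: also consult it when the primary rejected the credentials.
    # Assumption: Soft still fails over on an outage, as Hard does.
    if not primary_down and source.failover_mode != "Soft":
        return None
    try:
        return backup.name if backup.check(username, password) else None
    except SourceUnreachable:
        return None


def build_sample(mode, ad_up=True):
    """Constructed setup: an 'ad' source backed by an 'internal' failover source."""
    internal = UserSource("internal", {"admin": "local-pw"})
    return UserSource("ad", {"alice": "ad-pw"}, ad_up, internal, mode)
```

In Soft mode every account in the failover source is a valid login at all times, not only during an outage, so its passwords need the same care as those in the primary source.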
When Ignition is installed for the first time, an internal User Source named 'default' is created. This User Source contains the 'admin' user, and the Gateway uses this User Source as the system user source, so that users can initially log into the Gateway. You can manage the default User Source by navigating to the Configure > Security > Users, Roles section of the Gateway. The manage users link will allow you to add new users, modify roles and passwords for existing users, remove users, and add/remove roles from the user source. Choosing to edit a user will bring you to the following page allowing you to make any necessary changes to that user.
After installing Ignition, it is highly recommended to change the password for the admin user. The default user credentials to access the Gateway are public knowledge, and are not fit for a production environment.
Alternatively, the admin user could be deleted, but a new user with the 'Administrator' role should be created first so that you will not be locked out of the Gateway. If you do get locked out, the Gateway Control Utility can be used to recreate the admin user.
With potentially multiple User Sources defined, you need to understand which User Sources are controlling which aspects of Ignition. To determine what kind of User Source is governing what, do the following: