Active Directory Authentication - User List Filter

Hello - we are using Active Directory authentication with groups. We have a broad User Listing Base and then a very specific User List Filter that allows only one or two groups. While we see only the members of those groups to assign roles, anybody that is part of the user listing base is able to authenticate against the profile - whether their part of the group or not.

Is this the expected behavior? Our assumption was that you would only be able to authenticate if you were part of the User List Filter.

There's a couple of open questions here...
If you are using Hybrid Active Directory then yes, authentication is done by AD but Ignition permissions are set on the gateway in Security/General where you enter the groups that have access to the designer, configuration and status. Next, you need to edit users and add them to the Ignition groups where they belong. Then in your application, you set the permissions based on the Ignition groups you've defined on the gateway.

If you are using Active Directory (not hybrid) then the Security/General still sets permissions on the gateway. In your application, you set the permissions based on the Active Directory group names defined in AD. Also note that this is case sensitive so match the AD names exactly.

We are using the Hybrid Active Directory. So just to clarify my understanding:

  • All users in the "User Listing Base" can authenticate but will not (and can not) have any roles
  • All users in the "User List Filter" can have roles assigned to them

So if we use a Hybrid AD user source as the primary authentication for a project, we should be very careful that every secured action requires at least a role, not just that they are authenticated.

When you use Hybrid, authentication is done with Active Directory but the groups and group membership is all in the gateway.
AD says if the user credentials are good or bad.
If the credentials are good, then it is handed off to Ignition to associate the Ignition user with Ignition roles.
If you want use the AD roles to manage permissions in Ignition, you'll need to move from Hybrid to full Active Directory.
You can see the effective roles that a user gets when you "Verify User Source". If the roles are listed when you Verify, then those roles can be applied within applications to grant or deny permissions.

In other words, with a hybrid:
AD is in charge of authentication
Ignition (or the DB) is in charge of authorization

2 Likes