1st: Thank you so much for taking the time to elaborate on this…
So, we’re just at PoC stage right now, to see how best we can move over to full AD role management.
The idea is to have a Universal Security group that will only contain all other groups.
We want to have multiple ‘Role level’ groups for a given Ignition server, and to have these groups duplicated for each site where we have or will have Ignition.
End users will be placed in one or more of these role groups, and each role group will be in the ‘All Ignition Users’ group.
We will then filter the users on each Ignition server based on nested membership of this ‘All Ignition Users’ group.
That’s on paper anyway.
Our groups are in global.company.int domain.
Our user accounts are in Europe.company.int, asia.company.int, America.company.int domains.
We plan to have these users as members of the groups that are in the global.company.int domain.
All these are part of our AD Forest, normal trusts etc. in place...
Each domain controller in each of the stated domains is set up as a global catalog server, and we are using port 3268 (soon 3269 with LDAPS) and not 389.
I’ve maybe not described it in a clear enough way, but we are doing (in our PoC, and planning to do in Production) the same as you: users into the role/security groups, and these groups into the main group that I’m then referencing in the User List Filter.
I haven’t done anything (yet) on the role filter to get rid of the ‘irrelevant-to-Ignition’ groups & memberships that all our users obviously have too…
Maybe it’s due to the Global Catalog, or the groups that should be Universal, or Domain Local, something clunky like that…
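As an added example (not code from the original post, nor from Ignition), here is a small Python model of the nesting described above. All DNs, group names and user names in it are constructed. It builds the nested-membership User List Filter with the LDAP_MATCHING_RULE_IN_CHAIN rule and then resolves the chain the way a Global Catalog would, so you can see how the set of matched users changes depending on the role groups' scope and on which domain's GC (port 3268/3269) the query lands on:

```python
"""Nested AD group membership as resolved through a Global Catalog (GC).

Added example; not code from the original post or from Ignition. It models
the design the post describes (per-site role groups nested into one
'All Ignition Users' Universal group in global.company.int, with user
accounts in the regional domains) using a small constructed in-memory
directory, and shows two things worth checking in such a setup:

  1. the LDAP filter that matches users by nested (transitive) membership
     of the top-level group, using the LDAP_MATCHING_RULE_IN_CHAIN
     extensible-match rule (OID 1.2.840.113556.1.4.1941);
  2. why group scope matters on port 3268/3269: a GC holds the full
     'member' attribute only for groups of its own domain and for Universal
     groups from other domains, so a Global or Domain Local group in the
     chain is invisible to a GC in another domain and the nesting stops there.

All DNs, group names and user names below are constructed for the example.
"""
from dataclasses import dataclass, field

# AD extensible-match rule for transitive (nested) group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


@dataclass
class Group:
    dn: str
    scope: str                                   # "Universal", "Global" or "DomainLocal"
    members: set = field(default_factory=set)    # DNs of users and of nested groups


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def nested_member_filter(group_dn: str) -> str:
    """User List Filter matching users who are direct or nested members of group_dn."""
    return "(&(objectCategory=person)(objectClass=user)(memberOf:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


def domain_of_dn(dn: str) -> str:
    """DNS domain from the DC= components of a DN (assumes no escaped commas)."""
    dcs = [rdn.split("=", 1)[1] for rdn in dn.split(",") if rdn.strip().upper().startswith("DC=")]
    return ".".join(dcs).lower()


def effective_members(directory, group_dn, gc_domain):
    """Resolve nested membership the way the chain rule would on a GC in gc_domain.

    A group's membership is visible if the group lives in gc_domain (full
    replica) or if the group is Universal (membership replicated to every GC).
    Otherwise the GC has no 'member' values for it and the walk stops.
    """
    seen, users, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue                       # also protects against circular nesting
        seen.add(dn)
        group = directory.get(dn)
        if group is None:
            continue
        if group.scope != "Universal" and domain_of_dn(dn) != gc_domain:
            continue                       # membership not replicated to this GC
        for member in group.members:
            if member in directory:
                stack.append(member)       # nested group: keep walking
            else:
                users.add(member)          # leaf: a user DN
    return users


# Constructed directory: groups in global.company.int, users in regional domains.
ALL_USERS = "CN=All Ignition Users,OU=Groups,DC=global,DC=company,DC=int"
ROLE_EU1 = "CN=Ignition Operators - Site EU1,OU=Groups,DC=global,DC=company,DC=int"
ROLE_ADMINS = "CN=Ignition Admins,OU=Groups,DC=global,DC=company,DC=int"
USER_EU = "CN=alice,OU=Users,DC=europe,DC=company,DC=int"
USER_GLOBAL = "CN=carol,OU=Users,DC=global,DC=company,DC=int"

CONSTRUCTED_DIRECTORY = {
    ALL_USERS: Group(ALL_USERS, "Universal", {ROLE_EU1, ROLE_ADMINS}),
    ROLE_EU1: Group(ROLE_EU1, "Universal", {USER_EU}),
    # Global scope: only global.company.int accounts can be members, and its
    # membership is NOT replicated to the GCs of the other domains.
    ROLE_ADMINS: Group(ROLE_ADMINS, "Global", {USER_GLOBAL}),
}


def gc_view_differences(directory=CONSTRUCTED_DIRECTORY, group_dn=ALL_USERS):
    """Users seen from each domain's GC; a mismatch between domains flags a scope problem."""
    domains = ("global.company.int", "europe.company.int", "asia.company.int")
    return {d: sorted(effective_members(directory, group_dn, d)) for d in domains}


if __name__ == "__main__":
    print(nested_member_filter(ALL_USERS))
    for domain, found in gc_view_differences().items():
        print("GC in %-20s -> %s" % (domain, found))
```

Running it shows carol only from the global.company.int GC, while alice appears everywhere: an Ignition server in europe.company.int bound to its local GC would silently lose the members of any non-Universal group in the chain, which is the symptom to look for when a nested filter "works on one site but not another".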