AD integration direction needed

We are quickly growing the number of Ignition servers in our company and need to explore AD integration. The requirement is for me to have several Security Groups created, then allow that security group access to the server. Individuals will be placed in the proper AD security group and will have access to Ignition functions based on that Security Group Assignment on the server.

IE: Buffalo_Admin users will get admin access to the Buffalo Ignition server but not Hot Springs. And Global_Admin will be allowed access to every Ignition server.

Can this be done?

Can someone guide me to which type of AD integration I need: AD, AD/Hybrid, or AD/Internal?

In the example of a Buffalo Ignition server, I assume I would make an Admin Role on the server, then assign Buffalo_Admin and Global_Admin AD security groups to that Admin Role??

Any guidance is appreciated.

You can use AD Hybrid. It is easier to implement.

2 possible ways:
1- Have one user group in AD. All the users that need to access any of the Ignition servers must be members of this group. The users list will be the same for all Ignition servers BUT you can still control the access because the roles are saved locally in the Ignition database (one per server).

2- Have one user group in AD per Ignition server. This way, the list of users will be different for each Ignition server.

Easier to implement, harder to maintain if you have a separate IT group. We use straight AD here.

You are correct, sir! We also use a designer role to further limit gateway access.

You are right. My mistake. I meant AD Internal is easier.

Thank you both. I ended up doing pure AD. What I was stuck on was the fact that I then had to go into the gateway, Configure, Gateway Settings, and hand type in the appropriate AD Security group name into the Gateway Config Role, Status Page Role, Designer Role, etc. Seems a bit clunky to me (shouldn’t it query the AD for a dropdown), but once it’s set up properly it will be a lot easier to manage as we start adding more servers.

Thanks again!!
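
An added example, not part of the thread and not Inductive Automation code: because the group names are typed by hand into each gateway's role fields, a small lint run can compare what was typed against the directory's group list and against the per-site rule from the original question (Buffalo_Admin on Buffalo only, Global_Admin everywhere). The group list, gateway names, field contents, the comma-separated field format and the `<Site>_<Role>` naming convention are assumptions or constructed sample data.

```python
import difflib

# Constructed sample data; none of it comes from a real directory or gateway.
AD_GROUPS = ["Buffalo_Admin", "Buffalo_Designer", "HotSprings_Admin", "Global_Admin"]
# Assumption: each role field holds a comma-separated list of AD group names.
GATEWAYS = {
    "Buffalo": {
        "Gateway Config Role": "Buffalo_Admin, Global_Admin",
        "Status Page Role": "Buffalo_Admin, Global_Admins",   # typed with a stray "s"
        "Designer Role": "buffalo_designer",                  # typed in lower case
    },
    "HotSprings": {
        # Buffalo_Admin here would give Buffalo admins access to Hot Springs.
        "Gateway Config Role": "HotSprings_Admin, Global_Admin, Buffalo_Admin",
    },
}

def lint_gateway(site, fields, ad_groups, global_prefix="Global"):
    """Return (field, name, problem) tuples for one gateway's role fields."""
    by_lower = {g.lower(): g for g in ad_groups}
    findings = []
    for field, raw in fields.items():
        for name in (n.strip() for n in raw.split(",")):
            if not name:
                continue
            if name not in ad_groups:
                same_ignoring_case = by_lower.get(name.lower())
                if same_ignoring_case:
                    findings.append((field, name, f"case differs from AD group {same_ignoring_case}"))
                else:
                    near = difflib.get_close_matches(name, ad_groups, n=1)
                    hint = f"; did you mean {near[0]}?" if near else ""
                    findings.append((field, name, "no such AD group" + hint))
                continue
            # Assumed convention: the part before "_" names the site the group is for.
            prefix = name.split("_", 1)[0]
            if prefix not in (site, global_prefix):
                findings.append((field, name, f"group belongs to site {prefix}, not {site}"))
    return findings

def lint_all(gateways, ad_groups):
    """Lint every gateway; returns {site: [findings]}."""
    return {site: lint_gateway(site, fields, ad_groups) for site, fields in gateways.items()}

if __name__ == "__main__":
    for site, findings in lint_all(GATEWAYS, AD_GROUPS).items():
        for field, name, problem in findings:
            print(f"{site}: {field}: {name!r}: {problem}")
```

In practice the group list would come from a directory export and the field values from each gateway's settings; a case-only mismatch is reported separately because whether it matters depends on how the gateway compares names.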

We did AD Hybrid for a few years but are switching to pure AD. It was harder to set up on the IT side (big IT org) but now we can transfer role maintenance responsibility out of Ignition and it needs no special training.

1 Like