AD/Internal Role Storage

I had a question come up today about what would happen in the following scenario:
We are using the AD/Internal Hybrid setup.

  • A user is given roles to access different parts of the system
  • The user is no longer employed with the company and has their LDAP account deactivated
  • In 6 months, he is hired back on in a different role, and has his LDAP account re-activated
  • What permissions would he have in the Ignition system at this point? Would it be the same access he had before? Or would it start from scratch?

Thanks to anyone who can help with this, I haven’t been able to come up with an answer for this.

If you’re using AD/Internal, then unless you specifically go in and delete the configured user/roles, once the user comes back they will have the exact same roles as they previously did.

The AD/Hybrid user source types use Active Directory for authentication but not authorization - see this page for more information on the (crucial) difference between the two: https://stackoverflow.com/questions/6556522/authentication-versus-authorization. You must use a full Active Directory user source if you want to use Active Directory as the only ‘source of truth’ about user access.

That is what I thought, thanks for the confirmation!

Would there be any way to go through and periodically remove roles from users that no longer exist in the AD source?

Not trivially - we don’t really expose that list of users directly through scripting, and if you’re not a full AD user source we’re also not pulling back any other information about them (i.e., whether they’re enabled).

This might fall into something that will indirectly be improved by our planned expansion of identity provider support into Vision and the gateway itself in the future, but that’s a ways off at present.
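The periodic clean-up asked about above, as an added example that is not part of this thread or of Ignition itself: a Python reconciliation of an exported internal user/role table against an exported list of AD accounts, flagging role holders whose account is disabled or gone. The export formats, usernames and role names are assumptions; all values are constructed.

```python
# Added example (not Ignition's own code): reconcile the gateway's internally stored
# role assignments against Active Directory account state. Both inputs are exports the
# operator produces themselves; all values below are constructed sample data.
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # bit in the AD userAccountControl attribute

@dataclass
class AdAccount:
    sam_account_name: str
    user_account_control: int

    @property
    def enabled(self) -> bool:
        return not (self.user_account_control & ACCOUNTDISABLE)

# Constructed export of the internal user/role table: username -> roles
INTERNAL_ROLES = {
    "jsmith": {"Operator", "Administrator"},
    "mjones": {"Operator"},
    "contractor1": {"Viewer"},
    "svc_reports": {"Viewer"},
}

# Constructed ldapsearch result for sAMAccountName and userAccountControl.
# 512 = NORMAL_ACCOUNT; 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
AD_ACCOUNTS = [
    AdAccount("JSmith", 514),       # former employee, account disabled
    AdAccount("mjones", 512),
    AdAccount("svc_reports", 512),
    # contractor1 has been deleted from AD entirely
]

def find_stale_assignments(internal_roles, ad_accounts):
    """Return {username: reason} for role holders disabled or missing in AD.
    sAMAccountName comparison is case-insensitive, as in AD itself."""
    by_name = {a.sam_account_name.lower(): a for a in ad_accounts}
    stale = {}
    for user in internal_roles:
        account = by_name.get(user.lower())
        if account is None:
            stale[user] = "not found in AD"
        elif not account.enabled:
            stale[user] = "AD account disabled"
    return stale

def revocation_plan(internal_roles, ad_accounts):
    """Sorted (username, role, reason) tuples for an operator to review and remove."""
    stale = find_stale_assignments(internal_roles, ad_accounts)
    return sorted((u, r, stale[u]) for u in stale for r in internal_roles[u])
```

Run it on a schedule while the account is still disabled; once a returning user's account is re-enabled, the check can no longer tell stale roles from current ones.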

OK. Thanks for your help on this - it is very much appreciated.