Attach Security Zone to User

I’m having a hard time understanding the Security Level and Zones with Identity providers.

I can’t seem to add a security zone to a user.
In the perspective session I am displaying the session property securityLevels and it is blank for the Security Zones value.
How do values populate into that session property?

Security Zones and Security Levels are different things entirely.

Security Zone: Typically assigned to a user based on a bucket into which their IP address falls, or based on some network setting. I think of Security Zones as a way of saying “the user is within X subnet”, or “the user is on the same machine as the Gateway”.

Security Level: These are actually attached directly to users and will be present within the session properties at session.props.auth.securityLevels. I think of Security Levels as a way of saying “this user is an Administrator”, and I also use Security Levels to define what roles mean for users. For example, I have an Operator role in addition to an Administrator role. I have a Security Level configured and I’ve set up rules so that any user who is an Operator and/or Administrator receives the HMIOperator Security Level. My input components are then disabled if the user does not have the HMIOperator Security Level. Security Levels MAY have rules assigned based on the security zone of the user, but note that in such a scenario you are still using a Security LEVEL, which is based on a Security ZONE.

How do you add security levels to users? I only see how you add roles to users.

I want to have two security levels, one called ReadWriteAccess and one called ReadOnlyAccess. I want every user to be given ReadOnlyAccess when they log in, but when they want control access they will have to authenticate using MFA. Once they authenticate there, they will be granted ReadWriteAccess.

Will I be able to achieve this using the security levels? Or should I just use a custom session property and do an if statement to check if that custom property has ReadWriteAccess before I do any writes?

I will have a ReadOnly tag provider and ReadWrite tag provider so that is why I wanted to change the security zone of the user after the login using MFA.

Please review this documentation which covers how to add rules to groups of users, or how to set a rule which users could fall into given some sort of condition.

Is authentication enough? Or do you REQUIRE that they go through the MFA? If authentication is enough, you could just verify the user is authenticated via the session property at session.props.auth.authenticated. If you require something from the IdP, then you want to study the Special Object Reference area in-depth.

Can you change the security level a user receives after logging in?
I want to use the security settings on buttons to check if a user has a certain role to perform that action.

You can’t write to the session.props.auth.securityLevels array if that’s what you’re asking; it’s a “system” property and therefore read-only. Off the top of my head I can’t think of any way to directly modify Security Levels in Perspective, so you can’t change the rules to include your user. You could in theory change the roles attached to the user while in a running session, and that should result in a re-evaluation of that user’s Security Levels. I fail to understand why you would want to modify a user’s Security Levels at runtime though; Security Levels should almost always be applied by specified rules, and a user either receives a level or they do not based on those rules.

Could you provide a detailed example of what rules would define who gets to use this button? Perhaps I could show you a better way to determine all of this.

I’m considering a case where every 5 logins, or where it’s a new type of device a client is using, I require MFA. Then the next time they log in, MFA is not required immediately. This user will now have read only access. When they want writable access (control) they have to re-authenticate using MFA.

If the user uses a new device and/or it’s their 5th time to log in, then immediately upon login require MFA. Then they will have write access upon login.

I want every user to be authenticated, period. Then they would need to have a certain security level to do certain things. All the examples in webinars show a public access with an unsecure button which they can press. Then there is another secure button they can’t press until they have the security level authenticated.

Requiring the user to complete MFA is a requirement/configuration of the IdP, and since it is managed by the IdP, it should be available within the object supplied by the provider. If you investigate the Identity Provider section within the configuration of the Gateway, you can do a Test Login.

See Configure > Security > Identity Provider. Once there, select the “More” dropdown and select “Test Login”. Complete the steps for login and upon completion you’ll arrive on a page which includes not only the user’s authentication object, but a list of the attribute mappings and Security Levels which are attached to the user based on their authentication.

The returned object should have some sort of property which specifies whether the login attempt included MFA. This attribute could be used as part of the rules to determine a Security Level. If you need to force a user to re-authenticate for some reason, any authentication should result in a re-evaluation of a user’s Security Levels.

I want to use the Ignition Identity Provider, it’s easier to deal with. For MFA, every user will have an SMS for their user account. When I require MFA, whether that’s on login from a new device, X amount of logins, etc., I would use the Ignition scripting function system.twilio.sendSms to send the code for MFA.

If they log in from a familiar device or less than X times, then no MFA on login. As soon as they want to access a screen or run a control action, then they will be redirected to the MFA screen I build in Ignition which has the button to send them an SMS message to input into the MFA screen to get that ReadWrite Role.

Consider using a session property to hold your MFA status / timestamp. Check that everywhere necessary. You won’t be able to use Security Zones for this, I don’t think.
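One way to model the custom-session-property approach suggested here, as an added example that is not from the thread or from Ignition’s API: the session is a plain dict standing in for session.props.auth and session.custom, the 5-login / new-device MFA policy and the ReadOnlyAccess / ReadWriteAccess names come from the thread, and the hypothetical mfaVerifiedAt property and the STEP_UP_TTL_S expiry value are assumptions.

```python
# Step-up MFA gate modelled outside Ignition. The ``session`` dict stands in for
# session.props.auth (read-only in Perspective) and session.custom (writable).
# mfaVerifiedAt, loginCount and STEP_UP_TTL_S are assumed names/values.

STEP_UP_TTL_S = 15 * 60   # assumed: how long a completed MFA keeps ReadWriteAccess
MFA_EVERY_N_LOGINS = 5    # thread's policy: force MFA on every 5th login


def new_session():
    """Fresh, unauthenticated session with no custom properties set."""
    return {"auth": {"authenticated": False}, "custom": {}}


def mfa_required_at_login(login_count, device_known):
    """MFA at login on an unfamiliar device or on every 5th login; otherwise not."""
    return (not device_known) or (login_count % MFA_EVERY_N_LOGINS == 0)


def on_login(session, device_known):
    """Simulate a login: count it, mark authenticated, and drop any earlier step-up
    so every login starts at read-only. Returns whether MFA must run right now."""
    session["custom"]["loginCount"] = session["custom"].get("loginCount", 0) + 1
    session["auth"]["authenticated"] = True
    session["custom"].pop("mfaVerifiedAt", None)
    return mfa_required_at_login(session["custom"]["loginCount"], device_known)


def record_mfa_success(session, now):
    """Store the step-up timestamp in a custom property; auth.securityLevels itself
    cannot be written from a script, so the status has to live here."""
    session["custom"]["mfaVerifiedAt"] = now


def effective_level(session, now):
    """Level the session should be treated as having at time ``now`` (epoch seconds)."""
    if not session["auth"]["authenticated"]:
        return None
    verified_at = session["custom"].get("mfaVerifiedAt")
    if verified_at is not None and 0 <= now - verified_at <= STEP_UP_TTL_S:
        return "ReadWriteAccess"
    return "ReadOnlyAccess"


def write_allowed(session, now):
    """Check to run before every tag write or control action: an expired or missing
    step-up silently degrades the session to read-only instead of failing open."""
    return effective_level(session, now) == "ReadWriteAccess"


if __name__ == "__main__":
    s = new_session()
    print("MFA at login:", on_login(s, device_known=True))
    print("level after login:", effective_level(s, 1000))
    record_mfa_success(s, 1000)
    print("write allowed 1 min later:", write_allowed(s, 1060))
    print("write allowed after TTL:", write_allowed(s, 1000 + STEP_UP_TTL_S + 1))
```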

Yep, that’s what I was thinking but was hoping I could achieve this with the built-in security on views and actions.