We use an IdP for users to log in as general users.
On the other hand, we use an external database for user management: which user has which roles and which privileges.
But it would also be nice to use Ignition's built-in security levels.
I am curious if it is possible to map the currently logged-in user to security levels using a script?
Example:
If the user is "John Doe", set the "UpperManagement" level to True.
Hi Eugene, we have done similar things, just not getting roles from a database but using regex. Have a look at the docs on user attribute mapping: User Attribute Mapping | Ignition User Manual
If you change Roles from Direct to Expression, you can call a gateway-scoped script (so the project that has your script needs to be set as the default gateway scripting project).
We use the expression below:
    runScript(
        "_Kernel.Security.AD.MapRoles", 0,
        {multi-attribute-source:idTokenClaims:roles},
        "arg1",
        "arg2"
    )
and our script looks something like the one below; I have simplified it a bit. We extracted roles using regex and return the cleaned-up roles. This should hopefully give you a good starting point.

    import java.util.ArrayList as ArrayList

    def MapRoles(roles, match_pattern, return_template, flags=0):
        """
        Transform incoming IdP roles into simplified names.
        Must return a java.util.ArrayList of strings (not a Jython list).
        """
        logger = system.util.getLogger("Security.Auth")
        out = ArrayList()
        logger.debug("Given Roles: {}".format(str(roles)))
        if roles is None:
            logger.debug("No Given Roles")
            return out
        # Normalise roles to an iterable (a single claim value arrives as a bare string)
        if isinstance(roles, basestring):
            roles = [roles]
        for r in roles:
            # do something with the role (e.g. match it against match_pattern)
            out.add("SomeNewRole")  # or any custom retrieved roles, can add as many as you want
        logger.info("Mapped Roles: {}".format(str(out)))
        return out
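As an added illustration of the regex mapping the reply describes (this is not the poster's code), the function below fills in the regex step using the same argument shape: the incoming IdP claim values are matched against an allow-list pattern, rewritten with a template built from the pattern's named groups, de-duplicated, and anything that does not match is dropped so an unexpected claim never turns into an Ignition role. The `java.util.ArrayList` import only succeeds inside the gateway's Jython; the fallback to a plain list and the constructed sample claims are assumptions made so the logic runs stand-alone.

```python
import re

# Inside Ignition (Jython 2.7) the mapping must return a java.util.ArrayList;
# outside the gateway (assumption: plain CPython, as in this stand-alone
# example) fall back to a Python list so the same logic can be exercised.
try:
    from java.util import ArrayList  # only available in the gateway's Jython
except ImportError:
    ArrayList = list

try:
    string_types = basestring  # Jython / Python 2
except NameError:
    string_types = str  # Python 3

# Constructed sample: what an IdP might send in an idTokenClaims "roles" claim.
SAMPLE_CLAIM_ROLES = [
    "APP_IGNITION_OPERATOR",
    " APP_IGNITION_SUPERVISOR ",  # stray whitespace from a directory attribute
    "APP_OTHER_ADMIN",            # belongs to another system: must be dropped
    "APP_IGNITION_OPERATOR",      # duplicate claim value
]

def map_roles(roles, match_pattern, return_template, flags=0):
    """
    Keep only claim values that fully match `match_pattern` (an allow-list) and
    rewrite each with `return_template`, a str.format template that may use the
    pattern's named groups. Returns an ArrayList (or a list outside Ignition).
    """
    if roles is None:
        return ArrayList()
    if isinstance(roles, string_types):
        roles = [roles]  # a single claim value arrives as a bare string
    pattern = re.compile(match_pattern, flags)
    mapped = []
    for r in roles:
        m = pattern.match(str(r).strip())
        if m is None:
            continue  # unknown claim: never promote it to an Ignition role
        name = return_template.format(**m.groupdict())
        if name not in mapped:
            mapped.append(name)  # preserve order, drop duplicates
    return ArrayList(mapped)

def mapped_sample():
    """Run the mapping over the constructed sample claims."""
    return list(map_roles(SAMPLE_CLAIM_ROLES,
                          r"^APP_IGNITION_(?P<role>[A-Z_]+)$",
                          "Ignition_{role}"))
```

Wire `map_roles` into the runScript expression in place of the simplified `MapRoles` and pass the pattern and template as the two string arguments.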