Gateway Web Access - System User Source

From the Gateway page in Config >> Security >> General, in the System User Source section you can choose the source of access control for the Designer. In my case I have a group that is based on the AD plus internal management of roles, of the type "AD/Internal Hybrid".
This works fine for access to the Designer, but those same users cannot access the Gateway web.
Only those in the "default" user group.
Is there any way that this other group of "AD/Internal Hybrid" users can access the Gateway web?

Thanks in advance

It's a separate setting for the system user source. Highly recommended that an AD user source for this have soft failover to the original default user source.

Thanks for the answer, so I can't manage web access to the Gateway with a System User Source group?

I don't fully understand your recommendation.

There is a user source setting for the "system" user source, the gateway itself. It is separate from the user source setting for the designer, but works the same way. Yes, you can make a "gateway-admins" group in your AD to manage the gateway.

See if How to create internal account and reset password in AD/Internal Hybrid resources - #2 by Transistor helps.


Thanks for the reply, but I have not been able to get the AD/Internal Hybrid user group working to allow them to log into the gateway.
This is the configuration:

And this one is the default group:

And this is the general configuration

You'll probably need an MS domain expert looking over your shoulder. I don't see anything wrong, other than your soft failover probably not working. (I don't see the default group's Administrators in the permissions list for the gateway sections.) Consider opening a support ticket.

The curious thing is that the domain user validation for the "OT domain" group does work to log in to the Designer. I monitor the traffic from the Ignition server to the AD and there are only name/password resolution requests against the AD when I log in to the designer but not when I try to log in from the Gateway with a domain user. I'm a bit confused. Thanks anyway for your help!

What do you have for the System Identity Provider? It's the top entry in Security -> General.


I finally figured it out. I had to modify the "User Source" of the "Provider Configuration" within the "Identity Providers" options of the:

In the general security options I had to change the "Designer Authentication Strategy" from "Classic" to "Identity Provider".

Now the OT Domain users can access both the Gateway (depending on the Role they can see Home, Status or Config) and also the Designer.

What is not clear to me is what would happen if the authentication against the AD fails. Supposedly I have configured the User Source "OT domain" to validate against the "default" (in which I have an admin user) in case of failure. I have set the failure mode to "Soft", but maybe it should be set to "Hard".

Thank you very much for your help!