Help Getting Started with Ignition Authentication Profiles

Please can you clarify by several examples (post specific names - that will help to understand the idea) the concept of Ignition authentication profiles, roles and users?

There are several places where a developer can choose roles to be qualified to do something:

  • Gateway Settings - Gateway Config Roles
  • Gateway Settings - Status Page Roles
  • Gateway Settings - Home Page Roles
  • Gateway Settings - Designer launching (logging in)

These are based on a comma-separated list of roles which can do that (each role can, this is “OR”).

  • Designer - {ProjectName} - Configuration - Properties - General

This is based on a comma-separated list of roles which can launch the View client (must have ALL the roles, this is “AND”). By default this field is empty, which means everybody can launch the Viewer.

  • Designer - {ProjectName} - {SomeObject} - right click Menu - Security

There is a list of configured roles under the selected AP and some actions which the Roles (“OR” or “AND”?) are allowed or restricted - I don’t know.

It would be great to post several industrial automation specific examples (names) of:

  • Authentication profiles (more authentication profiles for one project is somehow useful?)
  • Roles
  • Users

and say if they are (best practice) defined for the whole IG, or for particular project. If it is common to configure one User into several Authentication profiles etc.

There is some flexibility when you start to configure your authentication within Ignition. I am going to try and do my best to answer your questions. However, some of the answers are going to be rather vanilla because of the numerous ways you may want to configure your authentication.

In the Ignition gateway, you can configure webpages that you would like to give access to. You may have your project on port 80 and connected to the internet, so you might only want to allow users from your company to have access. So for Home, Status, and Configure you can enable authentication. Let's say you have it configured for:

Administrator, Users, Operators

Any individual users that are in those Roles will have access to any of those three web pages after entering their username and password.

Multiple Authentication Profiles can be useful. For instance, if you’re using Active Directory to authenticate your users, and your active directory server is down, you would want to have another authentication profile to fail over to.

When configuring your Roles, think about what Users will be in those Roles and the types of access you want to grant them. These are also the Roles that you can use when configuring security on individual components within a project.

Thank you Greg. I understand that the webpages (Home, Status, Configure) and Designer should be allowed only for the designers (authors, administrators) of the project and maybe some of the pages or Designer even for other qualified people at the location (plant admin, plant industrial control systems architect/maintenance…)
On the other side there are very few people (if any) to deny launching Client (Viewer). Of course even the operators should have their names/passwords to login.
I think that you could distinguish several “levels” of operators by allow/deny particular objects on the Viewer (Client) screen.

But could you name some examples (the more the better):

  • authentication profiles?
  • roles?

of various approaches to design them? Only names of them - that will be self-explanatory for many IG beginners.

I know that you're looking for more specific examples. However, there are many different ways Ignition is used, and because of the diversity of Ignition, there are probably thousands of different examples of how to configure authentication, users, and roles. Each company is going to have its own requirements for how these three things are configured. You are absolutely right when you say that you can distinguish between different levels of roles to enable or disable particular components within a project. That would be a very good way to use the security. Now you just need to build off of that and figure out what role will have more access than another, then figure out what users will be in that role. You could probably draw a tree on a piece of paper, starting at the top with the role that will have complete access to the entire project, let's call it Administration. Then list the individual users that will be in that role. After that is done, move down to the next level and create Supervisor and Maintenance. Now you can place those users in those roles. Think about the types of security that those roles will require and what you would like them to have access to. The next level below that could be Operators, Users, and Guests. These roles may have more security than the other roles above them, and the Guest role could have a generic username/password and everything within the project disabled so they can look but not change anything.

I know this is a rather vanilla answer, but again, there are so many different ways that Ignition can be deployed that there would be an enormous amount of possibilities for configuring authentication, users, and roles.

Here are some additional resources in the quest for authentication and user/role configuration enlightenment:

youtube.com/user/InductiveAu … y=security
inductiveautomation.com/support/ … profil.htm
inductiveautomation.com/support/ … profil.htm
inductiveautomation.com/support/ … icatio.htm
inductiveautomation.com/support/ … on_pro.htm
inductiveautomation.com/support/ … hybrid.htm
inductiveautomation.com/support/ … _users.htm
inductiveautomation.com/support/ … yption.htm
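
The role-list semantics discussed in this thread, worked through as an added example that is not part of the original posts and is not Ignition's own code or API. It assumes the behaviour as the question describes it (gateway page lists are any-of, the project's required-roles list is all-of, an empty list admits everyone), reuses the role names from the role tree in the answer, and the user names and memberships are constructed.

```python
# Added example: a plain-Python model of the role-list semantics described in
# the thread. Nothing here calls Ignition; users and memberships are constructed.

def parse_roles(field):
    """Split a comma-separated role field into a set of trimmed role names."""
    return {r.strip() for r in field.split(",") if r.strip()}

def any_of(user_roles, field):
    """Gateway page fields: holding any one listed role grants access ("OR")."""
    return bool(user_roles & parse_roles(field))

def all_of(user_roles, field):
    """Project required-roles field: the user needs every listed role ("AND").
    An empty field restricts nothing, so everybody may launch the client."""
    return parse_roles(field) <= user_roles

# Constructed users, placed in the roles named in the answer's role tree.
USERS = {
    "alice": {"Administration"},
    "bob": {"Supervisor", "Operators"},
    "carol": {"Operators"},
    "guest": {"Guests"},  # shared look-but-do-not-change account
}

def access_matrix(gateway_fields, client_required, users=USERS):
    """Return {user: set of pages/client the user can reach} for the settings."""
    matrix = {}
    for name, roles in users.items():
        allowed = {p for p, field in gateway_fields.items() if any_of(roles, field)}
        if all_of(roles, client_required):
            allowed.add("Client")
        matrix[name] = allowed
    return matrix

def who_can(matrix, target):
    """Sorted list of users whose allowed set contains the target."""
    return sorted(u for u, allowed in matrix.items() if target in allowed)

# One role list shared by all three gateway pages vs. a list per page.
SHARED = {p: "Administration, Supervisor, Operators" for p in ("Config", "Status", "Home")}
SPLIT = {"Config": "Administration",
         "Status": "Administration, Supervisor",
         "Home": "Administration, Supervisor, Operators"}

if __name__ == "__main__":
    for label, fields in (("shared", SHARED), ("split", SPLIT)):
        m = access_matrix(fields, client_required="")
        print(label, {t: who_can(m, t) for t in ("Config", "Status", "Home", "Client")})
```

Running it prints who reaches each gateway page and the client under both layouts, which makes it easy to see that a shared list gives operators the Config page while an empty required-roles field lets the guest account launch the client.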