How to Group Roles into a Custom Security Level in Ignition?

Hi Everyone,

I've been working on setting up security settings similar to what PlantPAx uses (not exactly the same, but along the same lines).

My goal is to define multiple roles, such as:

  • HMI_Operators (A)
  • HMI_Operating Supervisor (B)
  • HMI_Maintenance (C)
  • HMI_Maintenance Supervisor (D)
  • HMI_Engineering (E)
    ...and so on.

In addition to these, I want to create a custom role (or security tag) — for example, AlarmAck — that includes roles C, D, and E (i.e., HMI_Maintenance, HMI_Maintenance Supervisor, and HMI_Engineering).

The idea is to simplify HMI authorization logic. So instead of writing something like:

isAuthorized(true, "Authenticated/Roles/HMI_Maintenance", 
                  "Authenticated/Roles/HMI_Maintenance_Supervisor", 
                  "Authenticated/Roles/HMI_Engineering")

…I would like to just use:

isAuthorized(true, "Authenticated/AlarmAck")

To do this, I tried creating a custom security level called AlarmAck and added security level rules with the following expression:

However, when I test isAuthorized(true, "Authenticated/AlarmAck"), it always returns false, indicating that I don’t have the required access.

Am I doing something wrong in how I'm setting up the security level rules?
Is there a better or easier way to implement this type of role grouping in Ignition?

Thanks in advance!

(Sorry for the late reply…)

I prefer to make Ignition Security Levels which match AD groups 1:1, and enforce that preference. This is done to avoid future handcuffs, especially when adding new projects with new roles to our ecosystem. Your experience may differ…
If you opt for 1:1, one option might be to also create an AlarmAck AD group which contains the other groups as members. Some IT personnel resist that temptation, which is why…
For things like AlarmAck priv (if I recall correctly), I utilize an array tag on each (default) tag provider, with each element containing the Ignition-mapped roles listed therein, and reference that array tag in the isAuthorized expression, with a default value (via coalesce) of false.

Nothing jumped out at me, so I'd recommend that you use the Test Login feature on the same IDP that your project is using, then verify the roles and mappings there before jumping into the runtime application.

2 Likes
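The role-list approach from the reply above, sketched as an added plain-Python model (not Ignition's API and not either poster's code): a group name expands to security level paths, an unknown group fails closed like the coalesce-to-false default, and an audit flags member paths that name no defined role. Assumptions: `DEFINED_ROLES`, `GROUPS`, `audit_groups` and `group_authorized` are hypothetical names, the data is constructed from the names in the question, and `is_all_of` mirrors the first argument of `isAuthorized` (true requires every listed level, false requires at least one).

```python
# Added illustration: plain-Python model, not Ignition's own API.
# All names and values below are constructed from the names used in the question.
DEFINED_ROLES = {
    "HMI_Operators", "HMI_Operating Supervisor", "HMI_Maintenance",
    "HMI_Maintenance Supervisor", "HMI_Engineering",
}
ROLE_PREFIX = "Authenticated/Roles/"

# Stands in for the array tag: one list of security level paths per group.
GROUPS = {
    "AlarmAck": [
        "Authenticated/Roles/HMI_Maintenance",
        "Authenticated/Roles/HMI_Maintenance_Supervisor",  # spelling used in the expression
        "Authenticated/Roles/HMI_Engineering",
    ],
}


def audit_groups(groups=GROUPS, defined=DEFINED_ROLES):
    """Return (group, path) pairs whose path does not name a defined role."""
    bad = []
    for name in sorted(groups):
        for path in groups[name]:
            role = path[len(ROLE_PREFIX):]
            if not path.startswith(ROLE_PREFIX) or role not in defined:
                bad.append((name, path))
    return bad


def group_authorized(group, granted, is_all_of=False, groups=GROUPS):
    """Check a user's granted level paths against a group; fail closed."""
    members = groups.get(group) or []
    if not members:
        # Unknown or empty group authorizes nobody (the coalesce-to-false default).
        return False
    hits = [path in granted for path in members]
    return all(hits) if is_all_of else any(hits)


if __name__ == "__main__":
    # Constructed user holding the supervisor role as spelled in the role list.
    granted = {"Authenticated", "Authenticated/Roles/HMI_Maintenance Supervisor"}
    print(audit_groups())
    print(group_authorized("AlarmAck", granted))
```

Running the audit whenever the role list changes surfaces a member path that can never match before it shows up as a silent denial at runtime.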