Identity Provider Idp Security Level Rules

Say I wanted to give a tag write permissions more complex than I can give with just roles, for example (pseudo-code):

({Authenticated/Roles/Operator} and {Authenticated/Roles/Area_WWTP}) or {Authenticated/Roles/Master}

I assume that I would need to create a custom security level for each of these more complex examples and then configure a Security Level Rule for these in the idp.
The User Manual doesn't mention anything about being able to use logical operators, but can I use something like:

containsAll({user:roles}, 'Operator', 'Area_WWTP')
containsAll({user:roles}, 'Master')


1 Like

This does appear to work :slight_smile:
However, for example, say I had multiple areas (WWTP/Refrigeration/Line1/etc.)and multiple basic privileges (Supervisor/Operator/Engineer/Maintenance/etc). What if I wanted a particular user to be a Supervisor in WWTP but only have Operator level in Line1?
I think I would then need multiple area roles, like WWTP_Operator, WWTP_Supervisor, Refrigeration_Operator, Refrigeration_Supervisor, etc. and I wouldn't then need custom roles defined, unless I'm missing something?

We have multiple roles which I think is similar to your multiple area roles. We use Azure AD where all of the roles are defined (in App Registration). The security groups are defined in the Azure AD Enterprise Application screen and each group has 1 role associated with it. There is a 1 to 1 mapping of a group to a role.


1 Like