Hello everyone,
We want to develop an application that is placed on cloud that should analyze data coming from different plants connected with Gateway Network with a central Ignition on Microsoft Azure.
Each customer can have more than one plant, so we want to configure some users for each customer, after login into Ignition Perspective application, user has to select the plant he wants to see.
At this point, operator can see only certain views based on the selected plant.
Identity Provider is Ignition default.
I thought to do like this:
Create one role for each customer (That equals to the customers)
Create users for each role (Link the users with the customer)
Once operator logs into Perspective application we show the list of plants based on logged user role (only the plants for the logged customer has to be shown) and, when he selects the plant, only some views has to be shown based on selected plant.
Unfortunately this last point seems to be hard to set up, can anyone give me a help?
I like using a database user source for this because you can add a customer_id column to the users table. Then in the application, anywhere that you have customer-specific data you can display it based on the user's assigned customer_id.
You don't really need a database user source but I would recommend using a separate IdP that supports MFA especially if allowing control from the system. Then use a database as a lookup for their roles to limit the plants they can access. Just make sure the roles in the IdP follow some sort of standard naming so you can only filter plants based upon the company roles rather than any role.
The logic and filter based on role of the logged user to show only the specific plants already works.
The complication is that for each plant I want to enable or not views and component.
So is not sufficient make the logic only with role and user but also on the selected plant.
I thought to force security level rule based on selected plant and in the designer set the permissions on views and component but I dont know how to do this
You cannot base security on user-selectable values. Security can only be based on attributes out of the user's direct control, like roles and physical location.
You will have to create your own plant-selection state and drive visibility and/or component enables with bindings. Not with security settings.
I tried and if I bind session.auth to a label seems it is applied correctly
However if I set a view permission to have the same security level rule its not allowed the access
What I need is the possibility for the operator that logs into Perspective application to select a plant from a list (based on the customer, in my case I have set up roles like customers, so each customer can have some users) and then, based on the selected plant, show or not some views
Yes, but how are you defining which views each user can see? I'm assuming you're setting up roles based on what each group of users can see at each plant. This way let's say Alice can see plants A, B, and C as the supervisor role, but plants D, E, and F as only an operator or read only role that can both limit visibility of screens/areas, but also set restrictions on what actions they can take at each plant. Then maybe Bob can only see plants A, B, and C as an operator, but D, E, and F as supervisor. With roles similar to what I listed, you can do all of that.
