I am creating different user accounts in my Ignition gateway. In the beginning it was easy: every user had one role. In the designer, I could enable/disable all functions based on the security option on the different components. No problems there.
I am in the stage where I want to give multiple roles to one user. Based on the location/laptop the client is logged in from, I want to give him a certain role. For example:
George is an administrator. He has his own desktop and when he logs in, he has the Administrator role.
When George needs to go to a different location, and he logs in on a different computer with the same account, I don’t want to give him the role of Administrator, but only that of an operator.
I know that I can check the hostname/IP address and stuff like that. But I am not sure how I can assign a “lesser” role instead of the Administrator role. I tried working with Security Zones, but I don’t think that this will fix my problem.
I have different Desktops that access the gateway, but only one gateway. The application is made in Vision.
Also, I do not want to shut out Administrator (it was a bad example).
So I give a certain user different roles, and depending on its location, I want to assign it one of the roles that it has in its list.
Ah, I don't know how security works in Vision, haven't used it to that extent there.
You could call up the user roles through a script though, and check if all or any are in a predefined role array…
I'm pretty sure you'll need to set your Vision client to use the Identity Provider auth strategy in order for Roles for a user to actually be recognised by the Security Levels system.
You can configure Security Zones to define your locations based on IP address(es), and then combine that with Security Levels -> Authenticated -> Roles -> e.g. Administrator
I haven't actually used these yet myself, but you can restrict tag writes (and reads) using security zones and/or roles. Just note that I don't think these will "disable" the component the tag is used on, it will simply bring up an error popup if the user doesn't have the right privilege/area, which is one reason I haven't started using these...
You can also supposedly use the hasRole expression function to read the security zone and role from the logged in user.
You'll see my post there saying I couldn't get it working, but I don't think I'd changed my auth strategy to IdP for Vision when I tested it. Actually, this option didn't even exist back in v7.9.4....
What I do currently is bind each component's enabled property to an expression that uses:
hasRole to check if a user has a particular role (administrator, operator, engineer, etc.) and
if I need to restrict by area as well, I add another condition that looks at a vision client tag (or session custom prop) that is defined for each HMI, e.g. [client]Security Zones/Packaging/Filtration/South Wall HMI:
Thank you for your input! If it will bring up an error pop-up, I won’t use it as well.
I am creating something else here so I can store the role in a client tag. Seems to work for now. Then I connect the enabled and visible properties to an expression, similar to what you did.
I was just hoping there would be an easier way. But it has to be done like this, I guess.
I would suggest that you create a client tag for each of your roles, bind them to an expression with hasRole, and then you have the client tags you can reference as Booleans, instead of having to compare strings all the time. It makes more complex expressions simpler and reduces the chance for errors.
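Editor's note: the two approaches above, narrowing a user's roles by client location and then exposing one Boolean client tag per role so enabled/visible expressions stay simple, are modelled in plain Python below so the logic can be run and checked outside a gateway. This is an added example, not code from the thread or from Ignition. The zone ranges, the zone-to-role policy, the tag paths under `[client]Security/...` and the user "George" with the Administrator and Operator roles are all constructed for illustration. In a real Vision client the inputs would come from `system.security.getRoles()` and `system.net.getIpAddress()`, and the results would be written with `system.tag.writeBlocking()` (Ignition 8) from a client startup script; those calls are not used here so the block runs offline.

```python
import ipaddress

# Constructed zone definitions (hypothetical CIDR ranges, not from the thread).
# Ignition's own Security Zones are configured on the gateway; this dict only
# stands in for them so the lookup can run offline.
ZONES = {
    "Engineering Office": ("10.10.1.0/24",),
    "Packaging Floor": ("10.10.20.0/24", "10.10.21.0/24"),
}

# Constructed policy: the roles a user may exercise while the client is in a zone.
# It only removes roles; a role the user does not already hold is never granted.
ZONE_ROLE_POLICY = {
    "Engineering Office": ("Administrator", "Engineer", "Operator"),
    "Packaging Floor": ("Operator",),
}

# Roles that get a Boolean client tag each (hypothetical role names).
KNOWN_ROLES = ("Administrator", "Engineer", "Operator")


def zone_for_ip(client_ip):
    """Return the zone whose ranges contain client_ip, or None if no zone matches."""
    addr = ipaddress.ip_address(client_ip)
    for zone, networks in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in networks):
            return zone
    return None


def effective_roles(user_roles, client_ip):
    """Intersect the roles the user holds with the roles the client's zone allows.

    An unknown location yields no roles (fail closed): a laptop on an
    unrecognised network must not keep Administrator just because the lookup missed.
    """
    zone = zone_for_ip(client_ip)
    allowed = ZONE_ROLE_POLICY.get(zone, ())
    return frozenset(role for role in user_roles if role in allowed)


def role_flags(roles, known_roles=KNOWN_ROLES):
    """One Boolean per role: the shape of the per-role client tags suggested above."""
    return {role: (role in roles) for role in known_roles}


def component_enabled(flags, any_of):
    """Mirror of an enabled-property expression such as
    hasRole("Administrator") || hasRole("Engineer"), evaluated on the flags."""
    return any(flags.get(role, False) for role in any_of)


def client_tag_values(user_roles, client_ip):
    """Everything a client startup script would write to client tags, keyed by tag path."""
    flags = role_flags(effective_roles(user_roles, client_ip))
    values = {"[client]Security/Zone": zone_for_ip(client_ip)}
    for role, held in flags.items():
        values["[client]Security/Roles/" + role] = held
    return values


if __name__ == "__main__":
    george = ("Administrator", "Operator")  # constructed user from the question
    for ip in ("10.10.1.15", "10.10.20.7", "192.168.5.5"):
        flags = role_flags(effective_roles(george, ip))
        print(ip, client_tag_values(george, ip),
              "admin panel enabled:", component_enabled(flags, ("Administrator", "Engineer")))
```

Two things worth keeping in mind if you adopt this pattern. First, the enabled/visible expression only gates the screen: the gateway still authenticated George with every role he holds, so any write that must actually be refused from the packaging floor also needs gateway-side tag security with Security Zones or roles, which (as noted earlier in the thread) surfaces as an error pop-up rather than a disabled component. Second, fail closed on an unrecognised address as the example does; defaulting an unknown location to the user's full role list quietly reintroduces the problem the question is trying to solve.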