Multiple roles based on location

Hi all,

I am creating different user accounts in my Ignition gateway. In the beginning it was easy: every user had one role. In the designer, I could enable/disable all functions based on the security option on the different components. No problems there.
I am in the stage where I want to give multiple roles to one user. Based on the location/laptop the client is logged in on, I want to give him a certain role. For example:

  • George is an administrator. He has his own desktop and when he logs in, he has the Administrator role.
  • When George needs to go to a different location, and he logs in on a different computer with the same account, I don’t want to give him the role of Administrator, but only as an operator.

I know that I can check the hostname/IP address and stuff like that. But I am not sure how I can assign a “lesser” role instead of the Administrator role. I tried working with Security Zones, but I don’t think that this will fix my problem.
I have different Desktops that access the gateway, but only one gateway. The application is made in Vision.

Any advice on how to do this best?

Thanks in advance!

I think there is an option to set “must have all roles”.

Not sure if it’s good practice to lock out admins based on locations, though…

Edit: seems to be “must match all security levels”.

Maybe I posted this a little bit too soon. Can I try working with security levels? I have no experience with that, but I guess I can do it.


xd, typed at the same time it seems.

Where could I find this option?

Also, I do not want to shut out Administrator (it was a bad example).
So I give a certain user different roles, and depending on their location, I want to assign them one of the roles that they have in their list.

You should be able to find this in every place you put security, xd, like scripts or the views themselves.

So I’m not able to get this done at the moment. I’m starting to wonder if this is possible or not?

How did you enable the single-role security? It should be possible.

I think that you are working on Perspective projects? There I can use the security levels. In Vision this is not possible I think.

Ah, I don’t know how security works in Vision; I haven’t used it to that extent there.
You could call up the user roles through a script, though, and check if all or any of them are in a predefined role array…

https://docs.inductiveautomation.com/display/DOC81/Security+Levels

I'm pretty sure you'll need to set your Vision client to use the Identity Provider auth strategy in order for Roles for a user to actually be recognised by the Security Levels system.

You can configure Security Zones to define your locations based on IP address(es), and then combine that with Security Levels -> Authenticated -> Roles -> e.g. Administrator


I haven't actually used these yet myself, but you can restrict tag writes (and reads) using security zones and/or roles. Just note that I don't think these will "disable" the component the tag is used on, it will simply bring up an error popup if the user doesn't have the right privilege/area, which is one reason I haven't started using these...

You can also supposedly use the hasRole expression function to read the security zone and role from the logged in user.

You'll see my post there saying I couldn't get it working, but I don't think I'd changed my auth strategy to IdP for Vision when I tested it. Actually, this option didn't even exist back in v7.9.4....

@Carl.Gould, any tips or comments?

What I do currently is bind each component's enabled property to an expression that uses:

  • hasRole to check if a user has a particular role (administrator, operator, engineer, etc.) and
  • if I need to restrict by area as well, I add another condition that looks at a vision client tag (or session custom prop) that is defined for each HMI, e.g. [client]Security Zones/Packaging/Filtration/South Wall HMI:


Hi nminchin,

Thank you for your input! If it will bring up an error pop-up, I won’t use it as well.
I am creating something else here so I can store the role in a client tag. Seems to work for now. Then I connect the enabled and visible properties to an expression, similar to what you did.
I was just hoping there would be an easier way. But it has to be done like this, I guess :)

BR

I would suggest that you create a client tag for each of your roles, bind them to an expression with hasRole, and then you have the client tags you can reference as Booleans instead of having to compare strings all the time. It makes more complex expressions simpler and reduces the chance for errors.

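Added example, not code from anyone in this thread: a plain-Python model of the approach the last two replies converge on (nminchin's per-HMI client tag for the location plus the suggestion of one Boolean client tag per role). It narrows a user's roles to the ones allowed at the location they logged in from, and builds the Boolean-per-role values that component `enabled` bindings can reference. The hostnames, zone names, the `[client]Roles/` folder and the role policy are all constructed for the example; the Ignition calls (`system.security.getRoles()`, `system.net.getHostName()`, `system.tag.writeBlocking()`) are only mentioned in comments so the file runs outside a Vision client.

```python
# Added example (not from the thread): a pure-Python model of "roles narrowed
# by login location". Inside a Vision client startup script the inputs would
# come from system.security.getRoles() and system.net.getHostName(), and the
# outputs would go to client tags via system.tag.writeBlocking(). Those calls
# are kept in comments here so the module runs stand-alone.

# Constructed lookup: which zone each HMI / desktop hostname belongs to.
HOST_ZONES = {
    "george-desktop": "Office",
    "pack-hmi-01": "Packaging",
    "filt-hmi-south": "Filtration",
}

# Constructed policy: the roles that may take effect in each zone. A role the
# user holds but which is not listed for the zone is simply dropped there.
ZONE_ALLOWED_ROLES = {
    "Office": ["Administrator", "Engineer", "Operator"],
    "Packaging": ["Engineer", "Operator"],
    "Filtration": ["Operator"],
}

# Every role the project knows about: one Boolean client tag per role.
ALL_ROLES = ["Administrator", "Engineer", "Operator"]


def zone_for_host(hostname):
    """Map a hostname to its zone; hosts nobody has classified get 'Unknown'."""
    return HOST_ZONES.get(hostname, "Unknown")


def effective_roles(user_roles, hostname):
    """Return the subset of the user's roles that applies at this location.

    An unknown host maps to an empty allow-list, so a laptop that has not
    been added to HOST_ZONES yet ends up with no roles rather than all of
    them (the default is the least privileged outcome).
    """
    allowed = ZONE_ALLOWED_ROLES.get(zone_for_host(hostname), [])
    return [r for r in ALL_ROLES if r in user_roles and r in allowed]


def role_flags(user_roles, hostname):
    """One Boolean per role, the shape of the 'client tag per role' advice.

    A component can then bind `enabled` to e.g. {[client]Roles/Engineer}
    instead of repeating string comparisons in every expression.
    """
    active = effective_roles(user_roles, hostname)
    return {role: (role in active) for role in ALL_ROLES}


def client_tag_writes(user_roles, hostname, folder="[client]Roles/"):
    """Build the (tag path, value) pairs a startup script would write.

    Hypothetical usage in a Vision client (folder name is an assumption):
        pairs = client_tag_writes(system.security.getRoles(),
                                  system.net.getHostName())
        system.tag.writeBlocking([p for p, _ in pairs], [v for _, v in pairs])
    """
    flags = role_flags(user_roles, hostname)
    return [(folder + role, flags[role]) for role in ALL_ROLES]


if __name__ == "__main__":
    george = ["Administrator", "Operator"]  # constructed user from the question
    for host in ["george-desktop", "pack-hmi-01", "new-laptop"]:
        print(host, "->", effective_roles(george, host))
```

Keeping the location-to-zone map and the zone-to-roles policy as two separate tables means adding a new HMI is a one-line change and does not touch the role policy, and the fallback for an unlisted host is deliberately "no roles", so a forgotten entry shows up as a missing button rather than as an extra privilege.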

Great advice! Thank you very much.