Permissions for Adding Devices

Could you please add a permissions level between Gateway Admin and Programmer?

It would be helpful if there was a SuperProgrammer Role that would have Programmer rights plus the rights to add devices. They don’t need the full Admin rights, but just the ability to add additional devices.

Thanks for listening.


Is it possible to do this now via the hybrid model?

The opcua module doesn’t make provision for failover, but is it necessary?

Thinking out loud.


Yeah, the Gateway’s Config section doesn’t have fine-grained rights management so that you could restrict/allow individual sections.

If this is a blocker for you, you might consider running a second Ignition Gateway with only the OPC-UA module installed. Have your main Gateway use an OPC-UA connection to the second gateway’s OPC-UA server. In this way you could allow access for the SuperProgrammer to the second Gateway, and all that would be there would be the devices configuration. Somewhat clunky, but you could do it today as opposed to waiting for this feature request to make its way into the dev schedule…

Let me see if I can restate what you are saying I could do.

I can run two instances of Ignition. Different computers or same computer using different ports?

The one paid license instance handles everything except serving data from the PLCs. Normal admin, programmer, and client creds required.

The other instance would run a free OPC-UA server with drivers talking to PLCs. It could have all of the “extra” modules stripped out. On this instance all users would have admin rights allowing them to add new devices. In essence this would be a Super OPC-UA server.

How are the two instances linked?



You would create a new OPC-UA connection on the first (main) server that pointed to the second (OPC-UA module + drivers only) server.

Right now under Configure > OPC Connections > Servers you have one connection that points to the local UA server. You would simply be adding a second one to this section, naming it appropriately, and then browsing/adding tags from this connection instead of the first.

So do I point the main server to port 4096 on the new Super server and use internal profile creds?

Do I have to point each one at the other?

I just tried to do this and it says connecting for a while and then says closed.

Any help?



Are they on the same server or not? If they are on the same, make sure all the ports are different. Also make sure that the user/pw you are connecting with from the “client” gateway is valid on the OPC-UA (Super)Server gateway.

Does the console on the client display any errors or warnings when you try to connect?

They are on separate machines.

I have the creds set correctly. Using the internal admin/password. That should work.

I still have several layers of this onion to peel back yet.

Please ignore the tears.


The OPC-UA server does not use the default admin/password. It has its own authentication profile, the defaults of which are opcuauser / password.


Thanks Kevin! That’s not the way I have it set.

Since I am an engineer, I can share the following self-deprecating humor…

Q. Why do engineers have stooped shoulders and sloped foreheads?

A. When you ask them a question, there’s always a shrug of the shoulders.
When you tell them the answer, there’s always a slap of the forehead.

It’s just a joke guys, a joke…



That works!!!

I have my Ignition main pointed at Ignition demo for opc-ua using creds opcuauser/password.

Now what should I do, ask for a Panel Edition key or is there another free type available?


No, panel edition isn’t what you want, you want the OPC-UA CD Key request form.

There are two free licenses: panel edition, which is just for the vision module, and OPC-UA with the drivers. I guess the panel edition probably includes UA, but in regards to what you want to accomplish, the straight UA license is probably better.