Porting Active Directory Roles Between Gateways

Hi, I am currently working on the setup of a new Ignition instance at one of our plants. When doing this I am using the same active directory source that is used at our other facilities. However, I also want to be able to import the user roles from our other facilities since the list is several thousand individuals long. I believe in the past we have taken a complete gateway backup from an existing plant and did a backup/restore on the new plant, then just deleted what wasn’t relevant. However, this is not the most effective since there always seems to be things brought over in the restore that don’t get removed and then cause issues in the future. Is there any way to do this type of import?

Also we do not currently have the EAM running so any enterprise scoped directory roles would not apply here.

I’ll describe a process - following it is at-your-own-risk, but this is definitely possible.

  1. Set up an auth profile on the new gateway with the same settings as the previous gateway, to validate the roles.
  2. Copy the config.idb file from the Ignition/data/db/ directory on both gateways.
  3. Use a tool like DB Browser For SQLite, or the first-party SQLite tools to open the old config.idb file, then go to the AUTHPROFILES table and find the AUTHPROFILES_ID for the AD/Hybrid user source.
  4. Back up the relevant settings from the INTERNAL* tables that have the same auth profile ID:

    I.e., in my case, the AD/Hybrid profile was ID 6, so the only relevant roles here are the two with profile ID 6:
  5. Once this data is exported/copied/backed up in some way, you will need to find the new gateway’s auth profile ID for your AD/Hybrid user source, then manipulate these records to have that new ID.
  6. Then, apply the new records to the matching tables in the new gateway’s config.idb file.
  7. Finally, shut down the new gateway, replace the config.idb file with the one you manipulated, and restart the gateway. If everything went well, your existing AD/Hybrid user source will still be there, but the user/role mapping information will still be there.

Note again that this is not a trivial operation, and I deliberately left a few steps vague, because undertaking any internal database modification is a potentially catastrophic operation. Take gateway backups before touching anything, and make sure they’re stored somewhere safe. If you’re comfortable in the command line, the last part of this page (starting with “Dump data of one or more tables into a file”) is a great place to start.

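The steps above, carried out against two SQLite files, as an added worked example that is not part of the original thread and not Ignition's own code. The schema is a constructed stand-in: an AUTHPROFILES table keyed by AUTHPROFILES_ID as the answer describes, plus two hypothetical INTERNAL* tables (INTERNALROLES, INTERNALUSERROLES) whose rows carry the owning profile's ID. The real config.idb table and column names differ and must be read from the file itself. The example shows the part the answer leaves vague: the old file's primary keys may already be in use in the new file, so it allocates fresh role IDs and carries the old-to-new map through to the user/role mapping rows, and it copies the target file before writing to it.

```python
"""Port AD/Hybrid user-source roles between two SQLite config databases.

Added example, not Ignition's own code. The schema is a constructed
stand-in: an AUTHPROFILES table keyed by AUTHPROFILES_ID (as in the post)
plus two hypothetical INTERNAL* tables whose rows carry the owning
profile's ID. Real config.idb tables and columns differ; adapt the names.
"""
import shutil
import sqlite3
import tempfile
from pathlib import Path

SCHEMA = """
CREATE TABLE AUTHPROFILES (AUTHPROFILES_ID INTEGER PRIMARY KEY, NAME TEXT NOT NULL);
CREATE TABLE INTERNALROLES (ROLE_ID INTEGER PRIMARY KEY, PROFILE_ID INTEGER NOT NULL,
                            ROLE_NAME TEXT NOT NULL);
CREATE TABLE INTERNALUSERROLES (MAPPING_ID INTEGER PRIMARY KEY, PROFILE_ID INTEGER NOT NULL,
                                ROLE_ID INTEGER NOT NULL, USERNAME TEXT NOT NULL);
"""


def build_config(path, profiles, roles, mappings):
    """Create a stand-in config.idb populated with the given (constructed) rows."""
    with sqlite3.connect(path) as conn:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO AUTHPROFILES VALUES (?, ?)", profiles)
        conn.executemany("INSERT INTO INTERNALROLES VALUES (?, ?, ?)", roles)
        conn.executemany("INSERT INTO INTERNALUSERROLES VALUES (?, ?, ?, ?)", mappings)


def profile_id(conn, name):
    """Step 3 of the post: look up AUTHPROFILES_ID for the named user source."""
    row = conn.execute("SELECT AUTHPROFILES_ID FROM AUTHPROFILES WHERE NAME = ?", (name,)).fetchone()
    if row is None:
        raise LookupError(f"no auth profile named {name!r}")
    return row[0]


def port_roles(old_path, new_path, profile_name):
    """Steps 4-6: copy one profile's roles and mappings, remapping IDs for the new gateway."""
    backup = Path(str(new_path) + ".bak")
    shutil.copyfile(new_path, backup)  # never modify the target file without a copy

    with sqlite3.connect(old_path) as old, sqlite3.connect(new_path) as new:
        old_pid = profile_id(old, profile_name)
        new_pid = profile_id(new, profile_name)
        roles = old.execute("SELECT ROLE_ID, ROLE_NAME FROM INTERNALROLES WHERE PROFILE_ID = ?",
                            (old_pid,)).fetchall()
        mappings = old.execute("SELECT ROLE_ID, USERNAME FROM INTERNALUSERROLES WHERE PROFILE_ID = ?",
                               (old_pid,)).fetchall()

        # Primary keys from the old file may already be taken in the new one, so
        # allocate fresh ROLE_IDs and remember old -> new for the mapping rows.
        next_id = new.execute("SELECT COALESCE(MAX(ROLE_ID), 0) FROM INTERNALROLES").fetchone()[0] + 1
        role_map = {}
        for old_id, name in roles:
            role_map[old_id] = next_id
            new.execute("INSERT INTO INTERNALROLES (ROLE_ID, PROFILE_ID, ROLE_NAME) VALUES (?, ?, ?)",
                        (next_id, new_pid, name))
            next_id += 1
        copied = 0
        for old_role, user in mappings:
            if old_role not in role_map:
                continue  # dangling reference in the old file: skip it rather than guess
            new.execute("INSERT INTO INTERNALUSERROLES (PROFILE_ID, ROLE_ID, USERNAME) VALUES (?, ?, ?)",
                        (new_pid, role_map[old_role], user))
            copied += 1
        new.commit()
    return {"old_profile_id": old_pid, "new_profile_id": new_pid, "role_id_map": role_map,
            "roles_copied": len(roles), "mappings_copied": copied, "backup": str(backup)}


def memberships(path, profile_name):
    """Validation query: sorted (username, role) pairs for one profile."""
    with sqlite3.connect(path) as conn:
        pid = profile_id(conn, profile_name)
        rows = conn.execute("""SELECT m.USERNAME, r.ROLE_NAME FROM INTERNALUSERROLES m
                               JOIN INTERNALROLES r ON r.ROLE_ID = m.ROLE_ID
                               WHERE m.PROFILE_ID = ?""", (pid,)).fetchall()
    return sorted(rows)


def demo():
    """Run the port on two constructed config files in a temp dir and return the results."""
    work = Path(tempfile.mkdtemp())
    old_db, new_db = work / "old_config.idb", work / "new_config.idb"
    # Old gateway: AD/Hybrid profile is ID 6 (as in the post); role IDs 1 and 2 belong to it.
    build_config(old_db,
                 profiles=[(1, "default"), (6, "AD-Hybrid")],
                 roles=[(1, 6, "Operators"), (2, 6, "Supervisors"), (3, 1, "Administrator")],
                 mappings=[(1, 6, 1, "alice"), (2, 6, 2, "bob"), (3, 1, 3, "admin")])
    # New gateway: same user source was created as ID 2, and ROLE_ID 1 is already taken.
    build_config(new_db,
                 profiles=[(1, "default"), (2, "AD-Hybrid")],
                 roles=[(1, 1, "Administrator")],
                 mappings=[(1, 1, 1, "admin")])
    summary = port_roles(old_db, new_db, "AD-Hybrid")
    return summary, memberships(new_db, "AD-Hybrid"), memberships(new_db, "default")


if __name__ == "__main__":
    print(demo())
```

The membership query at the end is the check to run before swapping the file back into the gateway: the copied profile should list exactly the old users and roles, and the untouched profiles should be unchanged.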