Project Required Roles

Why does the project property required roles require the user to have all the roles specified?

For instance, I have a role called “managers” and I have a role called “supervisors”. When I set a project to require roles “managers,supervisors”, neither users from the manager role nor users from the supervisor role can log in.

I suppose I could set managers with both the role “managers” and the role “supervisors”, but I would not want to give a supervisor the role “manager”.

Is there another way I am supposed to be using the required roles?

I am using “AD/Internal Hybrid” authentication.

I would create a special role that is different from managers or supervisors that you require to log in. That way you only have one.

I have another question along the lines of the hybrid authentication. In FactoryPMI we used hybrid authentication and users could only log in to projects if they existed in Active Directory and they had a matching user name in the gateway authentication hybrid profile. This does not seem to be the case with Ignition. We found that everyone in Active Directory could log in to projects that did not have a role requirement whether they were set up in the Ignition gateway or not. Is this the expected behavior of Ignition?

This is from the manual:

[quote]Security Settings

Choose the authentication profile that governs this project’s security. This profile will be used for client logins. You may also optionally specify a list of roles that are required for a user to log into this project. Use commas to separate the roles. Users must have all of the roles in order to log in. If no roles are specified, the user only needs to correctly authenticate with the authentication profile in order to log in.[/quote]

[quote]AD/Internal Hybrid Authentication Profile

The active directory/internal hybrid profile type combines the internal profile for role management, but uses Active Directory for authentication. This means that for any username/password combination, Active Directory gets to decide whether that user is a valid user, and if they are considered valid, then the Ignition Gateway looks internally for their list of roles.[/quote](emphasis added) :wink:

I’ve also created a client login script that will look at the roles a user has and open specific windows depending on what role they are. Anyone can still log in, but if I have not associated them with a role then they just get a blank screen and can’t look at or do anything. This is another path you could take.

You could probably also look to see if they are not in any of the roles, and if that’s the case force close the client as well if you really wanted to.

Here’s a sample from my project:

[code]
# This part of the script will open up different windows on
# startup depending on the user's roles.
if 'Administrators' in system.security.getRoles():
    system.nav.openWindow("Main Window")
    system.nav.openWindow("Screen Selection Docked")
elif 'Electronics' in system.security.getRoles():
    system.nav.openWindow("Main Window")
    system.nav.openWindow("Screen Selection Docked")
[/code]

from FPMI manual

So the functionality has changed for hybrid authentication. I will now have to change the structure of all our roles for all our projects.

We already have specific roles required on certain buttons, but not all. So in order to keep everyone in Active Directory from poking around in our projects I will make a separate role for each project. Then I will assign each separate role to the respective project's required roles. Only users that should be opening each project will get the required role assigned to them in order to open their assigned projects. I will leave all our other roles the way they are so that scripts that check role membership will still work.

Hmm… Not seeing that as a difference, according to the documentation. Not saying that FPMI didn’t treat it differently, just that the FPMI document is a wordy version of the Ignition document.

I seem to remember that launching with AD/DB hybrid projects would launch on AD Authentication only. Been more than four days ago, though, so don’t hold me to that… :laughing:
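
The login rule quoted from the manual and the one-role-per-project plan discussed in this thread, modelled in plain Python as an added example (not code from the thread or from Ignition). The function names and every user, role and project are constructed for illustration.

```python
# Added example: models the login rule quoted from the manual; it is not Ignition code.
# Every user, role and project name below is constructed sample data.

AD_USERS = {"alice", "bob", "carol", "dave"}           # accounts AD will authenticate
INTERNAL_ROLES = {                                      # gateway's internal role list
    "alice": {"managers", "line1_access"},
    "bob": {"supervisors", "line1_access"},
    "carol": {"supervisors"},
}                                                       # "dave" exists only in AD
PROJECTS = {
    "both_roles": ["managers", "supervisors"],          # the setup from the question
    "no_roles": [],                                     # no required roles set
    "line1": ["line1_access"],                          # one dedicated role per project
}

def can_log_in(user, required_roles, ad_users=AD_USERS, internal_roles=INTERNAL_ROLES):
    """AD decides whether the account is valid; roles come only from the gateway."""
    if user not in ad_users:
        return False
    held = internal_roles.get(user, set())              # not in gateway -> no roles
    # "Users must have all of the roles": the required set must be a subset of the
    # held set. An empty requirement is a subset of anything, so any AD user passes.
    return set(required_roles) <= held

def audit(projects=PROJECTS, ad_users=AD_USERS, internal_roles=INTERNAL_ROLES):
    """Map each project to the sorted list of AD users able to log in."""
    return {
        name: sorted(u for u in ad_users if can_log_in(u, req, ad_users, internal_roles))
        for name, req in projects.items()
    }

def unmanaged_access(projects=PROJECTS, ad_users=AD_USERS, internal_roles=INTERNAL_ROLES):
    """Projects reachable by AD accounts that have no roles in the gateway at all."""
    report = audit(projects, ad_users, internal_roles)
    flagged = {}
    for name, users in report.items():
        strangers = [u for u in users if not internal_roles.get(u)]
        if strangers:
            flagged[name] = strangers
    return flagged

if __name__ == "__main__":
    for project, users in audit().items():
        print(project, "->", users or "nobody")
    print("open to accounts with no gateway roles:", unmanaged_access())
```

Any project that `unmanaged_access()` reports is one where Active Directory authentication alone is enough to get in, which is the case the dedicated per-project role closes.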