Project Required Roles

Why does the project property required roles require the user to have all the roles specified?

for instance I have a role called “managers” and i have a role called "supervisors. when i set a project to require roles “managers,supervisors” neither users from the manager role or users from the supervisor role can log in.

i suppose i could set managers with both the role “managers” and the role “supervisors”, but i would not want to give a supervisor the role “manager”

Is there another way i am suppose to be using the required roles?

I am using “AD/Internal Hybrid” authentication.

I would create a special role that is different from managers or supervisors that you require to login. That way you only have one.

I have another question along the lines of the hybrid authentication. in FactoryPMI we used hybrid authentication and users could only login to projects if they existed in active directory and they had a matching user name in the gateway authentication hybrid profile. This does not seem to be the case with Ignition. We found that everyone in active directory could login to projects that did not have a role requirement whether they were setup in the Ignition gateway or not. is this the expected behavior of Ignition?

This is from the manual:

[quote]Security Settings

Choose the authentication profile that governs this project’s security. This profile will be used for client logins. You may also optionally specify a list of roles that are required for a user to log into this project. Use commas to separate the roles. Users must have all of the roles in order to log in. If no roles are specifed, the user only needs to correctly authenticate with the authentication profile in order to log in.[/quote]

[quote]AD/Internal Hybrid Authentication Profile

The active directory/internal hybrid profile type combines the internal profile for role management, but uses Active Directory for authentication. This means that for any username/password combination, Active Directory gets to decide whether that user is a valid user, and if they are considered valid, then the Ignition Gateway looks internally for their list of roles.[/quote](emphasis added) :wink:

I’ve also created a client login script that will look at the roles a user has and open specific windows depending on what role they are. Anyone can still log in, but if I have not associated them with a role then they just get a blank screen and can’t look at or do anything. This is another path you could take.

You could probably also look to see if they are not in any of the roles, and if that’s the case force close the client as well if you really wanted to.

Here’s a sample from my project:


This part of the script will open up different windows on

startup depending on the users roles.

if ‘Administrators’ in
system.nav.openWindow(“Main Window”)
system.nav.openWindow(“Screen Selection Docked”)
elif ‘Electronics’ in
system.nav.openWindow(“Main Window”)
system.nav.openWindow(“Screen Selection Docked”)[/code]

from FPMI manual

so the functionality has changed for hybrid authentication. I will now have to change the structure of all our roles for all our projects.

We already have specific roles required on certain buttons, but not all. So in order to keep everyone in active directory from poking around in our projects I will make a separate role for each project. then i will assign each separate role to the respective projects required roles. only users that should be opening each project will get the required role assigned to them in order to open their assigned projects. i will leave all our other roles the way they are so that scripts that check role membership will still work.

Hmm… Not seeing that as a difference, according to the documentation. Not saying that FPMI didn’t treat it differently, just that the FPMI document is a wordy version of the Ignition document.

I seem to remember that launching with AD/DB hybrid projects would launch on AD Authentication only. Been more than four days ago, though, so don’t hold me to that… :laughing: