Question about the organization and configuration of security to project resources by different users

Hello,

I have one main Ignition project from which resources are inherited to other projects. These projects that inherit from the main project are for different companies. They are created for client accounts in our domain. They log in by domain using Security Assertion Markup Language 2.0. 'Roles' are returned and it is possible to set a permission level in the project for each user, e.g. Operator/Viewer.

I'm trying to find an approach that will allow me to have more control over security. Access is implemented from a single Gateway server - Frontend, which has Remote Gateways connected. This allows access to tags and histories from the outside. VPN access is granted to all companies and they connect to our network and Gateway - Frontend through it.

  1. I want to divide users into groups, so that some have more privileges than others - as I described, I implement this using 'Roles'. I have scripts defined in the project that verify Roles and, based on that, assign access to activities, e.g. access to view and execute machine controls. Is this approach correct?

  2. I'm using Perspective, in which users connect via URL links. I want users from one external company not to be able to connect via another company's link. There is a project division, so in the project I mark the users with these roles who should be able to get to SCADA via URL. Is this approach correct?

  3. Another issue is about access to the resources of tag providers and others like histories. The URL passes information in the form of a parameter, which is used to connect to specific tags in tag providers. When someone types the name of the provider into their link, it sends a parameter that connects them to another client's tags! How to prevent this and manage it easily? I have hundreds of remote providers in Frontend, many projects and remote gateways. I would like to define in one place a list of providers that the project would have access to. This needs to be easily modifiable and manageable. I have no idea how to do this.

I will be grateful for any tips!

Best regards
Michał Góralczyk

You are blazing a trail for the rest of us. IA only recently (a year or so, IIRC) updated the Ignition license to allow multi-tenant usage, and doesn't really support the security models one might expect for that. In particular, you simply cannot give your tenants designer access.

That said:

  1. You probably need a group for each tenant, in addition to groups for specific functionality. Then your access control would check for the multiple groups required.

  2. Yes, probably the best you can do.

  3. Consider requiring the per-tenant group in the tag provider definition.

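The following is an added example, not code from either post or from Ignition itself, sketching how the reply's advice (a per-tenant group plus functional groups, checked together) and the question's third point (one central allowlist of tag providers per tenant, validated before a URL parameter is turned into a tag path) could be scripted. It is plain Python kept Jython 2.7 compatible, since Ignition project scripts run on Jython. The role lists are passed in explicitly; in a Perspective script they would be read from the session's authenticated user (assumed here to be `self.session.props.auth.user.roles`). All tenant role names, provider names and tag paths are constructed placeholders.

```python
# Added example: tenant-aware access checks for a multi-tenant SCADA project.
# Not from the forum thread; helper names and all data values are hypothetical.
# Roles are passed in as plain lists; in Perspective they would come from the
# session's authenticated user (assumed: self.session.props.auth.user.roles).

# One central allowlist: tenant role -> tag providers that tenant may reach.
# Constructed sample data; edit this single table to grant or revoke access.
TENANT_PROVIDERS = {
    "tenant_acme": set(["acme_plant1", "acme_plant2"]),
    "tenant_globex": set(["globex_line3"]),
}

# Functional roles that grant each activity. A user must hold a tenant role
# AND one of these roles (the "multiple groups required" check from the reply).
ACTIVITY_ROLES = {
    "view": set(["Viewer", "Operator"]),
    "control": set(["Operator"]),
}

def tenants_for(roles):
    """Return the tenant roles present in a user's role list."""
    return set([r for r in roles if r.startswith("tenant_")])

def may_perform(roles, activity):
    """True only if the user holds exactly one tenant role and a functional
    role for the activity. Anything ambiguous or unknown is denied."""
    tenants = tenants_for(roles)
    if len(tenants) != 1:
        return False          # no tenant, or membership in several: deny
    needed = ACTIVITY_ROLES.get(activity)
    if not needed:
        return False          # unknown activity: deny by default
    return len(needed & set(roles)) > 0

def resolve_provider(roles, requested_provider):
    """Validate a URL-supplied provider name against the user's tenant
    allowlist. Returns the provider if allowed, otherwise None, so the
    caller never builds a tag path from an unvalidated parameter."""
    tenants = tenants_for(roles)
    if len(tenants) != 1:
        return None
    tenant = list(tenants)[0]
    allowed = TENANT_PROVIDERS.get(tenant, set())
    if requested_provider in allowed:
        return requested_provider
    return None

def tag_path(roles, requested_provider, tag):
    """Build a fully qualified Ignition-style tag path, [provider]tag,
    only when the provider passed the allowlist check."""
    provider = resolve_provider(roles, requested_provider)
    if provider is None:
        return None
    return "[%s]%s" % (provider, tag)

if __name__ == "__main__":
    acme_operator = ["tenant_acme", "Operator"]
    print(may_perform(acme_operator, "control"))                  # True
    print(tag_path(acme_operator, "acme_plant1", "Motor1/Speed")) # [acme_plant1]Motor1/Speed
    print(tag_path(acme_operator, "globex_line3", "Motor1/Speed")) # None
```

The point of `resolve_provider` is that the URL parameter is only ever compared against a table keyed by the caller's own tenant role, so retyping another company's provider name into the link yields `None` rather than a cross-tenant tag path; keeping `TENANT_PROVIDERS` in one project script resource is the "single place to define the list" the question asks for.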