Can you authorized which user can access Project A vs Project B Designer?
3 Likes
Thanks, a million. I will look at this.. - See if this is the one I am needing.
The video listed at the start of the section shows how to configure the allowed access level, which seems to be missing from the manual.
But keep in mind that any designer access can run code on the gateway, and thereby subvert any project-specific restrictions. Those are guardrails, not cages.
4 Likes
I am confused.
Which permission does what?
Project Permission (what are possible value Idp roles or security level)
vs Perspective Permission
Testing.
When I tick Ign_Write,
I Expect user other than Ign_Write, not able to login to perspective.
But Must still able to login to Project Via Designer? (but in actual does not) why?
Thanks, I got it..
To assign "IdP" roles to the Project Permissions (View, Save, Delete, Protect Resource).
The current user, putting roles, must have these roles too. - of course!
Wait, Using Ignition User Source, as Identity Provider.
A developer is not an admin.
But he can run code to create new user system.user.addUser via designer and set role as an Administrator?
Is it??
Yes.
A user given access to the designer can run arbitrary code on your gateway. Nevermind giving themselves admin - they can run system.util.execute and launch arbitrary processes on the server. This is fundamental to the way Ignition works. Don't let users you don't trust into the designer.
3 Likes
This comes up when trying to deploy Ignition as a multi-tenant application, and the workload is too much for the host organization. So they try to figure out how to let the tenants use the designer, and get themselves in big trouble.
You simply cannot allow people who aren't trusted with total gateway access to use the designer. Designer roles and restrictions are assistance with administrative barriers, not secure barriers.
1 Like