Security Level Clarification

Hi - I am a bit confused on a particular aspect of Gateway security. Hoping someone can shed some light. The example here is for illustrative purposes.

It is my understanding that the Gateway uses Security Levels in the default (Ignition) Identity Provider to authenticate, and that roles had to be added to the Security Levels in order to work with a given IdP.

When I go to Security --> General and for the settings "Gateway Config Permissions" and "Status Page Permissions", I see Authenticated/Roles/Administrator. I would then expect this role to be within the Security Levels page, but it is not.

Similarly, if I create a new role called roleGWAdmin, add this role to the aforementioned settings, then create a new user and assign this role to them, that user is still able to log in despite not being in the Security Levels list.

Am I misunderstanding how the Gateway checks users and roles?
I'd like to understand this better because I plan on having a separate role for Gateway configuration and a different admin role for my Vision application (the latter using a Classic security approach).

Thanks

When you log into your Config Page, the Identity Provider will authenticate against a User Source. If your Roles were added to your User Source (which they've been), you will be authenticated. Your Roles still exist even if they are not visible in the Security Levels tab (that's my understanding).

Thanks.
I think my confusion is about when I would need to add roles to the Security Levels.
It is stated (in the manuals and one of the training videos) that one needs to add them to ensure they match against what is in the Identity Provider. For the "default" internal Ignition IdP, I guess user roles do not need to be added to the Security Levels?

In other words, this is only for external / non-Ignition IdPs?

You will need them in the Security Levels for them to be visible in the Designer. But I agree it can be confusing and I'm not the best man on this topic :pensive: