Syncing a User Source with an External Identity Provider

I’m using an external Identity Provider to manage user access and assign roles, then using Security Level rules to grant users access based on the role provided from the IdP. However, now that I’m implementing alarm notifications, I’m realizing that pretty much all of the alarm notification functionality relies on having users pre-defined in a user source. This means that we have to add them both to the user source (to receive notifications) and to the external IdP (to secure Perspective access).

Is there some way to automate this process other than manually via a script that fires each time a user logs in? Ideally, I could maintain user information in one location.

I ran into the same issue, so I created a hybrid solution (using scripts). The IdP manages users (initial creation of user) and groups (groups define which site a user has access to). Unfortunately, the IdP only supports single layer groups. We also create Ignition User Sources to match the groups. Upon login, the script gets the username and checks if the user exists in Ignition’s User Source; if not, we create them, if so, we can read/update any roles assigned. Roles determine the level of access in the project (Supervisor, Operator…etc.). So now, all Ignition related services such as rosters, permissions, user management…etc. will work. We default all script created users to have no roles and let a supervisor elevate the new users’ roles as needed.
I realize this creates duplicate users inside many user sources, but until I can come up with something better, this will work. I did this because I don’t like the idea of creating a long list of roles such as Site1_Admin, Site1_Supervisor, Site1_Operator, Site2_Admin, Site2_Supervisor…etc. Maybe that’s what everyone else is doing. I can see this list getting very large and unmanageable.
Maybe one day we can have both roles and groups implemented in Ignition’s User Source.

Edit: Ok, so it looks like setting up Security Levels and User Grants can allow for nested roles. This is great, but there aren’t any scripting functions to add/remove user grants and security levels. This means we can’t build a GUI for end users to utilize or for automation. We don’t want people accessing the Gateway web interface for managing this.
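The login-time sync described above, as an added example written by the editor rather than the poster's own script: a user authenticated by the IdP is mirrored into the Ignition User Source, created with no roles on first sight, and otherwise left for a supervisor to elevate. The in-memory stand-in and the adapter method names (get_roles, create_user) are assumptions so the logic can run outside a gateway; the system.user calls are Ignition's scripting API.

```python
# Added example, not the thread author's script. Mirrors an IdP-authenticated
# user into an Ignition User Source. Role assignment is deliberately never done
# here: new accounts get an empty role list and a supervisor elevates them.


class InMemoryUserSource(object):
    """Stand-in for an Ignition User Source so the sync logic runs offline (assumed)."""

    def __init__(self):
        self.users = {}  # username -> list of role names

    def get_roles(self, username):
        # None means "no such user"; an existing user with no roles returns [].
        return self.users.get(username)

    def create_user(self, username):
        self.users[username] = []  # created with NO roles (least privilege)


def ignition_user_source(source_name):
    """Adapter over Ignition's system.user API; only usable on a gateway."""
    import system  # Ignition scripting module, unavailable outside the gateway

    class _Adapter(object):
        def get_roles(self, username):
            user = system.user.getUser(source_name, username)
            return None if user is None else list(user.getRoles())

        def create_user(self, username):
            new_user = system.user.getNewUser(source_name, username)
            system.user.addUser(source_name, new_user)

    return _Adapter()


def sync_login(source, username):
    """Ensure the IdP user exists in the user source.

    Returns ("created", []) on first login and ("existing", roles) afterwards.
    Never grants or changes roles: that stays with the supervisor.
    """
    if not username or not username.strip():
        # Refuse to create a blank account from a malformed IdP assertion.
        raise ValueError("refusing to mirror an empty username")
    roles = source.get_roles(username)
    if roles is None:
        source.create_user(username)
        return ("created", [])
    return ("existing", roles)
```

On a gateway the login handler would call `sync_login(ignition_user_source("SiteA"), session.props.auth.user.userName)`; the returned roles can then be read for the session without ever writing them.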


Bump, so we use Identity providers but have to manually add them to a user source to get alarm notifications. Or build some kind of scripting hack to add them to a user source… It seems like an area that could use some love and enhancement.