System Security and AD group settings

Hello Everyone,

I am trying to determine the best security and authentication strategy for accessing our Vision projects. Currently we are using the Active Directory type to access the project, so essentially anyone can access it as long as they are included in the AD. I am then referencing the RolesDataSet system tag to populate the list of AD groups for me. I then have a custom roles manager where I assign an AD group to a role name (Admin, Engineer, Supervisor, Operator, etc.) and store it in SQL. As admin I can assign those AD groups to role names, and then when a user signs in I check which is the highest AD group they are a part of and assign that role. This is useful for then determining whether certain components are enabled in the project.

The issue that I am running into is that I cannot auto-login the project with a dummy generic user because, from my understanding, you can only add users to the AD/Internal Hybrid type. I would ideally like to have the project auto-login with a generic user; to permit higher access I would use a SwitchUser function, and once the user has logged in I still want to reference the same roles manager as above. Is there a function or way to get the AD groups similar to using [System]Client/User/RolesDataSet?

I appreciate the help!

Most setups like this use another, internal, user source for non-AD accounts, including such a dummy account. Set the AD user source to soft failover to the internal user source.

Great idea, that worked! Thank you

Got a question for you. We're going to have to do something similar, as we have a client with a company-wide AD that users and roles are assigned in, but each site has different roles/security groups named based upon the site name and role, i.e. SG-Site1-Admin, SG-Site1-Operator, SG-Site2-Admin, etc. So I was curious: when you assign a role to the user upon login, does that take effect immediately, or does it only apply the next time they log in? Or are you doing it some other way? Just curious how you're handling it so that each plant can share standard security roles like "Admin", "Operator", etc. Or are you doing something besides "hasRole()" for your security checks?

I know I can do exactly what I want with the identity providers, but I'd like to stick with classic logins since this is a Vision project.
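An added example, not code from either poster or from Ignition, that combines the first post's highest-group-wins role resolution with the site-scoped group naming the later post asks about. The precedence list, the group-to-role dict and the SG-<Site>-<Role> pattern are constructed assumptions, and the group list is passed in as a plain list rather than read from the RolesDataSet tag so it runs outside Ignition:

```python
import re

# Role names in precedence order, highest first (constructed to match the
# roles named in the thread: Admin, Engineer, Supervisor, Operator).
ROLE_PRECEDENCE = ("Admin", "Engineer", "Supervisor", "Operator")

# Constructed stand-in for the admin-maintained group-to-role table that the
# first post keeps in SQL. Keys are AD group names, values are role names.
GROUP_ROLE_MAP = {
    "Plant-Maintenance": "Engineer",
    "Control-Room": "Operator",
}

# Site-scoped convention from the later post: SG-<Site>-<Role>, e.g.
# SG-Site1-Admin. AD group names are case-insensitive, so match that way.
SITE_GROUP_RE = re.compile(r"^SG-(?P<site>[^-]+)-(?P<role>[^-]+)$", re.IGNORECASE)

def role_from_site_group(group, site):
    """Map an SG-<Site>-<Role> group to a standard role, but only when the
    site segment matches the plant this client runs at; a Site2 group must
    never grant anything on Site1."""
    m = SITE_GROUP_RE.match(group.strip())
    if not m or m.group("site").lower() != site.lower():
        return None
    for role in ROLE_PRECEDENCE:
        if role.lower() == m.group("role").lower():
            return role
    return None

def resolve_role(groups, site, group_role_map=GROUP_ROLE_MAP):
    """Return the single highest-precedence role the user's AD groups grant,
    or None when nothing maps (deny by default, no fallback role). In
    Ignition `groups` would come from [System]Client/User/RolesDataSet or
    system.security.getRoles(); here it is a plain list of names."""
    granted = set()
    for g in groups:
        role = group_role_map.get(g) or role_from_site_group(g, site)
        if role in ROLE_PRECEDENCE:
            granted.add(role)
    for role in ROLE_PRECEDENCE:
        if role in granted:
            return role
    return None

def meets_role(groups, site, required):
    """Precedence-aware replacement for a plain hasRole() check: a user
    resolved to Admin also satisfies a component that requires Operator."""
    held = resolve_role(groups, site)
    if held is None or required not in ROLE_PRECEDENCE:
        return False
    return ROLE_PRECEDENCE.index(held) <= ROLE_PRECEDENCE.index(required)
```

The same resolution can be run again after a SwitchUser so the generic auto-login account resolves to no role while the switched-in user gets the highest role their groups grant.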