Tag Permissions - Remote Tag Provider, roles not working

So I’m currently trying to set up a Development and Testing environment as per the Ign 8 Deployment guide and I’m running into permissions issues.

I have a database-based IdP / user source set to manual and I am using a remote tag provider for accessing the tags on the master server, no Security zones set up (other than default). User security is set up the same on both gateways.

Any tag with role-based permissions will not read or write on the development server. For example, the Designer user is ‘Administrator’, and with this selected under roles I get an access error. I have populated the security levels with the roles in the database and all the roles show up in both gateways’ ‘Users, roles’.
If I change the permissions to only ‘Authenticated’ or simply ‘roles’ checkbox selected it works. It works also if I simply set permissions to ‘SecurityZones’>‘default’.

Could someone please help? Also any advice on how tags were configured for development/testing workflows is more than welcome.

Hello, reviving this thread because I stumbled over the same problem.

Setting any security level permission on the remote tag provider prevents the local gateway from accessing those tags. Basically, permissions don’t seem to be carried over to the remote Gateway.

Is there any solution/workaround/am I doing something wrong here?

Thanks 🙂

You should have an option on the Service Security page to trust the remote security levels; scroll up from this anchor:
https://docs.inductiveautomation.com/display/DOC81/Service+Security#ServiceSecurity-DefaultSecurityZone

Security levels are local to a specific gateway, as are tag permissions. By opting in, you can allow the gateway containing the tags to ‘trust’ the security context it’s supplied by the remote gateway. As the name suggests, you should only do this in an architecture where you ‘trust’ your remote gateways - which hopefully you’re taking steps for in any production environment…

Ah perfect, I was looking into something similar in the remote tag provider section, not under Service Security.

Thanks for the tip 🙂