Hi all,
We are currently testing and investigating how we should configure (best practice) tag write permissions in a gateway network.
Our current GW network only consists of one main Ignition GW (standard Ignition) and one Edge GW, both on version 8.1.44.
We have a remote tag provider configured on our main GW, which represents the tag provider on the Edge.
On our Edge server, we have defined a security zone that our main Ignition gateway goes into by using IP address as identifier. And on the service security tab, for the actual security zone, we have "ReadWrite" access to the Edge local tags (image below). So, now we are able to write to tags on our Edge GW from our Main GW. Great.
So, on our main Ignition GW we now have these two tag providers:
If we edit the Standard Tag Provider, we can access settings where we can define which roles and security zones a user needs to have to be able to read and write to that tag provider, nice:
If we edit the Remote tag provider, we do not get the same options as we did on the Standard Tag Provider, with roles and/or security zones etc.:
We want to be able to restrict tag writing access for certain users on our Remote Tag Provider, so we tried creating a security zone on our main Ignition GW, called "zone_ext".
On the service security tab on the main Ignition GW, we have set the access level for the Remote Tag Provider to "Read Only":
If we launch a session that falls into the "zone_ext" security zone (confirmed by checking "session.props.auth.securityLevels") and try to write to a tag in the Remote Tag Provider, we are allowed to do that, despite configuring the access level for that RTP to be ReadOnly. Have we missed something here?
It seems like when you write to a Remote Tag Provider, the request falls under the security settings on the Edge GW for the incoming GW connection from the Main GW.
We have noticed the option of "Trust Remote Security Levels" and "Impersonation Role Name", but have not found any good examples and documentation on this yet.
Any recommendations on how we can easily restrict tag writing access on a Remote Tag Provider, based on Role and/or Security Zone? How do we achieve the same functionality as restricting access on a Standard Tag Provider, when we do not have the same options as mentioned? Is there something simple we are missing here? We would like to avoid defining security on individual tags, so the ability to restrict the whole tag provider is preferable.
Would appreciate all input on how this is handled in the great Ignition universe.
Thanks in advance!
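Added example, not part of the original post and not Ignition's own code: while the gateway-level answer is being worked out, a script-side guard can enforce a write policy per tag provider by inspecting the session's security levels before a write is issued. It assumes `session.props.auth.securityLevels` is a nested list of `{"name": ..., "children": [...]}` nodes (as the Perspective session exposes it), uses a placeholder provider name `RemoteProvider`, and takes the write function as a parameter so the logic can be exercised outside Ignition (in a real script you would pass `system.tag.writeBlocking` or a wrapper around it).

```python
# Added example (not from the original post): a script-level guard that
# checks a Perspective session's security levels before performing a
# tag write on a restricted tag provider.
#
# Assumptions (not taken from the post):
#   - session.props.auth.securityLevels is a nested list of
#     {"name": <str>, "children": [<node>, ...]} nodes.
#   - "RemoteProvider" is a placeholder for the remote tag provider name.
#   - write_fn stands in for system.tag.writeBlocking so this runs offline.


def has_security_level(levels, path):
    """Return True if the security level `path` (e.g. "SecurityZones/zone_ext")
    exists in the nested `levels` tree."""
    nodes = levels
    for part in [p for p in path.split("/") if p]:
        match = next((n for n in nodes if n.get("name") == part), None)
        if match is None:
            return False
        nodes = match.get("children", [])
    return True


# Per-provider allow-list: a session needs at least one of the listed
# security levels to write to tags in that provider. Providers not listed
# here are not restricted by this guard (the gateway's own rules still apply).
WRITE_POLICY = {
    "RemoteProvider": [
        "SecurityZones/zone_int",              # assumed "internal" zone
        "Authenticated/Roles/Administrator",   # assumed admin role
    ],
}


def provider_of(tag_path):
    """Extract the provider name from an Ignition tag path like
    "[Provider]Folder/Tag"; paths without brackets use "default"."""
    if tag_path.startswith("[") and "]" in tag_path:
        return tag_path[1:tag_path.index("]")]
    return "default"


def guarded_write(session_levels, tag_path, value, write_fn, policy=WRITE_POLICY):
    """Perform write_fn(tag_path, value) only if the session holds a
    security level allowed for that tag's provider.
    Returns (performed, reason)."""
    provider = provider_of(tag_path)
    required = policy.get(provider)
    if required is None:
        write_fn(tag_path, value)
        return True, "provider %s not restricted by script policy" % provider
    if any(has_security_level(session_levels, lvl) for lvl in required):
        write_fn(tag_path, value)
        return True, "session holds a permitted level for %s" % provider
    return False, "write to %s denied: session lacks %s" % (provider, " or ".join(required))


def make_recorder():
    """Return (writes, write_fn): write_fn appends writes to the list instead
    of touching a gateway, so the guard can be tested offline."""
    writes = []

    def write_fn(path, value):
        writes.append((path, value))
        return True

    return writes, write_fn


# Constructed sample security-level trees (shape assumed, values made up).
ZONE_EXT_SESSION = [
    {"name": "Public", "children": []},
    {"name": "Authenticated", "children": [
        {"name": "Roles", "children": [{"name": "Operator", "children": []}]},
    ]},
    {"name": "SecurityZones", "children": [{"name": "zone_ext", "children": []}]},
]

ADMIN_SESSION = [
    {"name": "Authenticated", "children": [
        {"name": "Roles", "children": [{"name": "Administrator", "children": []}]},
    ]},
    {"name": "SecurityZones", "children": [{"name": "zone_int", "children": []}]},
]


if __name__ == "__main__":
    writes, write_fn = make_recorder()
    print(guarded_write(ZONE_EXT_SESSION, "[RemoteProvider]Pump/Setpoint", 42, write_fn))
    print(guarded_write(ADMIN_SESSION, "[RemoteProvider]Pump/Setpoint", 42, write_fn))
    print(guarded_write(ZONE_EXT_SESSION, "[default]Local/Counter", 1, write_fn))
    print(writes)
```

This only guards writes that go through your own scripts; it does not replace the gateway's service security, so a session that can reach the provider through another path (a bound property, another client) is still governed by the Edge GW's settings described in the post.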