User without "Create project permission" can create projects

Trying to get a better understanding of roles & levels as a sysadmin new to Ignition, on a fresh install of 8.3.

Roles based on AD group membership are associated with users as expected, using Classic auth in Designer; the system user source is AD.

Testing with 2 roles from AD groups: “Ignition Designer Login” and “Ignition Project Creator”

“Ignition Designer Login” is added to the “Designer Role(s)” list in Roles & Permissions

A new level “Ignition Project Creator” is added under Authenticated > Roles

That level is the only option selected in “Create Project Permission”

A user who does not have the “Ignition Designer Login” role assigned gets “Login failed” when attempting to log in to Designer, as expected.

The problem is that a user who has “Ignition Designer Login” but not “Ignition Project Creator” is able to log in to Designer and create projects.

The project creator role is only for operations at the gateway web UI, IIUC. Any actual designer login is effectively full authority for everything in the gateway.

If you don't trust people with full access to a gateway, don't give them access through a designer.

5 Likes

Documentation for the “Create Project Permission” role states “Check the security levels required to create a new project in the Designer. Users must belong to at least one of these roles in order to create a new Designer project.”

I suggest you open a support ticket. Don't be surprised if it is resolved by changing the docs to match reality.

1 Like