Hello,
For a project, I have the following architecture:
- One Ignition Standard Gateway, connected to an LDAP using OpenID Connect
- On a remote site, an Ignition Edge Panel
- A Gateway Network connection configured between the two Gateways
Currently, from the central Gateway, I am able to read and write to the tags hosted on the Edge Gateway (since no security rules are applied yet).
I would now like to implement a more granular write-permission strategy, so that only certain users authenticated on OpenID Connect on the central Gateway (for example with an “Operator” security level) are allowed to write to specific tags hosted on the Edge.
Initially, it was not planned to connect the Edge Gateway to the LDAP. Therefore, I did the following on the Edge:
- created local user accounts and local roles,
- configured Security Level Rules to assign Security Levels based on those roles,
- used the same Security Level hierarchy as on the central Gateway, with the goal of having matching and valid Security Levels on both Gateways.
However, this approach does not seem to work. It is not possible to grant write permissions from the central Gateway based on the Security Levels resulting from OIDC authentication.
Based on my investigations, since permission checks are evaluated on the Gateway hosting the tags (the Edge), the user authenticated via OIDC on the central Gateway is not recognized on the Edge, and therefore has no write permissions.
The intended architecture goal was:
- under normal operation, to use the central Gateway with OIDC authentication,
- in case of network failure or central Gateway unavailability, to allow local operation using local accounts on the Edge Gateway (degraded mode).
At this point, I am blocked in implementing the security layer correctly from the central Gateway. From what I understand, it would be necessary to also connect the Edge Gateway to the same LDAP / OIDC provider in order to allow writing from the central Gateway.
Can you please confirm if this understanding is correct?
Is there any other supported solution to achieve this use case without connecting the Edge Gateway to the LDAP?