This lesson is part of the Security in Ignition course.
Learn how to configure specific security level overrides for particular users.
Video recorded using: Ignition 8.0
Transcript
[00:00] Security Levels grant access to different parts of the Ignition system, where each Security Level has its own set of rules that govern when a user is granted that level. However, it is possible to override the default behavior of a level and grant it to a user regardless of whether they meet the requirements set forth in the rules or not. These overrides are called User Grants, and they are set up per Identity Provider. To create these User Grants, we're going to come into the Gateway webpage in the Configure section and navigate to the Identity Providers page underneath the Security heading. Once here we're going to find the Identity Provider that we want to add User Grants to, and click on the more button on the right and go down to User Grants. Here we have the ability to add, edit, or remove User Grants. I currently don't have any but I can easily add one by clicking on the plus button up near the top of the middle of the page.
[01:08] I'm going to get a popup that asks me to identify the user that I want to add to the User Grant system. I can either identify them based on the unique ID that they have within the Identity Provider or I can identify them based on their username. I'm going to go ahead and use the username option and identify my user called John. Once I have that set I can go ahead and click on the confirm button and with John selected we now see our Security Levels tree on the right. I have a Security Level here called Upper Management. Its requirements are that a user has at least one of the roles that pertain to an Upper Management level position. Even if John doesn't meet those requirements, by checking Upper Management I tell the system that I want John to be granted the Upper Management Security Level no matter what. I do want to point out that you don't see any custom Security Levels that lie outside of the Authenticated level.
[02:09] This is because for levels outside of the Authenticated level they don't have access to user information since users can be granted those levels without logging in. If the user hasn't logged in, then we're not sure who that user is so it makes it impossible to give them User Grants when they haven't logged in. Once you've configured your User Grants the way you want, you can click the save button down in the bottom right-hand corner of the screen to save your changes.