Authentication Profiles

Authentication Profiles, also known as 'user sources', are a collection of users, roles, and other user data, such as contact information or schedule. When a new user or role is created, it is applied and stored in the user source. Projects and the Gateway are assigned a User Source to authenticate against. This determines which users have access to which project(s).

Types of Authentication Profiles

There are five types of user sources: three single-storage types with varying storage mediums, and two "hybrids" that combine features of the previous three types.

Single-Storage

Users and roles are stored in a single location. The single-storage users sources are:

Internal Authentication - Users and roles are stored internally to Ignition.
Database Authentication - Users and roles are stored in a SQL database. Managing users is done via direct interaction with the database.
Active Directory Authentication - Users and roles are managed by Active Directory. Users are authenticated through the LDAP protocol.

Hybrid

Users in hybrid user sources authenticate against Active Directory, meaning that user names and passwords are checked against those stored in Active Directory. However roles are stored either internally in Ignition or in a SQL database, so it is possible to make a role change without have to contact your Active Directory administrator. This way, Active Directory can be consulted to see if a user is valid, but the management of roles does not require coordination with the IT department, who typically control the Active Directory system. This "best of both worlds" approach is popular for many users of Active Directory.

Active Directory-Internal Hybrid - Users managed by Active Directory and roles stored to Ignition internally.
Active Directory-Database Hybrid - Users managed by Active Directory and roles stored in an SQL database.

Shared Functionality

Regardless of type, all User Sources have the following functionality:

Fail-Over Source: If the User Source is unavailable for authentication, then a backup User Source can be specified. The type of the fail-over User Source can differ from the primary, so configurations where an internal-type fails over to a database-type are possible.
Schedule Restrictions: The User Source can prevent users from logging in when they are off schedule, meaning that the schedule assigned to the user determines when the user may login.

The 'default' User Source

When Ignition is installed for the first time, an internal User Source named 'default' is created. This User Source contains the 'admin' user, and the gateway uses this authentication profile as the system user source, so that users can initially log into the gateway. You can manage the default User Source by navigating to the Configure > Security > Users, Roles section of the Gateway. The manage users link will allow you to add new users, modify roles and passwords for existing users, remove users, and add/remove roles from the user source. Choosing to edit a user will bring you to the following page allowing you to make any necessary changes to that user.

images/download/attachments/6038157/Config_Security_Authenication_image.png

The 'admin' user

After installing Ignition, it is highly recommended to change the password for the admin user. The default user credentials to access the gateway are public knowledge, and not fit for a production environment.

Alternatively, the admin user could be deleted, but a new user with the 'Administrator' role should be created first so that you will not be locked out of the gateway. Should this occur, the Gateway Control Utility can be used to recreate the admin user.

Which User Source Controls What?

With potentially multiple User Sources defined, you need to understand which User Sources are controlling which aspects of Ignition. To determine what kind of User Source is governing what, do the following:

To manage users and passwords for logging into the Gateway Configuration section, you'll need to see what User Source is currently set as the Gateway's User Source. You can check this under Configuration > Gateway Settings by looking at the System User Source field and the Gateway Config Role(s) field.
To manage users and passwords for logging into the Designer, you follow the same steps as in #1, except that you need to look at the Designer Role(s) field to see what roles are allowed to log into the designer.
To manage users and passwords for logging into a Vision Client, you go to the Configuration > Projects section. Look at the project in question and you can find its User Source listed there.
Now that you know what User Source you need to manage, you can find out what kind it is under the Security > Users, Roles section.

In This Section ...

Authentication Sources