Users

Ignition provides a wealth of user security management choices, giving you the option of managing users within the Ignition application, through Active Directory, or through an Identity Provider. KanoaMES extends this security model to allow the management of users and their roles on an asset-by-asset basis.

Kanoa's security implementation provides a way to manage user permissions via asset-role associations. User management itself, such as creating, editing, and deleting users, may be supported only with an internal user source. Any other type of user authentication, such as an AD user source or an identity provider, will need to be managed externally.

By default, the security table populates with the users in each of the gateway's user sources. Users that are stored in an identity provider will not show up initially.

Kanoa's security implementation stores user data in parallel: for each user in the gateway's user sources, our database also stores a record for that user. A user's database record is initialized when they log in for the first time, or when another user edits their information.

Users can also be created through the security table. Creating a user through the security table creates a new user in the gateway's 'default' user source and also initializes a record for them in the database.

Users may have their basic information edited, such as their first and last name. This updates their record in the database, but note that only users in the 'default' user source will also have their information updated there. Users in any other type of user source, or in an identity provider, will need to have their information updated externally. All users may have their asset-role associations configured.

Users that are part of the 'default' user source may also be deleted. Deleting a user through the security table deletes them in the 'default' user source and deletes their record in the database. Users not in the 'default' user source will have their database record deleted, but will still need to be deleted externally at their corresponding user source or identity provider.

Features

Gateway Admin
KanoaMES supports multi-enterprise asset hierarchies on the same gateway server. Because of this we provide a reserved 'Gateway Admin' role that provides 'administrator' level rights for all enterprises. The Gateway Admin is the only user who can make another user an 'Administrator' for one or more enterprises. The 'administrator' can then manage the access and roles users have within that enterprise. Users with the 'Gateway Admin' role have full access to the application, being able to view all users in the security table, and being able to perform any action in any view, with any assets.


Configuration

The user security model has the following configuration parameters:

  • Allow Guest: Allows guests who are not logged in to view all assets
  • User Source: Specifies the name of the Ignition user source that users will be stored in and retrieved from


User Roles & Functions

Our security model allows for custom roles to be created and functions enabled for that role. A function is a reserved term that is used throughout the MES application to determine if a user has rights to perform these functions.

The following functions have been provided:

  • Configure Security
  • Configure Assets
  • Configure Items
  • Operate Assets
  • Edit Operations
  • Schedule Shifts
  • Schedule Operations
  • Configure Quality
  • Enter Checks
  • Approve Checks

If additional functions are required, they can be created directly in the [sec].[userFunction] database table.

New roles can be created by clicking the + button. Once a role has been created, functions associated with that role can be set by setting the checkbox in the table. A role can only be deleted if no users currently have that role.


User Configuration

When the Ignition user source is set to internal, users can be added and deleted via the User table. If the userSource is set to Active Directory, only a user's roles can be configured.

The 'active' field is set the first time a user has logged into the MES application.

Creating and Editing Users

Click the + button to add a new user or select a user and click the users button.

A first and last name is required for a user. This allows us to filter out users that may have been set up for kiosk auto-login, Active Directory printers, etc.

A user can be assigned a role along with a list of assets that role is valid for. This allows you to set a user to be an operator at, say, the mill, but not at the packaging line.

A user can be given Gateway Admin permissions by enabling the Gateway Admin checkbox. There is no need to set specific roles to specific assets for a Gateway Admin, as they automatically inherit all rights over all assets.

The first user to log into a freshly installed KanoaMES application will automatically be granted Gateway Admin rights. Only Gateway Admins can give Gateway Admin rights to other users.

To add a role to a user, select the role you wish to assign to the user and then click on the asset selector to select the assets.

To remove a user's roles, select the role you wish to remove from the user and then click the 'Remove assets' button.
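
The role, function and asset model described above can be reviewed for least privilege by listing who effectively holds a sensitive function on each asset. The following is an added example, not KanoaMES code or its database schema: the data structures, role names, user names and asset names are hypothetical and constructed for illustration, and only the function names are taken from the list on this page.

```python
from dataclasses import dataclass, field

# Constructed sample data. Role names are hypothetical; function names come
# from the page's function list.
ROLE_FUNCTIONS = {
    "Operator": {"Operate Assets", "Enter Checks"},
    "Supervisor": {"Operate Assets", "Edit Operations", "Approve Checks"},
    "Security Manager": {"Configure Security", "Configure Assets"},
}

@dataclass
class User:
    name: str
    gateway_admin: bool = False
    # role name -> set of assets that role is valid for
    role_assets: dict = field(default_factory=dict)

# Constructed users and assets (hypothetical).
USERS = [
    User("alice", gateway_admin=True),
    User("bob", role_assets={"Operator": {"Mill"}}),
    User("carol", role_assets={"Supervisor": {"Mill", "Packaging Line"},
                               "Security Manager": {"Packaging Line"}}),
]

def can(user, function, asset):
    """True if the user may perform `function` on `asset`."""
    if user.gateway_admin:
        return True  # Gateway Admin inherits all rights over all assets
    return any(
        function in ROLE_FUNCTIONS.get(role, set()) and asset in assets
        for role, assets in user.role_assets.items()
    )

def holders(users, function, assets):
    """Map each asset to the sorted names of users who hold `function` there."""
    return {a: sorted(u.name for u in users if can(u, function, a)) for a in assets}

def unknown_roles(users):
    """Assignments that reference a role with no function definition."""
    return sorted((u.name, r) for u in users
                  for r in u.role_assets if r not in ROLE_FUNCTIONS)

if __name__ == "__main__":
    report = holders(USERS, "Configure Security", ["Mill", "Packaging Line"])
    for asset, names in report.items():
        print(f"Configure Security on {asset}: {names}")
```
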