Site Admin Access

Summary

Users with Admin access to a site have permissions to add, edit, or delete Problem Codes, OEE Codes, or UPC information for the site. It does not give them access to modify projects or change the gateway. Access to the gateway requires superuser access and will be required to make some of these changes.

Providing Admin access to a site for a user requires two steps,

1. Providing named access to the user through an Azure Access Request form
2. Adding the user to the Identity Provider section of the gateway

A user will not have Admin access until both steps are completed. The request form typically takes 3-4 days to complete, which the gateway updates can be completed immediately. If a user wants to have admin access to multiple sites, the request form does NOT need to be filled out a second time.

Filling Out an Azure Access Request

The following link will bring you to the Azure Access Request form. This form can be filled out by any user and does not require special access.

https://safeway.service-now.com/esc?id=sc_cat_item&sys_id=f619186b1b9f58145676437cdc4bcb39

Once the form is open in a browser, the top section will have you fill out the following information,

1. Requested for: This should be your name
2. Selected Division: enter "Backstage Norcal Corporate"
3. Cube of Office Location: This is an open text field and should be your office location
4. Cost Center: Should be "99011853"
5. Approving Manger: It will default to your manager, but it should be changed to Ana Cruz or Narayana Yellapragada, or another appropriate manager

 In the next section, you will fill out information about what specifically you are requesting. As you make selections, more options will appear. Below is an example of a filled-out section.

1. Select Request Type: Add Members to Azure Access RBAC Group
2. Select Group to Add Membership: Application
3. Application Code: Ignition – Manufacturing PLC Monitoring (SCPL)
4. Environment: prod
5. User Role: Member – read only

In the final section, you will select the users to give access to. This can be done by either entering the person’s name or their LDAP ID. The Business Reason section is not required for this request.

Updating the Ignition Gateway for Admin Access

The second step of the process is to go to the Ignition Gateway at https://manufacturing.monitoring.albertsons.com/web/home

This step requires a person to have access to the gateway. If the user does not have access, they will receive an error and should contact Marcus Dehaas, marcus.dehaas@safeway.com, or an Ignition superuser.

Once there, click on the “CONFIG” icon on the left side of the screen.

The Config menu will open with several options. Scroll down to “Security>Identity Providers” and click on this link.

This will open a new page with two options. On the “albertsons_oauth” Identity Provider, click “More”, then “User Grants”. This will open a new screen.

This is where all named access is controlled. Several usernames should already be listed. By clicking on a user, you can see what their current access level is.

To add a user, click on the “+” icon that is next to the current user list.

This will bring up a popup where you can enter the username. This should be the LDAP of the user, followed by “@safeway.com”.

CRITICAL: The username is CASE SENSITIVE, which means that “bfoul03” is different than “Bfoul03” and “BFOUL03”. Make sure to use the specific username that a user will typically enter. Often, a user will login to the Albertsons network on a browser (i.e. Chrome, Edge, Firefox) and that login information will be retained and attempted to be used in Ignition. This means that a user may not have an opportunity to enter a username, as the username will be recalled from when they opened their browser.

Once a username has been added, click on that username and there will be different options under the “Custom Roles” section. Each site has an admin level that can be selected. Select the appropriate site admin by clicking on the checkbox. Several sites can be selected at the same time. Once the selections have been made, click on the "Save" button at the bottom of the page.

There is an "Administrator" role which will provide admin access to all sites. This should not be used frequently as there are only rare times that a user will need access to all sites.