AD Internal Hybrid
Let's add an additional authentication profile to fetch the user list from Active Directory, but store all role information internally in Ignition. This authentication profile stores users, roles, and mappings in Ignition similar to the Internal Authentication profile, but validates against passwords stored in Active Directory.
AD/Internal User Source
The active directory/internal hybrid profile type combines the internal User Source type with the active directory User Source type. Active Directory is used to find all of the users, and to check their credentials when they attempt to log in. However, it allows assigning of roles, contact info, and other meta-information about a user through Ignition, all of this information is then stored as if it were an internal User Source.
This way, Active Directory can be consulted to see if a user is valid, but the management of roles does not require coordination with the I.T. department, who typically control the Active Directory system. This "best of both worlds" approach is popular for many users of Active Directory.
The AD/Internal hybrid User Source is partially manageable . Users cannot be added or removed. Their usernames and passwords cannot be changed. This is because this information resides in Active Directory, not within Ignition. Other information, such as a user's roles, contact info, schedule, and so on, is manageable.