Access control to Node|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Access control to Node
Avatar
Guest
Guests
1
08/02/2018 - 00:54
sp_Permalink sp_Print

Hello,

My question is about user permissions.

For example:
user A (supervisor) can see all Nodes in Server, can execute Methods
user B (operator) can see only operational status of some Nodes and execute start/stop Method of one of the Nodes
user D (maintenance) can see extended status and execute “shutdown for maintain” Method of one of the Nodes

Do I need to create 3 different Profiles?
How to configure access?
Do this 3 used should have different certificate if they access from the same HMI?
It is done differently? How?

Thank you for helping.

Mikl

 

 
Avatar
Paul Hunkar
Cleveland, Ohio, USA
Moderator
Members

Moderators-Specifications

Moderators-Companion

Moderators-Implementation

Moderators-Certification

Moderators-COM
Forum Posts: 112
Member Since:
02/24/2014
sp_UserOfflineSmall Offline
2
08/06/2018 - 07:54
sp_Permalink sp_Print

Mikl,

  In OPC UA there is application level security and user level security.  Every application has its own application instance certificate that is used for establishing communication to another application.  This include encrypting and signing of the messages.  An application can also provided a number of different methods for establishing a User identity and the roles they might be granted.  The user authentication is a second step in establish a session between the client (HMI) and the server.  User authentication can be via Username/Password, Certificates (user certificates not application instance certificates), JSON Web Token (JWT).  Different application may support different options, so it is important that the client and server support the same user security profile.

[Note on profiles: profiles describe the groups of functionality a server and client are tested against.  There are profiles for transport/communication, for information models, generate functionality, User Security etc.  So it is important that if you are purchasing a client or server that you review what functionality (profiles) it supports and that the desired function is supported by all applications.]

The specification supports restricting access to every item in a server based on the user, but this restriction is function of the server application. Some servers might only allow configuration of access restriction for a limited set of roles or users.  Some might have very limited support for User access restrictions, other will allow configuration of user access rights for every item.  The  how to configuration the access restriction is defined by the application, it is not defined in the specification.

Paul

Paul Hunkar - DSInteroperability

Avatar
Guest
Guests
3
08/08/2018 - 00:43
sp_Permalink sp_Print

Hello, Paul

 

Thank you for the answer.

 

Unfortunately, it is too theoretical for me.

Yes, it is possible to set application level security (as Node accessLevel attribute, if i am not wrong) and user level security (as userAccessLevel), it is even role based access authorisation described in part 5 annex F.

 

But how what is the “best”, as OPC Foundation design it, way of doing this?

Is any products on a market what implement this?

 

Mikl

Avatar
Guest
Guests
4
08/08/2018 - 02:19
sp_Permalink sp_Print

For example, i am confused by:

Part 2, 4.8: “Profiles exist to indicate the support of user credentials to restrict or control access to data”

and

Part 7, 1, where it is only about testing

 

Can you help me to find the way to configure security “correctly” (according OPC UA design), please?

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online: Randy Armstrong
Guest(s) 47
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1445
Posts: 4889