Hello,
My question is about user permissions.
For example:
user A (supervisor) can see all Nodes in Server, can execute Methods
user B (operator) can see only operational status of some Nodes and execute start/stop Method of one of the Nodes
user D (maintenance) can see extended status and execute “shutdown for maintain” Method of one of the Nodes
Do I need to create 3 different Profiles?
How to configure access?
Do this 3 used should have different certificate if they access from the same HMI?
It is done differently? How?
Thank you for helping.
Mikl
Moderators-Specifications
Moderators-Companion
Moderators-Implementation
Moderators-Certification
Moderators-COM
02/24/2014
Mikl,
In OPC UA there is application level security and user level security. Every application has its own application instance certificate that is used for establishing communication to another application. This include encrypting and signing of the messages. An application can also provided a number of different methods for establishing a User identity and the roles they might be granted. The user authentication is a second step in establish a session between the client (HMI) and the server. User authentication can be via Username/Password, Certificates (user certificates not application instance certificates), JSON Web Token (JWT). Different application may support different options, so it is important that the client and server support the same user security profile.
[Note on profiles: profiles describe the groups of functionality a server and client are tested against. There are profiles for transport/communication, for information models, generate functionality, User Security etc. So it is important that if you are purchasing a client or server that you review what functionality (profiles) it supports and that the desired function is supported by all applications.]
The specification supports restricting access to every item in a server based on the user, but this restriction is function of the server application. Some servers might only allow configuration of access restriction for a limited set of roles or users. Some might have very limited support for User access restrictions, other will allow configuration of user access rights for every item. The how to configuration the access restriction is defined by the application, it is not defined in the specification.
Paul
Paul Hunkar - DSInteroperability
Hello, Paul
Thank you for the answer.
Unfortunately, it is too theoretical for me.
Yes, it is possible to set application level security (as Node accessLevel attribute, if i am not wrong) and user level security (as userAccessLevel), it is even role based access authorisation described in part 5 annex F.
But how what is the “best”, as OPC Foundation design it, way of doing this?
Is any products on a market what implement this?
Mikl
For example, i am confused by:
Part 2, 4.8: “Profiles exist to indicate the support of user credentials to restrict or control access to data”
and
Part 7, 1, where it is only about testing
Can you help me to find the way to configure security “correctly” (according OPC UA design), please?
1 Guest(s)