Configurability of browsing permissions|OPC UA Standard|Forum|OPC Foundation

Configurability of browsing permissions
Jim Luth
11/10/2021 - 05:57

I received an email with the following questions …

We are currently working on the implementation of the role based access control mechanism (RBAC) in our OPC-UA server. Our goal is to comply with security standards and to provide only information from the server address space that corresponds to the permissions of the sessions / persons. The authorization checks should also apply to browsing operations.

In this context, the question has arisen how the configurability of the browsing permissions can be designed in a meaningful way.

We would like to exchange best practices with you on how and where browsing permissions should be implemented for the following address spaces:

   1) Namespace zero nodes

   2) Type namespaces (DI namespace, EUROMAP namespace)

Jim Luth
11/10/2021 - 05:57

Browsing permissions can be as fine grained as on a node basis, but it is often more desirable to set permissions on a group of nodes rather than on individual nodes. Since every node belongs to a particular namespace, the namespace a node is defined in becomes a logical grouping for which to apply permissions.

The OPC Specifications are silent on the best practice for setting browsing permissions on nodes belonging to specific namespaces, but for your examples (namespace 0 and namespaces for publicly available companion specifications) it would make sense to allow browsing of those nodes to “Anonymous” (i.e. to everyone) since the content of those nodes is already public.

Do you think it makes sense for the OPC Specifications to be more prescriptive in setting such permissions for certain classes of nodes?
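
The namespace-grouped approach from the reply above, sketched as an added example (not part of the original posts and not taken from any OPC UA SDK). The vendor namespace URI, the role names other than Anonymous, the node names and the helper functions are hypothetical. The example assumes every session carries the Anonymous role in addition to its own roles, following the "i.e. to everyone" reading in the reply.

```python
from dataclasses import dataclass
from typing import Dict, Optional

BROWSE = 0x1  # Browse bit (bit 0) of the OPC UA PermissionType bit mask

# Constructed namespace table; index 0 is always the OPC UA namespace.
NAMESPACES = [
    "http://opcfoundation.org/UA/",
    "http://opcfoundation.org/UA/DI/",
    "urn:example:vendor:machine",  # hypothetical vendor namespace
]

# Namespace-level defaults: role name -> permission bits for all nodes in it.
NS_DEFAULTS: Dict[str, Dict[str, int]] = {
    "http://opcfoundation.org/UA/": {"Anonymous": BROWSE},     # public content
    "http://opcfoundation.org/UA/DI/": {"Anonymous": BROWSE},  # public content
    "urn:example:vendor:machine": {"Operator": BROWSE, "Engineer": BROWSE},
}

@dataclass
class Node:
    ns: int                                            # namespace index
    name: str
    role_permissions: Optional[Dict[str, int]] = None  # per-node override

def session_roles(granted):
    """Assumption: Anonymous is added to whatever roles the session was granted."""
    return {"Anonymous"} | set(granted)

def may_browse(node, roles):
    """Node-level permissions win; otherwise fall back to the namespace default."""
    perms = node.role_permissions
    if perms is None:
        # A namespace without configured defaults yields {} and is denied.
        perms = NS_DEFAULTS.get(NAMESPACES[node.ns], {})
    return any(perms.get(role, 0) & BROWSE for role in roles)

def filter_browse(targets, roles):
    """Drop references whose target the session may not browse."""
    return [n.name for n in targets if may_browse(n, roles)]

# Constructed browse result covering all three namespaces and both overrides.
SAMPLE = [
    Node(0, "Server"),
    Node(1, "DeviceType"),
    Node(2, "Recipe"),
    Node(2, "PublicStatus", {"Anonymous": BROWSE}),  # opened up per node
    Node(0, "HiddenDiagnostics", {}),                # closed per node
]

if __name__ == "__main__":
    print(filter_browse(SAMPLE, session_roles([])))
    print(filter_browse(SAMPLE, session_roles(["Operator"])))
```

An empty per-node permission set denies browsing even in a namespace that is open by default, which keeps the namespace setting a default rather than a ceiling.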
