Moderators-Specifications
04/15/2014
I received an email with the following questions …
We are currently working on the implementation of the role based access control mechanism (RBAC) in our OPC-UA server. Our goal is to comply with security standards and to provide only information from the server address space that corresponds to the permissions of the sessions / persons. The authorization checks should also apply to browsing operations.
In this context, the question has arisen how the configurability of the browsing permissions can be designed in a meaningful way.
We would like to exchange best practices with you on how and where browsing permissions should be implemented for the following address spaces:
1) Namespace zero nodes
2) Type namespaces (DI namespace, EUROMAP namespace)
Moderators-Specifications
04/15/2014
Browsing permissions can be as fine grained as on a node basis, but it is often more desirable to set permissions on a group of nodes rather than on individual nodes. Since every node belongs to a particular namespace, the namespace a node is defined in becomes a logical grouping for which to apply permissions.
The OPC Specifications are silent on the best practice for setting browsing permissions on nodes belonging specific namespaces, but for your examples (namespace 0 and namespaces for publicly available companion specifications) it would makes sense to allow browsing of those nodes to “Anonymous” (i.e. to everyone) since the content of those nodes is already public.
Do you think it makes sense for the OPC Specifications to be more prescriptive in setting such permissions for certain classes of nodes?
1 Guest(s)