OPC UA defines a standard approach for implementing role based security. Serversmay choose to implement part or all of the mechanisms defined here. The OPC UA approach assigns Permissionsto Rolesfor each Nodein the AddressSpace. Clientsare then granted Roleswhen they create a Sessionbased on the information provided by the Client.

Rolesare used to separate authentication (determining who a Clientis with a user token and Clientapplication identity) from authorization (Permissionsdetermining what the Clientis allowed to do). By separating these tasks Serverscan allow centralized services to manage user identities and credentials while the Serveronly manages the Permissionson its Nodesassigned to Roles.

OPC 10000-3defines the possible Permissionsand the representation as Node Attributes.

Figure 1depicts the ObjectTypes, Objectsand their components used to represent the Rolemanagement.


Figure 1– Role management overview