Each Role Object has the Properties and Methods defined by the RoleType, which is formally defined in Table 4.

Table 4 – RoleType definition

Attribute     Value
BrowseName    RoleType
IsAbstract    False

References    NodeClass  BrowseName           DataType                    TypeDefinition  Modelling Rule
Subtype of BaseObjectType
HasProperty   Variable   Identities           IdentityMappingRuleType []  PropertyType    Mandatory
HasProperty   Variable   ApplicationsExclude  Boolean                     PropertyType    Optional
HasProperty   Variable   Applications         String []                   PropertyType    Optional
HasProperty   Variable   EndpointsExclude     Boolean                     PropertyType    Optional
HasProperty   Variable   Endpoints            EndpointType []             PropertyType    Optional
HasProperty   Variable   CustomConfiguration  Boolean                     PropertyType    Optional
HasComponent  Method     AddIdentity          Defined in 4.4.5.                           Optional
HasComponent  Method     RemoveIdentity       Defined in 4.4.6.                           Optional
HasComponent  Method     AddApplication       Defined in 4.4.7.                           Optional
HasComponent  Method     RemoveApplication    Defined in 4.4.8.                           Optional
HasComponent  Method     AddEndpoint          Defined in 4.4.9.                           Optional
HasComponent  Method     RemoveEndpoint       Defined in 4.4.10.                          Optional

Conformance Units
Base Info ServerType

The Properties and Methods of the RoleType contain sensitive security-related information and shall only be browseable, readable, writeable and callable by authorized administrators through an encrypted channel.

The configuration of the Roles is done through Method calls. The only exceptions are the ApplicationsExclude and EndpointsExclude Properties. These two Properties are configured with the Write Service. All other Properties are configured with the corresponding Method calls. The CurrentWrite bit of the AccessLevel Attribute for the Properties Identities, Applications and Endpoints shall be FALSE.

The Identities Property specifies the currently configured rules for mapping a UserIdentityToken to the Role. If this Property is an empty array and CustomConfiguration is not TRUE, then the Role cannot be granted to any Session.

The Role shall only be granted to the Session if all of the following conditions are true:

The ApplicationsExclude Property defines the Applications Property as an include list or exclude list. If the ApplicationsExclude Property is not provided or has a value of FALSE, then only ApplicationInstance Certificates included in the Applications Property shall be included in this Role. All other ApplicationInstance Certificates shall not be included in this Role. If this Property has a value of TRUE, then all ApplicationInstance Certificates included in the Applications Property shall be excluded from this Role. All other ApplicationInstance Certificates shall be included in this Role. If the Applications Property is provided with an empty array and all ApplicationInstance Certificates should be included, the ApplicationsExclude Property shall be present and the value must be TRUE.

The Applications Property specifies the ApplicationInstance Certificates of Clients which shall be included in or excluded from this Role. Each element in the array is an ApplicationUri from a Client Certificate which is trusted by the Server. If Applications are configured for include or exclude, the Role shall only be granted if the Session uses at least a signed communication channel.

The EndpointsExclude Property defines the Endpoints Property as an include list or exclude list. If this Property is not provided or has a value of FALSE, then only Endpoints included in the Endpoints Property shall be included in this Role. All other Endpoints shall not be included in this Role. If this Property has a value of TRUE, then all Endpoints included in the Endpoints Property shall be excluded from this Role. All other Endpoints shall be included in this Role. If the Endpoints Property is provided with an empty array and all endpoints should be included, the EndpointsExclude Property shall be present and the value must be TRUE.

The Endpoints Property specifies the Endpoints which shall be included in or excluded from this Role. Each element in the array is an EndpointType that contains an Endpoint description. The EndpointUrl and the other Endpoint settings are compared with the configured Endpoint that is used by the SecureChannel for the Session. The EndpointType DataType is defined in 4.4.2. Fields that have default values as defined in the EndpointType DataType are ignored during the comparison.
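The following Python sketch is an added illustration of the Applications/ApplicationsExclude and Endpoints/EndpointsExclude rules described above; it is not part of the specification text and not a reference implementation. It assumes a simplified EndpointType with four fields (None or 0 as the defaults), a simplified Session record, numeric stand-ins for the message security mode, and that a Role without an Applications or Endpoints Property imposes no restriction of that kind. The evaluation of the Identities rules is taken as an input, since the IdentityMappingRuleType is defined elsewhere.

```python
# Added example, not from the OPC UA specification: evaluates the
# Applications/ApplicationsExclude and Endpoints/EndpointsExclude rules of a
# Role against a Session. Session, the EndpointType fields and the security
# mode constants are simplified assumptions, not the normative definitions.
from dataclasses import dataclass, field
from typing import Optional

# Simplified stand-in for the MessageSecurityMode enumeration (assumption).
NONE, SIGN, SIGN_AND_ENCRYPT = 1, 2, 3


@dataclass(frozen=True)
class EndpointType:
    # Simplified EndpointType. Assumption: None / 0 are the field defaults, and a
    # configured entry that leaves a field at its default does not compare it.
    endpointUrl: Optional[str] = None
    securityMode: int = 0
    securityPolicyUri: Optional[str] = None
    transportProfileUri: Optional[str] = None


@dataclass
class RoleConfig:
    # The RoleType Properties used here. A Property that is "not provided" is None.
    identities: list = field(default_factory=list)  # IdentityMappingRuleType [], opaque here
    applicationsExclude: Optional[bool] = None
    applications: Optional[list] = None             # ApplicationUris of trusted Client Certificates
    endpointsExclude: Optional[bool] = None
    endpoints: Optional[list] = None                # EndpointType []
    customConfiguration: bool = False


@dataclass
class Session:
    # What the Server knows about the Session (constructed, simplified).
    applicationUri: str      # taken from the Client's ApplicationInstance Certificate
    endpoint: EndpointType   # the Endpoint used by the SecureChannel
    securityMode: int        # security mode of the SecureChannel


def include_or_exclude(listed: bool, exclude: Optional[bool]) -> bool:
    # Shared list rule: exclude not provided / FALSE -> only listed items qualify;
    # exclude TRUE -> only unlisted items qualify. An empty list with exclude FALSE
    # therefore admits nothing; an empty list with exclude TRUE admits everything.
    return (not listed) if exclude else listed


def endpoint_matches(configured: EndpointType, used: EndpointType) -> bool:
    # Compare a configured Endpoint with the one the Session actually uses,
    # skipping fields the configured entry leaves at their default value.
    defaults = EndpointType()
    for name, cfg in vars(configured).items():
        if cfg == getattr(defaults, name):
            continue
        if cfg != getattr(used, name):
            return False
    return True


def applications_allow(role: RoleConfig, session: Session) -> bool:
    if role.applications is None:
        return True  # assumption: no Applications Property means no application restriction
    if session.securityMode == NONE:
        return False  # application restrictions require at least a signed channel
    listed = session.applicationUri in role.applications
    return include_or_exclude(listed, role.applicationsExclude)


def endpoints_allow(role: RoleConfig, session: Session) -> bool:
    if role.endpoints is None:
        return True  # assumption: no Endpoints Property means no endpoint restriction
    listed = any(endpoint_matches(e, session.endpoint) for e in role.endpoints)
    return include_or_exclude(listed, role.endpointsExclude)


def role_grantable(role: RoleConfig, session: Session, identity_matched: bool) -> bool:
    # identity_matched is the result of evaluating the Identities rules against the
    # Session's UserIdentityToken; that evaluation is defined elsewhere in the spec.
    if not role.identities and not role.customConfiguration:
        return False  # empty Identities without CustomConfiguration: never granted
    return identity_matched and applications_allow(role, session) and endpoints_allow(role, session)


if __name__ == "__main__":
    # Constructed sample: one trusted client is included, the public endpoint is excluded.
    role = RoleConfig(identities=["rule-placeholder"], applications=["urn:client:a"],
                      endpointsExclude=True,
                      endpoints=[EndpointType(endpointUrl="opc.tcp://host:4840/public")])
    admin_ep = EndpointType(endpointUrl="opc.tcp://host:4840/admin", securityMode=SIGN_AND_ENCRYPT)
    public_ep = EndpointType(endpointUrl="opc.tcp://host:4840/public", securityMode=SIGN_AND_ENCRYPT)
    print(role_grantable(role, Session("urn:client:a", admin_ep, SIGN_AND_ENCRYPT), True))  # True
    print(role_grantable(role, Session("urn:client:a", admin_ep, NONE), True))              # False
    print(role_grantable(role, Session("urn:client:a", public_ep, SIGN_AND_ENCRYPT), True)) # False
```

The sketch keeps the two list rules in one helper so the asymmetry the text spells out is visible in one place: an empty list admits nothing unless the corresponding Exclude Property is TRUE. The endpoint comparison skips every field the configured entry leaves at its default, so a configured entry carrying only an EndpointUrl matches that URL whatever security mode or policy the Session negotiated.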

The CustomConfiguration Property indicates that the configuration of the Role and the assignment of the Role to Sessions is vendor specific. Roles are required to support the RolePermissions Attribute. If a Server wants to support RolePermissions but is not able to support the standard Role functionality, it can indicate this with the CustomConfiguration Property. If CustomConfiguration is TRUE, the Server may hide the configuration options completely or the Server may provide additional vendor-specific configuration options.

The AddIdentity Method adds a rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present. A Server should prevent certain rules from being added to particular Roles. For example, a Server should refuse to allow an ANONYMOUS_5 (see 4.4.2) mapping rule to be added to Roles with administrator privileges.

The RemoveIdentity Method removes a mapping rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present.

The AddApplication Method adds an ApplicationInstance Certificate to the list of Applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role, the Method is not present.

The RemoveApplication Method removes an ApplicationInstance Certificate from the list of Applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role, the Method is not present.