Each Role Object has the Properties and Methods defined by the RoleType, which is formally defined in Table 4.
Table 4: RoleType definition

| Attribute | Value |
|---|---|
| BrowseName | RoleType |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | Modelling Rule |
|---|---|---|---|---|---|
| Subtype of BaseObjectType | | | | | |
| HasProperty | Variable | Identities | IdentityMappingRuleType[] | PropertyType | Mandatory |
| HasProperty | Variable | ApplicationsExclude | Boolean | PropertyType | Optional |
| HasProperty | Variable | Applications | String[] | PropertyType | Optional |
| HasProperty | Variable | EndpointsExclude | Boolean | PropertyType | Optional |
| HasProperty | Variable | Endpoints | EndpointType[] | PropertyType | Optional |
| HasProperty | Variable | CustomConfiguration | Boolean | PropertyType | Optional |
| HasComponent | Method | AddIdentity | Defined in 4.4.5. | | Optional |
| HasComponent | Method | RemoveIdentity | Defined in 4.4.6. | | Optional |
| HasComponent | Method | AddApplication | Defined in 4.4.7. | | Optional |
| HasComponent | Method | RemoveApplication | Defined in 4.4.8. | | Optional |
| HasComponent | Method | AddEndpoint | Defined in 4.4.9. | | Optional |
| HasComponent | Method | RemoveEndpoint | Defined in 4.4.10. | | Optional |
| Conformance Units | | | | | |
| Base Info ServerType | | | | | |
The Properties and Methods of the RoleType contain sensitive security related information and shall only be browseable, readable, writeable and callable by authorized administrators through an encrypted channel.
The configuration of the Roles is done through Method calls. The only exceptions are the ApplicationsExclude and EndpointsExclude Properties. These two Properties are configured with the Write Service. All other Properties are configured with the corresponding Method calls. The CurrentWrite bit of the AccessLevel Attribute for the Properties Identities, Applications and Endpoints shall be FALSE.
The Identities Property specifies the currently configured rules for mapping a UserIdentityToken to the Role. If this Property is an empty array and CustomConfiguration is not TRUE, then the Role cannot be granted to any Session.
The Role shall only be granted to the Session if all of the following conditions are true:
- The UserIdentityToken complies with Identities.
- The Applications Property is not configured or the Client Certificate complies with the Applications settings.
- The Endpoints Property is not configured or the Endpoint used complies with the Endpoints settings.
The ApplicationsExclude Property defines the Applications Property as an include list or exclude list. If the ApplicationsExclude Property is not provided or has a value of FALSE, then only ApplicationInstance Certificates included in the Applications Property shall be included in this Role. All other ApplicationInstance Certificates shall not be included in this Role. If this Property has a value of TRUE, then all ApplicationInstance Certificates included in the Applications Property shall be excluded from this Role. All other ApplicationInstance Certificates shall be included in this Role. If the Applications Property is provided with an empty array and all ApplicationInstance Certificates should be included, the ApplicationsExclude Property shall be present and the value must be TRUE.
The Applications Property specifies the ApplicationInstance Certificates of Clients which shall be included in or excluded from this Role. Each element in the array is an ApplicationUri from a Client Certificate which is trusted by the Server. If Applications are configured for include or exclude, the Role shall only be granted if the Session uses at least a signed communication channel.
The EndpointsExclude Property defines the Endpoints Property as an include list or exclude list. If this Property is not provided or has a value of FALSE, then only Endpoints included in the Endpoints Property shall be included in this Role. All other Endpoints shall not be included in this Role. If this Property has a value of TRUE, then all Endpoints included in the Endpoints Property shall be excluded from this Role. All other Endpoints shall be included in this Role. If the Endpoints Property is provided with an empty array and all endpoints should be included, the EndpointsExclude Property shall be present and the value must be TRUE.
The Endpoints Property specifies the Endpoints which shall be included in or excluded from this Role. Each element in the array is an EndpointType that contains an Endpoint description. The EndpointUrl and the other Endpoint settings are compared with the configured Endpoint that is used by the SecureChannel for the Session. The EndpointType DataType is defined in 4.4.2. Fields that have default values as defined in the EndpointType DataType are ignored during the comparison.
The CustomConfiguration Property indicates that the configuration of the Role and the assignment of the Role to Sessions is vendor specific. Roles are required to support the RolePermissions Attribute. If a Server wants to support RolePermissions but is not able to support the standard Role functionality, it can indicate this with the CustomConfiguration Property. If CustomConfiguration is TRUE, the Server may hide the configuration options completely or the Server may provide additional vendor specific configuration options.
The AddIdentity Method adds a rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present. A Server should prevent certain rules from being added to particular Roles. For example, a Server should refuse to allow an ANONYMOUS_5 (see 4.4.2) mapping rule to be added to Roles with administrator privileges.
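As an added example, not part of the specification text, the grant conditions above (Identities, Applications and Endpoints with their include/exclude semantics, and the signed-channel requirement) together with the AddIdentity refusal of an anonymous rule on an administrator Role, written out in Python. The Role and Session dataclasses, the criteriaType names "UserName" and "Anonymous", the string security modes, and the reduction of the EndpointType comparison to the EndpointUrl are simplifications assumed here.

```python
from dataclasses import dataclass

# Constructed, simplified model of the RoleType Properties described in the
# text; a mapping rule is (criteriaType, criteria) with assumed type names.
@dataclass
class Role:
    identities: list                 # [(criteriaType, criteria), ...]
    custom_configuration: bool = False
    applications: list = None        # ApplicationUris; None = not configured
    applications_exclude: bool = False
    endpoints: list = None           # EndpointUrls; None = not configured
    endpoints_exclude: bool = False
    is_admin: bool = False           # Role carries administrator privileges

@dataclass
class Session:
    token: dict           # UserIdentityToken: {"userName": "alice"} or {}
    application_uri: str  # ApplicationUri from the Client Certificate
    endpoint_url: str     # EndpointUrl used by the SecureChannel
    security_mode: str    # "None", "Sign" or "SignAndEncrypt"

def rule_matches(rule, token):
    kind, criteria = rule
    if kind == "Anonymous":
        return not token  # an empty token models an anonymous login
    return kind == "UserName" and token.get("userName") == criteria

def list_permits(configured, exclude, value):
    # Include list: value must be listed; exclude list: it must not be.
    # Hence an empty list with exclude=True admits every value.
    if configured is None:
        return True
    return (value in configured) != exclude

def role_granted(role, session):
    # The three grant conditions from the text, evaluated in order.
    if not role.identities and not role.custom_configuration:
        return False  # empty Identities: never granted (vendor specific otherwise)
    if not any(rule_matches(r, session.token) for r in role.identities):
        return False
    if role.applications is not None:
        if session.security_mode == "None":
            return False  # Applications configured => at least a signed channel
        if not list_permits(role.applications, role.applications_exclude, session.application_uri):
            return False
    return list_permits(role.endpoints, role.endpoints_exclude, session.endpoint_url)

def add_identity(role, rule):
    # AddIdentity guard: refuse an Anonymous rule on an administrator Role.
    if role.is_admin and rule[0] == "Anonymous":
        return False
    role.identities.append(rule)
    return True
```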
The RemoveIdentity Method removes a mapping rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present.
The AddApplication Method adds an ApplicationInstance Certificate to the list of Applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role, the Method is not present.
The RemoveApplication Method removes an ApplicationInstance Certificate from the list of Applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role, the Method is not present.