The UserManagement Object defined in5.3is a UserManagementTypewhich is formally defined in Table 13.
Table 13– UserManagementType definition
|
BrowseName |
UserManagementType |
||||
|
IsAbstract |
False |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of BaseObjectType defined in OPC 10000-5 |
|||||
|
HasProperty |
Variable |
Users |
UserManagementDataType[] |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
PasswordLength |
Range |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
PasswordOptions |
PasswordOptionsMask |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
PasswordRestrictions |
LocalizedText |
PropertyType |
Optional |
|
HasComponent |
Method |
AddUser |
Defined in 5.2.5. |
Mandatory |
|
|
HasComponent |
Method |
ModifyUser |
Defined in 5.2.6. |
Mandatory |
|
|
HasComponent |
Method |
RemoveUser |
Defined in 5.2.7. |
Mandatory |
|
|
HasComponent |
Method |
ChangePassword |
Defined in 5.2.8. |
Mandatory |
|
|
Conformance Units |
|||||
|
Security User Management Server |
|||||
The Propertiesand Methodsof the UserManagementTypecontain sensitive security related information and shall only be readable and callable by authorized administrators through an encrypted channel. The only exception is the ChangePassword Method. It requires an encrypted channel but it can be called by the Sessionuser if the user token type for the Sessionis not USERNAME.
The Users Propertyspecifies the currently configured users and their settings as array of UserManagementDataType Structuredefined in 5.2.4.
The Property PasswordLengthdefines the minimum and maximum length requirement for setting the password. A value of 0 for low indicates no limit for minimum and 0 for high indicates no limit for maximum password length. The Range DataTypeis defined in OPC 10000-8.
The Property PasswordOptionsdefines the password features and requirements for setting a password in a bit mask defined by the PasswordOptionsMask DataType. If the Serverdoes not define any special requirements nor does not support enhanced features for the password management, all bits in the bit mask are set to false.
The Property PasswordRestrictionsallows a Serverto provide additional explanations about the rules applied to new passwords accepted by the Server.
The DataType PasswordOptionsMaskis formally defined in Table 14.
Table 14– PasswordOptionsMask values
|
Value |
Bit No. |
Description |
|
SupportInitialPasswordChange |
0 |
Indicates if the server supports the feature to require a password change after the creation of the user. |
|
SupportDisableUser |
1 |
Indicates if the server supports to disable a user. |
|
SupportDisableDeleteForUser |
2 |
Indicates if the server supports the configuration NoDeletefor a user. |
|
SupportNoChangeForUser |
3 |
Indicates if the server supports the configuration NoChangeByUserfor a user. |
|
SupportDescriptionForUser |
4 |
Indicates if the server supports to management of a description for the user. |
|
RequiresUpperCaseCharacters |
5 |
Indicates if a upper case ASCII character is required in a password. |
|
RequiresLowerCaseCharacters |
6 |
Indicates if a lower case ASCII character is required in a password. |
|
RequiresDigitCharacters |
7 |
Indicates if a digit ASCII character is required in a password. |
|
RequiresSpecialCharacters |
8 |
Indicates if a special character is required in a password. |
The PasswordOptionsMaskrepresentation in the AddressSpaceis defined in Table 15.
Table 15– PasswordOptionsMask definition
|
Attribute |
Value |
||||
|
BrowseName |
PasswordOptionsMask |
||||
|
IsAbstract |
False |
||||
|
References |
Node Class |
BrowseName |
DataType |
TypeDefinition |
Others |
|
Subtype of UInt32defined in OPC 10000-5 |
|||||
|
HasProperty |
Variable |
OptionSetValues |
LocalizedText [] |
PropertyType |
|
|
Conformance Units |
|||||
|
Security User Management Server |
|||||
The DataType UserConfigurationMaskis formally defined in Table 16.
Table 16– UserConfigurationMask values
|
Value |
Bit No. |
Description |
|
NoDelete |
0 |
The user cannot be deleted. |
|
Disabled |
1 |
The user is disabled. |
|
NoChangeByUser |
2 |
The user cannot change the password. |
|
MustChangePassword |
3 |
The user must change the password to get the assigned roles. If the password is not changed, the user has only the RoleAnonymous. |
The UserConfigurationMaskrepresentation in the AddressSpaceis defined in Table 17.
Table 17– UserConfigurationMask definition
|
Attribute |
Value |
||||
|
BrowseName |
UserConfigurationMask |
||||
|
IsAbstract |
False |
||||
|
References |
Node Class |
BrowseName |
DataType |
TypeDefinition |
Others |
|
Subtype of UInt32defined in OPC 10000-5 |
|||||
|
HasProperty |
Variable |
OptionSetValues |
LocalizedText [] |
PropertyType |
|
|
Conformance Units |
|||||
|
Security User Management Server |
|||||
This Structure DataTypeis used to provide the metadata for a field in a DataSet. The UserManagementDataTypeis formally defined in Table 18.
Table 18– UserManagementDataType structure
|
Name |
Type |
Description |
|
UserManagementDataType |
Structure |
|
|
userName |
String |
Name of the user. |
|
userConfiguration |
UserConfigurationMask |
The configuration mask for the user. |
|
description |
String |
A description for the user. |
Its representation in the AddressSpace is defined in Table 19.
Table 19– DataSetMetaDataType definition
|
Attributes |
Value |
|
BrowseName |
UserManagementDataType |
|
IsAbstract |
False |
|
Subtype of Structure defined in OPC 10000-5. |
|
|
Conformance Units |
|
|
Security User Management Server |
|
This Methodis used to add a user to the user management of the Server.
This Methodaffects security and shall only be browseable and callable by authorized administrators and requires an encrypted channel.
Signature
AddUser(
[in]String UserName,
[in]String Password,
[in]UserConfigurationMaskUserConfiguration,
[in]String Description
);
|
Argument |
Description |
|
UserName |
The name of the user to add. |
|
Password |
The password for the user. |
|
UserConfiguration |
The configuration mask for the user. |
|
Description |
A description for the user. |
Method Result Codes
|
ResultCode |
Description |
|
Bad_BadAlreadyExists |
The user does already exist. |
|
Bad_OutOfRange |
The password is outside the valid range of accepted length and characters. |
|
Bad_NotSupported |
The UserConfigurationhas flags set that are not supported by the Server. See PasswordOptionsfor flags supported by the Server. |
|
Bad_UserAccessDenied |
The caller does not have the necessary Permissions. |
|
Bad_SecurityModeInsufficient |
The communication channel is not using encryption. |
This Methodis used to modify a user in the user management of the Server.
This Methodaffects security and shall only be browseable and callable by authorized administrators and requires an encrypted channel.
Signature
ModifyUser(
[in]String UserName,
[in]Boolean ModifyPassword,
[in]String Password,
[in]Boolean ModifyUserConfiguration,
[in]UserConfigurationMaskUserConfiguration,
[in]Boolean ModifyDescription,
[in]String Description
);
|
Argument |
Description |
|
UserName |
The name of the user to modify. |
|
ModifyPassword |
Flag indicating if the password should be changed. |
|
Password |
The password for the user. The password is set to a null or empty string if ModifyPasswordis false. The argument is ignored if ModifyPasswordis false. |
|
ModifyUserConfiguration |
Flag indicating if the user configuration should be changed. |
|
UserConfiguration |
The configuration mask for the user. The argument is ignored if ModifyUserConfigurationis false. |
|
ModifyDescription |
Flag indicating if the user description should be changed. |
|
Description |
A description for the user. The argument is ignored if ModifyDescriptionis false. |
Method Result Codes
|
ResultCode |
Description |
|
Bad_NotFound |
The user was not found in the user management. |
|
Bad_OutOfRange |
The password is outside the valid range of accepted length and characters. |
|
Bad_NotSupported |
The UserConfigurationhas flags set that are not supported by the Server. See PasswordOptionsfor flags supported by the Server. |
|
Bad_UserAccessDenied |
The caller does not have the necessary Permissions. |
|
Bad_SecurityModeInsufficient |
The communication channel is not using encryption. |
This Methodis used to remove a userfrom the user management of the Server.
This Methodaffects security and shall only be browseable and callable by authorized administrators and requires an encrypted channel.
If the user of the Sessionused to call the Methodis to be removed, the Methodshall fail with Bad_InvalidSelfReference.
Signature
RemoveUser(
[in]String UserName
);
|
Argument |
Description |
|
UserName |
The name of the user to remove. |
Method Result Codes
|
ResultCode |
Description |
|
Bad_BadNotFound |
The specified user does not exist. |
|
Bad_UserAccessDenied |
The caller does not have the necessary Permissions. |
|
Bad_NotSupported |
The user cannot be deleted due to NoDeleteuser configuration mask setting. |
|
Bad_SecurityModeInsufficient |
The communication channel is not using encryption. |
|
Bad_InvalidSelfReference |
The user to remove is used by the Sessionused to call the Method. |
This Methodis used to change the password of the user for the Sessionused to call the Method. The Method shall fail with Bad_InvalidStateif the user token type for the Sessionis not USERNAME.
Even if the Methodis not browsable through a hierarchy for the Sessionuser, it shall be accessible and callable by the Sessionuser with the well defined NodeIdsfor the UserManagement Objectand the ChangePassword Method.
This Methodaffects security and shall only be browseable and callable through an encrypted channel. It shall be callable by the Sessionuser if the user token type for the Sessionis not USERNAME, even if the Rolefor the user is Anonymous.
Signature
ChangePassword(
[in]String OldPassword,
[in]String NewPassword
);
|
Argument |
Description |
|
OldPassword |
The old password for the Sessionuser. |
|
NewPassword |
The new password for the Sessionuser. It is receommended that the user interface for entering the new password requires to enter the password twice to avoid typos. The Servercan apply additional restrictions to the accepted password in addition to the one indicated by PasswordOptionMask. |
Method Result Codes
|
ResultCode |
Description |
|
Bad_IdentityTokenInvalid |
The old password is not valid. |
|
Bad_OutOfRange |
The new password is outside the valid range of accepted length and characters. |
|
Bad_InvalidState |
The caller is not authenticated with a USERNAME user token. |
|
Bad_NotSupported |
The password cannot be changed due to NoChangeByUseruser configuration mask setting. |
|
Bad_SecurityModeInsufficient |
The communication channel is not using encryption. |
|
Bad_BadAlreadyExists |
The new password matches the old password. |