Each Role Object has the Properties and Methods defined by the RoleType which is formally defined in Table 4.
| Attribute | Value | | | | |
|---|---|---|---|---|---|
| BrowseName | RoleType | | | | |
| IsAbstract | False | | | | |
| References | Node Class | BrowseName | DataType | TypeDefinition | Modelling Rule |
| Subtype of BaseObjectType | | | | | |
| HasProperty | Variable | Identities | IdentityMappingRuleType[] | PropertyType | Mandatory |
| HasProperty | Variable | ApplicationsExclude | Boolean | PropertyType | Optional |
| HasProperty | Variable | Applications | String[] | PropertyType | Optional |
| HasProperty | Variable | EndpointsExclude | Boolean | PropertyType | Optional |
| HasProperty | Variable | Endpoints | EndpointType[] | PropertyType | Optional |
| HasProperty | Variable | CustomConfiguration | Boolean | PropertyType | Optional |
| HasComponent | Method | AddIdentity | Defined in 4.4.5. | | Optional |
| HasComponent | Method | RemoveIdentity | Defined in 4.4.6. | | Optional |
| HasComponent | Method | AddApplication | Defined in 4.4.7. | | Optional |
| HasComponent | Method | RemoveApplication | Defined in 4.4.8. | | Optional |
| HasComponent | Method | AddEndpoint | Defined in 4.4.9. | | Optional |
| HasComponent | Method | RemoveEndpoint | Defined in 4.4.10. | | Optional |
| Conformance Units | | | | | |
| Base Info ServerType | | | | | |
The Properties and Methods of the RoleType contain sensitive, security-related information and shall only be browseable, readable, writeable and callable by authorized administrators through an encrypted channel.
The configuration of the Roles is done through Method calls. The only exceptions are the ApplicationsExclude and EndpointsExclude Properties. The two Properties are configured with the Write Service. All other Properties are configured with the corresponding Method calls. The CurrentWrite bit of the AccessLevel Attribute for the Properties Identities, Applications and Endpoints shall be FALSE.
If the configuration of a Role is changed, the Role assignment of all active Sessions shall be re-evaluated and applied.
The Identities Property specifies the currently configured rules for mapping a UserIdentityToken to the Role. If this Property is an empty array and CustomConfiguration is not TRUE, then the Role cannot be granted to any Session.
The Role shall only be granted to the Session if all of the following conditions are true:
- The UserIdentityToken complies with Identities.
- The Applications Property is not configured or the Client Certificate complies with the Applications settings.
- The Endpoints Property is not configured or the Endpoint used complies with the Endpoints settings.
The ApplicationsExclude Property defines the Applications Property as an include list or exclude list. If the ApplicationsExclude Property is not provided or has a value of FALSE then only ApplicationInstance Certificates included in the Applications Property shall be included in this Role. All other ApplicationInstance Certificates shall not be included in this Role. If this Property has a value of TRUE then all ApplicationInstance Certificates included in the Applications Property shall be excluded from this Role. All other ApplicationInstance Certificates shall be included in this Role. If the Applications Property is provided with an empty array and all ApplicationInstance Certificates should be included, the ApplicationsExclude Property shall be present and the value must be TRUE.
The Applications Property specifies the ApplicationInstance Certificates of Clients which shall be included or excluded from this Role. Each element in the array is an ApplicationUri from a Client Certificate which is trusted by the Server. If Applications are configured for include or exclude, the Role shall only be granted if the Session uses a signed or signed and encrypted communication channel.
The EndpointsExclude Property defines the Endpoints Property as an include list or exclude list. If this Property is not provided or has a value of FALSE then only Endpoints included in the Endpoints Property shall be included in this Role. All other Endpoints shall not be included in this Role. If this Property has a value of TRUE then all Endpoints included in the Endpoints Property shall be excluded from this Role. All other Endpoints shall be included in this Role. If the Endpoints Property is provided with an empty array and all endpoints should be included, the EndpointsExclude Property shall be present and the value must be TRUE.
The Endpoints Property specifies the Endpoints which shall be included or excluded from this Role. Each element in the array is an EndpointType that contains an Endpoint description. The EndpointUrl and the other Endpoint settings are compared with the configured Endpoint that is used by the SecureChannel for the Session. The EndpointType DataType is defined in 4.4.2. Fields that have default values as defined in the EndpointType DataType are ignored during the comparison.
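The grant conditions above, together with the include/exclude semantics of ApplicationsExclude and EndpointsExclude, the empty-array rule, the signed-channel requirement for application restrictions, and the "default fields are ignored" rule for Endpoint comparison, can be written as one evaluation routine. The following is an added illustration, not code from the specification: the EndpointType fields, the RoleConfig/SessionInfo structures and the `token_complies` callback (standing in for the IdentityMappingRuleType matching defined elsewhere) are assumptions, and CustomConfiguration is assumed to be FALSE.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional
# Simplified EndpointType (assumed fields, not the full 4.4.2 DataType); "" is the default and is ignored.
@dataclass
class EndpointType:
    endpoint_url: str = ""
    security_mode: str = ""
    security_policy_uri: str = ""

@dataclass
class RoleConfig:
    identities: List[object]                      # IdentityMappingRuleType entries (opaque here)
    applications: Optional[List[str]] = None      # None means the Property is not configured
    applications_exclude: Optional[bool] = None
    endpoints: Optional[List[EndpointType]] = None
    endpoints_exclude: Optional[bool] = None

@dataclass
class SessionInfo:
    user_token: object
    application_uri: str       # ApplicationUri taken from the Client Certificate
    security_mode: str         # "None", "Sign" or "SignAndEncrypt"
    endpoint: EndpointType     # Endpoint used by the SecureChannel of the Session

def endpoint_matches(rule: EndpointType, actual: EndpointType) -> bool:
    return all(getattr(rule, f) in ("", getattr(actual, f))
               for f in ("endpoint_url", "security_mode", "security_policy_uri"))

def list_allows(configured, exclude: Optional[bool], hit: Callable[[object], bool]) -> bool:
    # Include/exclude list semantics shared by the Applications and Endpoints Properties.
    if configured is None:
        return True                       # Property not configured: no restriction
    matched = any(hit(item) for item in configured)
    if exclude:                           # exclude list: an empty list includes everything
        return not matched
    return matched                        # include list: an empty list includes nothing

def role_granted(role: RoleConfig, s: SessionInfo, token_complies: Callable[[object, object], bool]) -> bool:
    # Empty Identities (CustomConfiguration FALSE assumed) can never match, so the Role is not granted.
    if not any(token_complies(rule, s.user_token) for rule in role.identities):
        return False
    if role.applications is not None:
        # Application restrictions require a signed or signed-and-encrypted channel.
        if s.security_mode not in ("Sign", "SignAndEncrypt"):
            return False
        if not list_allows(role.applications, role.applications_exclude,
                           lambda uri: uri == s.application_uri):
            return False
    return list_allows(role.endpoints, role.endpoints_exclude, lambda ep: endpoint_matches(ep, s.endpoint))
```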
The CustomConfiguration Property indicates that the configuration of the Role and the assignment of the Role to Sessions is vendor specific. Roles are required to support the RolePermissions Attribute. If a Server wants to support RolePermissions but is not able to support the standard Role functionality, it can indicate this with the CustomConfiguration Property. If CustomConfiguration is TRUE, the Server may hide the configuration options completely or the Server may provide additional vendor specific configuration options.
The AddIdentity Method adds a rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present. A Server should prevent certain rules from being added to particular Roles. For example, a Server should refuse to allow an ANONYMOUS_5 (see 4.4.2) mapping rule to be added to Roles with administrator privileges.
The RemoveIdentity Method removes a mapping rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present.
The AddApplication Method adds an ApplicationInstance Certificate to the list of Applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role, the Method is not present.
The RemoveApplication Method removes an ApplicationInstance Certificate from the list of Applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role, the Method is not present.