Through the ActivateSession Service, OPC UA allows a Client to change the user associated with the Session. This Service can have security-related implications.

Developers have to ensure that when a user context changes, all existing activities switch to the new context. Furthermore, in multi-threaded environments, when a Server receives an ActivateSession request, it should stop processing new Service calls until it has completed any user change. For Services like Read or Browse, the Server needs to ensure that any Service calls that were issued under the old user context are completed using that context, and that the new context is applied only to Service calls issued after the user context change. For the Publish Service (part of the Subscription Services), it is important that security checks are applied to all monitored items if the user context has changed (as described in OPC 10000-4), which could result in a MonitoredItem returning Bad_AccessDenied.
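The following Python model illustrates the rules in the paragraph above; it is an added example, not text or code from the OPC UA specification or any SDK. The `Session` class, its method names, the `validate` hook, and the node names, users and values are all hypothetical and constructed for illustration.

```python
import threading

GOOD, BAD_ACCESS_DENIED = "Good", "Bad_AccessDenied"

# Constructed sample data: node -> users allowed to read it, and node values.
ACL = {"Pump1.Speed": {"operator", "engineer"}, "Pump1.Tuning": {"engineer"}}
VALUES = {"Pump1.Speed": 1480, "Pump1.Tuning": 0.35}


class Session:
    """Toy model of one Session's user context (all names are hypothetical)."""

    def __init__(self, user):
        self._user = user
        self._gate = threading.Lock()  # held while a user change is in progress
        self.monitored_items = []

    def activate_session(self, new_user, validate=lambda user: None):
        # New Service calls block on the gate until the change is complete.
        with self._gate:
            validate(new_user)  # stand-in for token checks; raises to reject
            self._user = new_user
        return GOOD

    def begin_call(self):
        # Snapshot the user when a call is issued; the call keeps this context
        # even if ActivateSession changes the user before it completes.
        with self._gate:
            return self._user

    def read(self, node, ctx=None):
        user = ctx if ctx is not None else self.begin_call()
        if user not in ACL.get(node, set()):
            return BAD_ACCESS_DENIED, None
        return GOOD, VALUES[node]

    def publish(self):
        # Access is re-checked per MonitoredItem against the current user.
        user = self.begin_call()
        return {node: self.read(node, user) for node in self.monitored_items}


def demo():
    s = Session("engineer")
    s.monitored_items = ["Pump1.Speed", "Pump1.Tuning"]
    in_flight = s.begin_call()  # Read issued before the user change
    s.activate_session("operator")
    return s.read("Pump1.Tuning", in_flight), s.read("Pump1.Tuning"), s.publish()
```

In `demo()`, the Read issued before the change completes under the old user, the Read issued afterwards is denied, and Publish reports Bad_AccessDenied for the item the new user may not read.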