Each Role Object has the Properties and Methods defined by the RoleType, which is formally defined in Table F.2.
Table F.2 – RoleType Definition

Attribute | Value
BrowseName | RoleType
IsAbstract | False

References | NodeClass | BrowseName | DataType | TypeDefinition | Modelling Rule
Subtype of BaseObjectType | | | | |
HasProperty | Variable | Identities | IdentityMappingRuleType[] | PropertyType | Mandatory
HasProperty | Variable | ApplicationsExclude | Boolean | PropertyType | Optional
HasProperty | Variable | Applications | String[] | PropertyType | Optional
HasProperty | Variable | EndpointsExclude | Boolean | PropertyType | Optional
HasProperty | Variable | Endpoints | EndpointType[] | PropertyType | Optional
HasComponent | Method | AddIdentity | Defined in F.3.3. | | Optional
HasComponent | Method | RemoveIdentity | Defined in F.3.4. | | Optional
HasComponent | Method | AddApplication | Defined in F.3.3. | | Optional
HasComponent | Method | RemoveApplication | Defined in F.3.4. | | Optional
HasComponent | Method | AddEndpoint | Defined in F.3.3. | | Optional
HasComponent | Method | RemoveEndpoint | Defined in F.3.4. | | Optional
The Properties and Methods of the RoleType contain sensitive security related information and shall only be browseable, writeable and callable by authorized administrators through an encrypted channel.
The Identities Property specifies the currently configured rules for mapping a UserIdentityToken to the Role. If this Property is an empty array, then the Role cannot be granted to any Session.
The ApplicationsExclude Property defines whether the Applications Property is an include list or an exclude list. If this Property is not provided or has a value of FALSE, then only Application Instance Certificates included in the Applications Property shall be included in this Role; all other Application Instance Certificates shall not be included in this Role. If this Property has a value of TRUE, then all Application Instance Certificates included in the Applications Property shall be excluded from this Role; all other Application Instance Certificates shall be included in this Role.
The Applications Property specifies the Application Instance Certificates of Clients which shall be included in or excluded from this Role. Each element in the array is an ApplicationUri from a Client Certificate which is trusted by the Server.
The EndpointsExclude Property defines whether the Endpoints Property is an include list or an exclude list. If this Property is not provided or has a value of FALSE, then only Endpoints included in the Endpoints Property shall be included in this Role; all other Endpoints shall not be included in this Role. If this Property has a value of TRUE, then all Endpoints included in the Endpoints Property shall be excluded from this Role; all other Endpoints shall be included in this Role.
The Endpoints Property specifies the Endpoints which shall be included in or excluded from this Role. The value is an EndpointType array which contains one or more Endpoint descriptions. The EndpointType DataType is defined in 12.22.
The AddIdentity Method adds a rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present. A Server should prevent certain rules from being added to particular Roles. For example, a Server should refuse to allow an ANONYMOUS_5 (see F.3.2) mapping rule to be added to Roles with administrator privileges.
The RemoveIdentity Method removes a mapping rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present.
The AddApplication Method adds an Application Instance Certificate to the list of applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role, the Method is not present.
The RemoveApplication Method removes an Application Instance Certificate from the list of applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role, the Method is not present.
The IdentityMappingRuleType structure defines a single rule for selecting a UserIdentityToken. The structure is described in Table F.3.
Table F.3 – IdentityMappingRuleType

Name | Type | Description
IdentityMappingRuleType | Structure | Specifies a rule used to map a UserIdentityToken to a Role.
criteriaType | IdentityCriteriaType (Enumeration) | The type of criteria contained in the rule: USERNAME_1 (the rule specifies a UserName from a UserNameIdentityToken); THUMBPRINT_2 (the rule specifies the Thumbprint of a User or CA Certificate); ROLE_3 (the rule is a Role specified in an Access Token); GROUPID_4 (the rule is a user group specified in the Access Token); ANONYMOUS_5 (the rule specifies an Anonymous UserIdentityToken); AUTHENTICATED_USER_6 (the rule specifies any non-Anonymous UserIdentityToken).
criteria | String | The criteria which the UserIdentityToken must meet for a Session to be mapped to the Role. The meaning of the criteria depends on the criteriaType. The criteria is an empty string ("") for ANONYMOUS_5 and AUTHENTICATED_USER_6.

If the criteriaType is USERNAME_1, the criteria is the name of a user known to the Server. For example, the user could be the name of a local operating system account.
If the criteriaType is THUMBPRINT_2, the criteria is the thumbprint of a Certificate of a user or CA which is trusted by the Server.
If the criteriaType is ROLE_3, the criteria is the name of a restriction found in the Access Token. For example, the Role "subscriber" may only be allowed to access PubSub related Nodes.
If the criteriaType is GROUPID_4, the criteria is a generic text identifier for a user group specific to the Authorization Service. For example, an Authorization Service providing access to an Active Directory may add one or more Windows Security Groups to the Access Token. OPC 10000-6 provides details on how groups are added to Access Tokens.
If the criteriaType is ANONYMOUS_5, the criteria is a null string, which indicates that no user credentials have been provided.
If the criteriaType is AUTHENTICATED_USER_6, the criteria is a null string, which indicates that any valid user credentials have been provided.
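The following Python script is added here as an illustration; it is not part of the specification or of any OPC Foundation code. It models how a Server could combine the Identities, Applications/ApplicationsExclude and Endpoints/EndpointsExclude Properties described above with the IdentityMappingRuleType criteria of Table F.3 to decide whether a Role is granted to a Session. The SessionContext class, the use of EndpointUrl strings in place of EndpointType structures, treating an absent Applications or Endpoints Property as "no restriction", and case-insensitive thumbprint comparison are assumptions made for the example; the Role configuration and Sessions are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional


class IdentityCriteriaType(IntEnum):
    """Identity CriteriaType enumeration values from Table F.3."""
    USERNAME_1 = 1
    THUMBPRINT_2 = 2
    ROLE_3 = 3
    GROUPID_4 = 4
    ANONYMOUS_5 = 5
    AUTHENTICATED_USER_6 = 6


@dataclass(frozen=True)
class IdentityMappingRule:
    """IdentityMappingRuleType; criteria is "" for ANONYMOUS_5 / AUTHENTICATED_USER_6."""
    criteria_type: IdentityCriteriaType
    criteria: str = ""


@dataclass
class RoleConfig:
    """Properties of one RoleType instance. None means the Optional Property is absent."""
    identities: List[IdentityMappingRule]
    applications: Optional[List[str]] = None  # ApplicationUris (Applications Property)
    applications_exclude: bool = False         # ApplicationsExclude; FALSE when absent
    endpoints: Optional[List[str]] = None      # EndpointUrls stand in for EndpointType (assumption)
    endpoints_exclude: bool = False            # EndpointsExclude; FALSE when absent


@dataclass
class SessionContext:
    """Hypothetical summary of what the Server knows about a Session (not a spec type)."""
    anonymous: bool = True
    user_name: Optional[str] = None
    cert_thumbprint: Optional[str] = None
    token_roles: FrozenSet[str] = frozenset()   # Roles carried in an Access Token
    token_groups: FrozenSet[str] = frozenset()  # groups carried in an Access Token
    application_uri: str = ""                   # from the Client's Application Instance Certificate
    endpoint_url: str = ""                      # Endpoint the Session was created on


def rule_matches(rule: IdentityMappingRule, ctx: SessionContext) -> bool:
    """Does this mapping rule select the Session's UserIdentityToken?"""
    t = rule.criteria_type
    if t is IdentityCriteriaType.ANONYMOUS_5:
        return ctx.anonymous
    if t is IdentityCriteriaType.AUTHENTICATED_USER_6:
        return not ctx.anonymous
    if ctx.anonymous:
        return False  # the remaining criteria all need a credential to compare against
    if t is IdentityCriteriaType.USERNAME_1:
        return ctx.user_name == rule.criteria
    if t is IdentityCriteriaType.THUMBPRINT_2:
        return (ctx.cert_thumbprint or "").upper() == rule.criteria.upper()  # hex digest (assumption)
    if t is IdentityCriteriaType.ROLE_3:
        return rule.criteria in ctx.token_roles
    if t is IdentityCriteriaType.GROUPID_4:
        return rule.criteria in ctx.token_groups
    return False


def list_permits(value: str, items: Optional[List[str]], exclude: bool) -> bool:
    """Include/exclude semantics shared by Applications and Endpoints.

    Absent list: no restriction (assumption, the Property is Optional).
    exclude=False: only listed values are in the Role, so an empty list admits nobody.
    exclude=True: listed values are kept out; everything else is in the Role.
    """
    if items is None:
        return True
    listed = value in items
    return (not listed) if exclude else listed


def role_granted(role: RoleConfig, ctx: SessionContext) -> bool:
    """Evaluate Identities first, then the application and endpoint restrictions."""
    if not role.identities:
        return False  # empty Identities array: the Role cannot be granted to any Session
    if not any(rule_matches(r, ctx) for r in role.identities):
        return False
    if not list_permits(ctx.application_uri, role.applications, role.applications_exclude):
        return False
    return list_permits(ctx.endpoint_url, role.endpoints, role.endpoints_exclude)


# Constructed sample: operators may only act from the station HMI and never over the
# endpoint with no security.
HMI = "urn:example:hmi:station1"
SECURE = "opc.tcp://plc.example:4840/secure"
INSECURE = "opc.tcp://plc.example:4840/none"
OPERATOR = RoleConfig(
    identities=[IdentityMappingRule(IdentityCriteriaType.GROUPID_4, "Operators"),
                IdentityMappingRule(IdentityCriteriaType.USERNAME_1, "alice")],
    applications=[HMI], applications_exclude=False,
    endpoints=[INSECURE], endpoints_exclude=True,
)


def evaluate_samples() -> dict:
    """Constructed Sessions run against OPERATOR; each key names the case."""
    ops = frozenset({"Operators"})
    return {
        "alice_hmi_secure": role_granted(OPERATOR, SessionContext(False, "alice", application_uri=HMI, endpoint_url=SECURE)),
        "alice_hmi_insecure": role_granted(OPERATOR, SessionContext(False, "alice", application_uri=HMI, endpoint_url=INSECURE)),
        "bob_group_unknown_app": role_granted(OPERATOR, SessionContext(False, "bob", token_groups=ops, application_uri="urn:example:laptop", endpoint_url=SECURE)),
        "bob_group_hmi": role_granted(OPERATOR, SessionContext(False, "bob", token_groups=ops, application_uri=HMI, endpoint_url=SECURE)),
        "anonymous_hmi": role_granted(OPERATOR, SessionContext(True, application_uri=HMI, endpoint_url=SECURE)),
    }
```

Note the asymmetry that falls out of the text: with ApplicationsExclude absent or FALSE, an empty Applications array admits no Client at all, whereas an absent Applications Property imposes no restriction in this model. An administrator who intends "no restriction" should leave the Property out rather than write an empty list.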
This Method is used to add an identity mapping rule to a Role.
The Client shall use an encrypted channel and shall provide user credentials with administrator rights when invoking this Method on the Server.
Signature
AddIdentity(
    [in] IdentityMappingRuleType Rule
);

Argument | Description
Rule | The rule to add.

Method Result Codes
ResultCode | Description
Bad_InvalidArgument | The rule is not valid.
Bad_RequestNotAllowed | The rule cannot be added to the Role because of Server imposed restrictions.
Bad_NotSupported | The rule is not supported by the Server.
Bad_AlreadyExists | An equivalent rule already exists.
This Method is used to remove an identity mapping rule from a Role.
The Client shall provide user credentials with administrator rights when invoking this Method on the Server.
Signature
RemoveIdentity(
    [in] IdentityMappingRuleType Rule
);

Argument | Description
Rule | The rule to remove.

Method Result Codes
ResultCode | Description
Bad_NotFound | The rule does not exist.
Bad_UserAccessDenied | The session user is not allowed to configure the object.
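As an added example (not code from the specification or from any OPC Foundation implementation), the following Python sketch shows a Server-side handler for AddIdentity and RemoveIdentity that returns the result codes listed in the two tables above, including the Server-imposed restriction from F.3.3 that refuses an ANONYMOUS_5 rule on a Role with administrator privileges. The RoleObject class, its administrative flag and supported-criteria set, the string result codes, the decision to refuse AUTHENTICATED_USER_6 on administrative Roles as well, and case-insensitive thumbprint equivalence are assumptions for the example; the administrator-rights check uses Bad_UserAccessDenied, which the RemoveIdentity table lists.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Identity CriteriaType values from Table F.3.
USERNAME_1, THUMBPRINT_2, ROLE_3, GROUPID_4, ANONYMOUS_5, AUTHENTICATED_USER_6 = range(1, 7)

# Result codes from the AddIdentity / RemoveIdentity tables (string names stand in for StatusCodes).
GOOD = "Good"
BAD_INVALID_ARGUMENT = "Bad_InvalidArgument"
BAD_REQUEST_NOT_ALLOWED = "Bad_RequestNotAllowed"
BAD_NOT_SUPPORTED = "Bad_NotSupported"
BAD_ALREADY_EXISTS = "Bad_AlreadyExists"
BAD_NOT_FOUND = "Bad_NotFound"
BAD_USER_ACCESS_DENIED = "Bad_UserAccessDenied"


@dataclass(frozen=True)
class IdentityMappingRule:
    """IdentityMappingRuleType: criteriaType plus criteria string."""
    criteria_type: int
    criteria: str


def normalize(rule: IdentityMappingRule) -> Optional[IdentityMappingRule]:
    """Canonical form of a rule, or None if the rule is not valid (Bad_InvalidArgument).

    ANONYMOUS_5 and AUTHENTICATED_USER_6 carry a null criteria; every other type needs a
    non-empty criteria. Thumbprints are hex digests and are compared case-insensitively,
    an assumption that also defines which rules count as "equivalent" for Bad_AlreadyExists.
    """
    if rule.criteria_type not in range(1, 7):
        return None
    if rule.criteria_type in (ANONYMOUS_5, AUTHENTICATED_USER_6):
        return IdentityMappingRule(rule.criteria_type, "") if not rule.criteria else None
    if not rule.criteria:
        return None
    crit = rule.criteria.upper() if rule.criteria_type == THUMBPRINT_2 else rule.criteria
    return IdentityMappingRule(rule.criteria_type, crit)


class RoleObject:
    """Hypothetical server-side RoleType instance (assumption: flag marks admin Roles)."""

    def __init__(self, name: str, administrative: bool, supported: Iterable[int] = range(1, 7)):
        self.name = name
        self.administrative = administrative
        self.supported = set(supported)  # criteria types this Server can evaluate
        self.identities: List[IdentityMappingRule] = []

    def add_identity(self, caller_is_admin: bool, rule: IdentityMappingRule) -> str:
        if not caller_is_admin:
            return BAD_USER_ACCESS_DENIED
        canonical = normalize(rule)
        if canonical is None:
            return BAD_INVALID_ARGUMENT
        if canonical.criteria_type not in self.supported:
            return BAD_NOT_SUPPORTED
        # Server-imposed restriction (F.3.3): never map anonymous, or merely authenticated,
        # users onto a Role with administrator privileges.
        if self.administrative and canonical.criteria_type in (ANONYMOUS_5, AUTHENTICATED_USER_6):
            return BAD_REQUEST_NOT_ALLOWED
        if canonical in self.identities:
            return BAD_ALREADY_EXISTS
        self.identities.append(canonical)
        return GOOD

    def remove_identity(self, caller_is_admin: bool, rule: IdentityMappingRule) -> str:
        if not caller_is_admin:
            return BAD_USER_ACCESS_DENIED
        canonical = normalize(rule)
        if canonical is None or canonical not in self.identities:
            return BAD_NOT_FOUND
        self.identities.remove(canonical)
        return GOOD


def demo() -> Dict[str, str]:
    """Constructed calls against two Roles; each key names the case."""
    admin = RoleObject("SecurityAdmin", administrative=True)
    operator = RoleObject("Operator", administrative=False, supported={USERNAME_1, ANONYMOUS_5})
    return {
        "non_admin_caller": admin.add_identity(False, IdentityMappingRule(USERNAME_1, "alice")),
        "anonymous_on_admin": admin.add_identity(True, IdentityMappingRule(ANONYMOUS_5, "")),
        "empty_username": admin.add_identity(True, IdentityMappingRule(USERNAME_1, "")),
        "thumbprint_added": admin.add_identity(True, IdentityMappingRule(THUMBPRINT_2, "ab12")),
        "thumbprint_duplicate": admin.add_identity(True, IdentityMappingRule(THUMBPRINT_2, "AB12")),
        "remove_unknown": admin.remove_identity(True, IdentityMappingRule(USERNAME_1, "nobody")),
        "group_unsupported": operator.add_identity(True, IdentityMappingRule(GROUPID_4, "Operators")),
        "anonymous_on_operator": operator.add_identity(True, IdentityMappingRule(ANONYMOUS_5, "")),
    }
```

The order of checks matters for what an attacker learns: the caller's rights are verified before the rule is parsed or compared against existing rules, so an unauthorized Client receives Bad_UserAccessDenied and cannot use Bad_AlreadyExists responses to enumerate the mapping rules of a Role.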
This Method is used to add an application mapping rule to a Role.
The Client shall provide user credentials with administrator rights when invoking this Method on the Server.
Signature
AddApplication(
    [in] String ApplicationUri
);

Argument | Description
ApplicationUri | The ApplicationUri for the application.

Method Result Codes
ResultCode | Description
Bad_InvalidArgument | The ApplicationUri is not valid.
Bad_RequestNotAllowed | The mapping cannot be added to the Role because of Server imposed restrictions.
Bad_AlreadyExists | The ApplicationUri is already assigned to the Role.
Bad_UserAccessDenied | The session user is not allowed to configure the object.
This Method is used to remove an application mapping rule from a Role.
The Client shall provide user credentials with administrator rights when invoking this Method on the Server.
Signature
RemoveApplication(
    [in] String ApplicationUri
);

Argument | Description
ApplicationUri | The ApplicationUri for the application.

Method Result Codes
ResultCode | Description
Bad_NotFound | The ApplicationUri is not assigned to the Role.
Bad_UserAccessDenied | The session user is not allowed to configure the object.
This Method is used to add an endpoint mapping rule to a Role.
The Client shall provide user credentials with administrator rights when invoking this Method on the Server.
Signature
AddEndpoint(
    [in] EndpointType Endpoint
);

Argument | Description
Endpoint | The Endpoint to add.

Method Result Codes
ResultCode | Description
Bad_InvalidArgument | The EndpointUrl is not valid.
Bad_RequestNotAllowed | The mapping cannot be added to the Role because of Server imposed restrictions.
Bad_AlreadyExists | The EndpointUrl is already assigned to the Role.
Bad_UserAccessDenied | The session user is not allowed to configure the object.
This Method is used to remove an endpoint mapping rule from a Role.
The Client shall provide user credentials with administrator rights when invoking this Method on the Server.
Signature
RemoveEndpoint(
    [in] EndpointType Endpoint
);

Argument | Description
Endpoint | The Endpoint to remove.

Method Result Codes
ResultCode | Description
Bad_NotFound | The EndpointUrl is not assigned to the Role.
Bad_UserAccessDenied | The session user is not allowed to configure the object.