The IdentityMappingRuleType structure defines a single rule for selecting a UserIdentityToken. The structure is described in Table F.3.

Table F.3 – IdentityMappingRuleType






Specifies a rule used to map a UserIdentityToken to a Role.





The type of criteria contained in the rule.

USERNAME_1The rule specifies a UserName from a UserNameIdentityToken;

THUMBPRINT_2The rule specifies the Thumbprint of a User or CA Certificate;

ROLE_3 The rule is a Role specified in an Access Token;

GROUPID_4 The rule is a user group specified in the Access Token;

ANONYMOUS_5The rule specifies Anonymous UserIdentityToken;

AUTHENTICATED_USER_6The rules specify any non-Anonymous UserIdentityToken;



The criteria which the UserIdentityToken must meet for a Session to be mapped to the Role. The meaning of the criteria depends on the mappingType. The criteria are a “” for ANONYMOUS_5 and AUTHENTICATED_USER_6

If the criteriaType is USERNAME_1, the criteria is a name of a user known to the Server, For example, the user could be the name of a local operating system account.

If the criteriaType is THUMBPRINT_2, the criteria is a thumbprint of a Certificate of a user or CA which is trusted by the Server.

If the criteriaType is ROLE_3, the criteria is a name of a restriction found in the Access Token. For example, the Role “subscriber” may only be allowed to access PubSub related Nodes.

If the criteriaType is GROUPID_4, the criteria is a generic text identifier for a user group specific to the Authorization Service. For example, an Authorization Service providing access to an Active Directory may add one or more Windows Security Groups to the Access Token. OPC 10000-6 provides details on how groups are added to Access Tokens.

If the criteriaType is ANONYMOUS_5, the criteria is a null string which indicates no user credentials have been provided.

If the criteriaType is AUTHENTICATED_USER_6, the criteria is a null string which indicates any valid user credentials have been provided.