KeyCredentialServices restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles used for a KeyCredentialService are listed in Table 77.

Table 77 – Well-known Roles for a KeyCredentialService

Name

Description

KeyCredentialAdmin

This Role grants rights to request or revoke any KeyCredential.

SecurityAdmin

This Role grants the right to change the security configuration of a KeyCredentialService.

The well-known Roles for Server managed by a KeyCredentialService are listed in Table 78.

Table 78 – Well-known Roles for Server managed by a KeyCredentialService

Name

Description

SecurityAdmin

For PushManagement, this Role grants the right to change the security configuration of a Server managed by a KeyCredentialService.

The Privileges used for a KeyCredentialService are listed in Table 79.

Table 79 – Privileges for a KeyCredentialService

Name

Description

ApplicationSelfAdmin

This Privilege grants an OPC UA Application the right to request its own KeyCredentials.

The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application.

ApplicationAdmin

This Privilege grants rights to request KeyCredentials for one or more OPC UA Applications.

The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application and the set of OPC UA Applications that it is authorized to manage.