Registrars and DCA Servers need to restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access to, or by referring to named Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. Privileges are needed because not all restrictions can be expressed simply by granting Role permissions on Nodes. For example, authenticated Devices are granted the ability to update only their own information, which means the decision on granting access can depend on the values of the arguments passed to a Method call rather than on the permissions on the Method Node. The well-known Roles used in this document are listed in Table 3.

Table 3 – Well-known Roles for Onboarding




The Role grants rights to manage the Tickets known to the Registrar and approve Devices when automatic authentication was not possible.


The Role grants rights to set the software status for a Device.


The Role grants the right to change the security configuration of a Registrar or a DCA Server. For the DCA Server this includes the right to set the location of the Registrar or to force the Server to restart the authentication process.

The Privileges used in this document are listed in Table 4.

Table 4 – Privileges for Onboarding




The Device has rights to modify its own registration.


The Client is a DCA that has rights to request Certificates and TrustLists for Applications that it has been granted rights to.

For a detailed description of Roles, see OPC 10000-3.
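The following sketch is an added example, not text or code from the specification. It shows why a Privilege check must look at Method arguments while a Role check does not. The Role and Privilege labels, the `Session` fields, the `update_registration` handler and the sample data are all hypothetical, as is the assumption that an administrative Role may update any registration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical labels; the Role and Privilege names are not taken from the page.
ADMIN_ROLE = "example-registrar-admin-role"
SELF_ADMIN_PRIVILEGE = "example-device-self-admin-privilege"


class AccessDenied(Exception):
    """Raised when neither a Role nor a Privilege permits the call."""


@dataclass(frozen=True)
class Session:
    # Identity established when the Session was authenticated (for example
    # from the Device's certificate), never copied from Method arguments.
    authenticated_device_id: Optional[str]
    roles: frozenset = frozenset()
    privileges: frozenset = frozenset()


def authorize_update(session: Session, target_device_id: str) -> str:
    """Return which mechanism granted access, or raise AccessDenied."""
    # Role check: a permission on the Method Node, independent of arguments.
    if ADMIN_ROLE in session.roles:
        return "role"
    # Privilege check: depends on the argument value, so it cannot be
    # expressed as a Role permission on the Node.
    if SELF_ADMIN_PRIVILEGE in session.privileges:
        own_id = session.authenticated_device_id
        if own_id is not None and own_id == target_device_id:
            return "privilege"
        raise AccessDenied("Device may only modify its own registration")
    raise AccessDenied("Session has no Role or Privilege for this Method")


def update_registration(registry: dict, session: Session,
                        target_device_id: str, fields: dict) -> str:
    """Hypothetical Method handler: authorize first, then apply the change."""
    granted_by = authorize_update(session, target_device_id)
    registry.setdefault(target_device_id, {}).update(fields)
    return granted_by


# Constructed sample data.
REGISTRY = {"urn:example:device:A": {"fw": "1.0"},
            "urn:example:device:B": {"fw": "1.0"}}
DEVICE_A = Session("urn:example:device:A",
                   privileges=frozenset({SELF_ADMIN_PRIVILEGE}))
ADMIN = Session(None, roles=frozenset({ADMIN_ROLE}))
ANONYMOUS = Session(None)
```

The comparison uses the identity bound to the Session at authentication time; comparing against an identifier supplied by the caller would let any Device name another Device as the target.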