Servers shall allow Method invocation only for Sessions using user accounts with the right to invoke Methods. There shall exist user accounts with restricted rights (that is, no Method invocation unless explicitly allowed for all users for a specific Method) for Clients performing data acquisition or diagnosis also.

If well-known Roles are supported by the Server, role-based security (see [OPC 10000-18] shall be applied. Method invocation shall only be possible if the well-known “Operator” Role is granted to the Client’s Session. This applies to all Methods except for those where the restriction is lifted explicitly.

All Variables are read-only. Modifying the content of Variables shall only be possible by invoking a “Set-” Method.