57 result(s) for Role
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.40 Role: function assumed by a Client when it accesses a Server. Note 1 to entry: A Role could refer to a specific job function such as operator or engineer
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 4.12 Roles: OPC UA provides a standard approach for implementing role based security. Servers could choose to implement none, part or all of mechanisms defined ... assigned to all Nodes in a Namespace or to specific Nodes. Figure 6 - Role overview. OPC UA defines a set of standard Roles that OPC UA Applications can use, these
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: user except when the user is actively performing duties associated with that Role
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: Part 12. This includes restricting all certificate management functionality to users with SecurityAdmin Role or comparable access rights. Furthermore, the list of Clients that are allowed to access management functionality
- OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model, 4.9.1 Overview: A Role is a function assumed by a Client when it accesses a Server. Roles are used to separate authentication (determining who a Client is) from authorization (determining what ... specific mapping rules in addition to or instead of the standard rules. The Anonymous Role is the default Role which is always assigned to all Sessions. The AuthenticatedUser Role
- OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model, 4.9.2 Well Known Roles: defined in Table 2. Table 2 - Well-Known Roles (BrowseName, Suggested Permissions): Anonymous: The Role is allowed to browse and read non-security related Nodes only in the Server Object ... type Nodes. AuthenticatedUser: The Role is allowed to browse and read non-security related Nodes. TrustedApplication: The Role is allowed to browse and read non-security related Nodes. Observer
- OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model: list of Roles granted to the Session and logically ORs the Permissions for the Role on the Node. If there are no Node specific Permissions then the default Permissions ... Role in the DefaultRolePermissions Property of the NamespaceMetadata for the namespace the Node belongs to are used (see OPC 10000-5). The resulting mask is the effective Permissions
- OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model, 5.2.9 RolePermissions: Table 8 - RolePermissionType (Name, Type, Description): RolePermissionType, Structure: Specifies the Permissions for a Role; roleId, NodeId: The NodeId of the Role Object; permissions, PermissionType: A mask specifying which Permissions ... available to the Role. See 8.55. Servers may allow administrators to write to the RolePermissions Attribute. If not specified, the value of DefaultRolePermissions Property from the NamespaceMetadata Object associated with
- OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model, 5.2.10 UserRolePermissions: determine their effective Permissions by performing a logical OR of Permissions for each Role in the array. The value of this Attribute is derived from the rules used ... Roles. This mapping may be vendor specific or it may use the standard Role model defined in 4.9. This Attribute shall not be writeable. When a Client reads the UserRolePermissions
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.5 X509IdentityTokens: configurable time after the token expires. The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session. Clients should
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.6 IssuedIdentityToken: configurable time after the token expires. The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session. Clients should
- OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model: defined in 7.11. CurrentRoleIds is an optional array providing the NodeId of each Role the Server has granted to the current Session. Since this information is security-related, Sessions other ... Session shall be restricted to authorized users, such as users who have the SecurityAdmin role, defined in OPC 10000-18. The additional definition for the ConformanceUnits of AuditActivateSessionEventType are defined
- OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model: AuditChannelEventType and its subtypes). CurrentRoleIds is an optional array providing the NodeId of each Role the Server has granted to the activated Session. The additional definition for the conformance units ... Table 35. Table 34 - AuditActivateSessionEventType Additional Conformance Units (BrowsePath, Conformance Units): CurrentRoleIds: Security Role Server Base
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, F.5 RolePermission: The RolePermission type specifies the Permissions granted to Role for a Node. The fields in the RolePermission type are defined in Table F.4. Table F.4 - RolePermission (Element, Type, Description) ... NodeId, NodeId: The NodeId of the Role which has the Permissions. Permissions, UInt32: A bitmask specifying the Permissions granted to the Role. The bitmask values the Permissions bits defined
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Table 1. Table 1 - Well-known Roles for a GDS (Name, Description): DiscoveryAdmin: This Role grants rights to register, update and unregister any OPC UA Application. SecurityAdmin: This Role grants
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Table 18. Table 18 - Well-known Roles for a CertificateManager (Name, Description): CertificateAuthorityAdmin: This Role grants rights to request or revoke any Certificate, update any TrustList or assign CertificateGroups ... Applications. RegistrationAuthorityAdmin: This Role grants rights to approve Certificate Signing requests or NewKeyPair requests. SecurityAdmin: This Role grants the right to change the security configuration of a CertificateManager. The well
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Purpose are considered. The CertificateManager needs credentials that will have access to the SecurityAdmin Role on the Server. Connect: The CertificateManager creates a secure connection using encryption and a Session ... with the Server. The Session requires access to the SecurityAdmin Role or equivalent. Possible credentials used to authenticate the CertificateManager are: CertificateManager ApplicationInstance Certificate; UserIdentityToken provided in ActivateSession. Update TrustList
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.7.5 Create Endpoint Workflow: ManagedApplications Folder. The CertificateManager needs credentials that will have access to the SecurityAdmin Role on the Server. Connect: This is described in Table 22. Read Current Configuration: The current configuration
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.5.1 ConfigurationFileType: appropriate users or applications. This should be ConfigureAdmin, SecurityAdmin or an equivalent administrative Role. The Open Method shall not support modes other than Read (0x01) and Read + Write (0x03). When
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.5 FinishRequest: Client will periodically call this Method until an entity with access to the RegistrationAuthorityAdmin Role has approved the request. If the Client experiences a network failure while waiting ... from an encrypted SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege, or the ApplicationSelfAdmin Privilege (see 7.2). In addition, the Client Certificate shall
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Table 120. Table 120 - Well-known Roles for a KeyCredentialService (Name, Description): KeyCredentialAdmin: This Role grants rights to request or revoke any KeyCredential. SecurityAdmin: This Role grants the right ... known Roles for Server managed by a KeyCredentialService (Name, Description): SecurityAdmin: For PushManagement, this Role grants the right to change the security configuration of a Server managed by a KeyCredentialService
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 8.5.5 StartRequest: from an encrypted SecureChannel and from a Client that has access to the KeyCredentialAdmin Role, the ApplicationAdmin Privilege, or the ApplicationSelfAdmin Privilege (see 8.2). Signature: StartRequest ([in] String ApplicationUri ... recognize or if the caller is not authorized to request access to the Role. RequestId: A unique identifier for the request. This identifier shall be passed to the FinishRequest
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.1 Overview: external AuthorizationService. The AuthorizationService is best used in conjunction with the Role model defined in OPC 10000-5. In this scenario, the mapping rules assigned to the Roles known
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Table 142. Table 142 - Well-known Roles for an AuthorizationService (Name, Description): AuthorizationServiceAdmin: This Role grants the right to manage the configuration of an AuthorizationService. SecurityAdmin: This Role grants
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: that defaults to ON; Always allow Clients to connect securely and assign the SecurityAdmin Role to Anonymous user if the TrustList is empty; Connect to the Server after toggling ... device which enables access for a short period. Add Client ApplicationUri to SecurityAdmin Role, remove Anonymous from SecurityAdmin Role; Provide a new Certificate and TrustList; Set the configuration flag
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 5.4.5.2 SecurityGroup Management: Node. The Permissions on a SecurityGroup Object is used to determine if a Role has access to the keys for the SecurityGroup. An example for setting up a SecurityGroup
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub: Table 231 - Well-Known SKS Roles (BrowseName, Suggested Permissions): SecurityKeyServerAdmin: This Role allows an administrator to manage SecurityGroups and PushTargets on a SKS. This includes executing methods related to management ... SecurityGroups and PushTargets on an SKS. SecurityKeyServerAccess: This Role allows a PubSub Application to access an SKS to pull keys. It is the default Role for pull
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.1 General: OPC UA defines a standard approach for implementing role-based security. Servers may choose to implement part or all of the mechanisms defined here. The OPC UA approach assigns ... Attributes. Figure 1 depicts the ObjectTypes, Objects and their components used to represent the Role management. Figure 1 - Role management overview
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.2.1 RoleSetType definition: Units Base Info ServerType. The AddRole Method allows configuration Clients to add a new Role to the Server. The RemoveRole Method allows configuration Clients to remove a Role from
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.2.2 AddRole Method: This Method is used to add a Role to the RoleSet Object defined in 4.3. The combination of the NamespaceUri and RoleName parameters are used to construct ... RoleSet Object. If the optional Properties EndpointsExclude and ApplicationsExclude are available on the Role Object created with this Method, the initial values of the EndpointsExclude and ApplicationsExclude Properties shall
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.2.3 RemoveRole Method: This Method is used to remove a Role from the RoleSet Object. The RoleNodeId is the NodeId of the Role Object to remove. The Server may prohibit ... some Roles because they are necessary for the Server to function. If a Role is removed all Permissions associated with the Role shall be deleted. Ideally these changes should take
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.3 RoleSet: Object Supervisor RoleType; HasComponent Object ConfigureAdmin RoleType; HasComponent Object SecurityAdmin RoleType; Conformance Units Security Role Server Base 2 Servers should support the well-known Roles which are defined ... default Identities for the Anonymous Role shall be Identities with the criteriaType IdentityCriteriaType.Anonymous and the criteriaType IdentityCriteriaType.AuthenticatedUser. The Anonymous Role is the default Role which is always assigned
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.1 RoleType definition: Each Role Object has the Properties and Methods defined by the RoleType which is formally defined in Table 6. Table 6 - RoleType definition (Attribute, Value): BrowseName: RoleType; IsAbstract ... Properties Identities, Applications and Endpoints shall be FALSE. If the configuration of a Role is changed, the Role assignment to active Session shall be re-evaluated and applied. The Identities
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.3 IdentityMappingRuleType: (Type, Description) IdentityMappingRuleType, Structure: Specifies a rule used to map a UserIdentityToken to a Role. criteriaType, Enumeration IdentityCriteriaType: The type of criteria contained in the identity mapping rule. The IdentityCriteriaType ... criteria which the UserIdentityToken must meet for a Session to be mapped to the Role. The meaning of the criteria depends on the criteriaType. The criteria shall be null
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.4 IdentityCriteriaType: from a UserNameIdentityToken. Thumbprint, 2: The rule specifies the Thumbprint of a user Certificate. Role, 3: The rule is a Role specified in an Access Token. GroupId, 4: The rule
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.5 AddIdentity Method: This Method is used to add an identity mapping rule to a Role. The Client shall use an encrypted channel and shall provide user credentials with administrator rights ... like SecurityAdmin Role when invoking this Method on the Server. Signature: AddIdentity ([in] IdentityMappingRuleType Rule); Argument, Description: Rule: The rule to add. Method Result Codes (ResultCode, Description): Bad_InvalidArgument
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.6 RemoveIdentity Method: This Method is used to remove an identity mapping rule from a Role. The Client shall use an encrypted channel and shall provide user credentials with administrator rights ... like SecurityAdmin Role when invoking this Method on the Server. Signature: RemoveIdentity ([in] IdentityMappingRuleType Rule); Argument, Description: Rule: The Rule to remove. Method Result Codes (ResultCode, Description): Bad_NotFound
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.7 AddApplication Method: This Method is used to add an application mapping rule to a Role. The Client shall use an encrypted channel and shall provide user credentials with administrator rights ... like SecurityAdmin Role when invoking this Method on the Server. Signature: AddApplication ([in] String ApplicationUri); Argument, Description: ApplicationUri: The ApplicationUri for the application. Method Result Codes (ResultCode, Description): Bad_InvalidArgument
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.8 RemoveApplication Method: This Method is used to remove an application mapping rule from a Role. The Client shall use an encrypted channel and shall provide user credentials with administrator rights ... like SecurityAdmin Role when invoking this Method on the Server. Signature: RemoveApplication ([in] String ApplicationUri); Argument, Description: ApplicationUri: The ApplicationUri for the application. Method Result Codes (ResultCode, Description): Bad_NotFound
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.9 AddEndpoint Method: This Method is used to add an endpoint mapping rule to a Role. The Client shall use an encrypted channel and shall provide user credentials with administrator rights ... like SecurityAdmin Role when invoking this Method on the Server. Signature: AddEndpoint ([in] EndpointType Endpoint); Argument, Description: Endpoint: The Endpoint to add. Method Result Codes (ResultCode, Description): Bad_InvalidArgument
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.10 RemoveEndpoint Method: This Method is used to remove an endpoint mapping rule from a Role. The Client shall use an encrypted channel and shall provide user credentials with administrator rights ... like SecurityAdmin Role when invoking this Method on the Server. Signature: RemoveEndpoint ([in] EndpointType Endpoint); Argument, Description: Endpoint: The Endpoint to remove. Method Result Codes (ResultCode, Description): Bad_NotFound
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security: RoleMappingRuleChangedAuditEventType: This Event is raised when a mapping rule for a Role is changed. This is the result of calling any of the add or remove Methods defined ... AddIdentity, RemoveIdentity, AddApplication, RemoveApplication, AddEndpoint or RemoveEndpoint Method causes an update to a Role. Its representation in the AddressSpace is formally defined in Table 20. Table 20 - RoleMappingRuleChangedAuditEventType definition Attribute
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 5.2.5 AddUser Method: encrypted channel and shall provide user credentials with administrator rights like SecurityAdmin Role when invoking this Method on the Server. Signature: AddUser ([in] String UserName, [in] String Password, [in] UserConfigurationMask
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 5.2.6 ModifyUser Method: encrypted channel and shall provide user credentials with administrator rights like SecurityAdmin Role when invoking this Method on the Server. Signature: ModifyUser ([in] String UserName, [in] Boolean ModifyPassword, [in] String
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 5.2.7 RemoveUser Method: encrypted channel and shall provide user credentials with administrator rights like SecurityAdmin Role when invoking this Method on the Server. If the user of the Session used to call
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 5.2.8 ChangePassword Method: Service ActivateSession shall return Good_PasswordChangeRequired and the activated Session shall have only the Role Anonymous. In this state, the Session shall be allowed to call ChangePassword for the user ... user if the user token type for the Session is USERNAME, even if the Role for the user is Anonymous. Signature: ChangePassword ([in] String OldPassword, [in] String NewPassword); Argument, Description
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.2.6 Roles and Privileges: Roles. Privileges are needed because not all restrictions can be expressed simply by granting Role permissions on Nodes. For example, authenticated Devices are granted the ability to update only their ... Table 3. Table 3 - Well-known Roles for Onboarding (Name, Description): RegistrarAdmin: The Role grants rights to manage the Tickets known to the Registrar and approve Devices when automatic authentication
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.5 RegisterDeviceEndpoint: from an authenticated SecureChannel and from a Session that has access to the RegistrarAdmin Role (see 4.2.6). Signature: RegisterDeviceEndpoint ([in] 0:ApplicationDescription application); Argument, Description: application: The Server which allows
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.11 RegisterTickets: This Method shall be called from a Session that has access to the RegistrarAdmin Role (see 4.2.6). Signature: RegisterTickets ([in] 0:EncodedTicket[] tickets, [out] 0:StatusCode[] results); Argument, Description: tickets
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.12 UnregisterTickets: This Method shall be called from a Session that has access to the RegistrarAdmin Role (see 4.2.6). Signature: UnregisterTickets ([in] 0:EncodedTicket[] tickets, [out] 0:StatusCode[] results); Argument, Description: tickets
- OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model: value from being changed or only to be changed by a specific entity or Role. Multiple ControlGroups might reference overlapping data. ControlGroups might be created dynamically or be pre-configured
- OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model, 5.9 Well Known Roles: support the well-known Roles as defined in OPC 10000-3. The well-known Role ConfigureAdmin should be extended as indicated in Table 2. Table 2 - Extended well-known role ... definition (BrowseName, Suggested Permissions): 0:ConfigureAdmin: The Role is allowed to browse the Information Model, execute methods related to application configuration, and read and write non-security-related configuration settings
- OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model, 6.2.5.1 CloseConnections signature: recommended that this Method has the execute privilege for the well-known Role ConnectionAdmin as defined in Clause 5.9. The signature of the Method is described below, and the arguments
- OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model, 6.7.3.2 Establishing Connections: Method invocation. It is recommended that the ConnectionManager has the well-known Role ConnectionAdmin as defined in Clause 5.9. NOTE: The specified configuration sequence applies to the establishment
- OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model: recommended that the system integrator Client use the well-known Role ConfigureAdmin, as defined in Clause 5.9, for accessing this Object. It is recommended that the modifiable content ... ConnectionConfigurationSet has the write privilege for the well-known Role ConfigureAdmin as defined in Clause 5.9. Lock is an instance of LockingServicesType, defined in OPC 10000-100, which provides
- OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model, F.3.3.1 CloseAndUpdate signature: recommended that this Method be restricted to Client connections that have the well-known Role ConfigureAdmin (see 5.9). If the file also contains SKS configuration, then it is recommended that ... Client also have the well-known Role SecurityKeyServerAdmin (see OPC 10000-14). The signature of the Method is described below, and the arguments are described in Table F.38. Signature: CloseAndUpdate
- OPC-10000-83 – OPC Unified Architecture - Part 83: UAFX Offline Engineering: library. The AML best practice is for all SystemUnitClasses to implement at least one Role. The RCL_OpcAmlMetaModel library contains one RoleClass UaBaseRole that all OPC UA-derived SUCs shall