39 result(s) for Roles
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
3.1.18 Claim
knows to be true Note 1 to entry: Claims can include username, email, and Roles granted to the subject
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
4.12 Roles
Roles OPC UA provides standard approach for implementing role based security. Servers could choose to implement none, part or all of mechanisms defined ... approach assigns Permissions to Roles illustrated in Figure 6. Clients are then granted Roles based on connection information (Session creation). Roles could be restricted by User Authentication, Application Authentication, SecurityModes
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
5.2.4 Authorization
Authorization Authorization could be provided via Roles (4.12) and supplied by a Authorization Server in a GDS. In an environment of mixed vendor products, the GDS can provide a consistent
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
This could even be done for a short period of time. Roles such as SecurityAdmin or ConfigureAdmin should not be granted to a user except when the user is actively
-
OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
4.9.1 Overview
Role is a function assumed by a Client when it accesses a Server. Roles are used to separate authentication (determining who a Client is) from authorization (determining what the Client ... credentials while the Server only manages the Permissions on its Nodes assigned to Roles. The set of Roles supported by a Server are published as components of the RoleSet Object
-
OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
4.9.2 Well Known Roles
Well Known Roles The NodeIds for the well-known Roles are defined in OPC 10000-6. All Servers should support the well-known Roles which are defined in Table ... Table 2 - Well-Known Roles BrowseName Suggested Permissions Anonymous The Role is allowed to browse and read non-security related Nodes only in the Server Object and all type Nodes
-
OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
Evaluating Permissions with Roles When a Client attempts to access a Node, the Server goes through the list of Roles granted to the Session and logically ORs the Permissions ... operation can proceed. If they are not set the Server returns Bad_UserAccessDenied. Roles appear under the Roles Object in the Server Address Space. Each Role has mapping rules defined
-
OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
5.2.9 RolePermissions
optional RolePermissions Attribute specifies the Permissions that apply to a Node for all Roles which have access to the Node. The value of the Attribute is an array of RolePermissionType ... that are not valid for the Node. If a Server publishes information about the Roles for a Namespace assigned to the current Session, it shall add the DefaultUserRolePermissions Property
-
OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model
5.2.10 UserRolePermissions
optional UserRolePermissions Attribute specifies the Permissions that apply to a Node for all Roles granted to current Session. The value of the Attribute is an array of RolePermissionType Structures ... Attribute is derived from the rules used by the Server to map Sessions to Roles. This mapping may be vendor specific or it may use the standard Role model defined
-
OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model
6.3.2 ServerCapabilitiesType
Object. AggregateFunctions are Objects of AggregateFunctionType. The RoleSet Object is used to publish all Roles supported by the Server. The RoleSetType is specified in OPC 10000-18. MaxSessions
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.5.2.3 Access Tokens
groups. For example, Azure AD user account groups may be returned in this claim. roles array No A list of roles which are assigned to the subject. Roles apply ... requestor and describe what the requestor can do with the resource. Roles are list of unique names for roles known to the Authorization Service. These values are typically mapped
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
F.3 UANode
specification then the RolePermissions are the minimum requirements. Implementors can add additional Roles that have privileges equivalent to the Roles specified, however, they may not make the Node more accessible ... example, Anonymous or AuthenticatedUser Roles shall not be granted more access to the Node than is specified in this field. Similarly, the AccessRestrictions are the minimum required. For example
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
Roles and Privileges GlobalDiscoveryServers restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access ... Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles used in for a GDS are listed in Table 1. Table
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
Sessions with Clients which have not be authenticated as one of the GDS administrative Roles. If the GDS has to close Sessions, it should first close Sessions without GDS management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
Roles and Privileges CertificateManagers restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access ... Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles used for CertificateManagers are listed in Table 18. Table 18 - Well-known
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
7.8.5.3 ConfirmUpdate
method shall be specified by the subtype and should require one of the administrator Roles. Signature ConfirmUpdate( [in] 0:Guid UpdateId ); Argument Description UpdateId The id returned by CloseAndUpdate. Method
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
Roles and Privileges KeyCredentialServices restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access ... Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles used for a KeyCredentialService are listed in Table 120. Table 120 - Well
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
8.5.5 StartRequest
certificate is provided this field shall be provided. RequestedRoles A list of Roles which should be assigned to the KeyCredential. If not provided the Server chooses suitable defaults. The Server ... ignores Roles which it does not recognize or if the caller is not authorized to request access to the Role. RequestId A unique identifier for the request. This identifier shall
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
8.5.6 FinishRequest
SecurityPolicies. SecurityPolicyUri The SecurityPolicy used to create the CredentialSecret. GrantedRoles A list of Roles which have been granted to KeyCredential. If empty then the information is not relevant
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.1 Overview
defined in OPC 10000-5. In this scenario, the mapping rules assigned to the Roles known to the Server are used to populate an AccessToken with the Roles associated with ... Client submits the request. This scenario is illustrated in Figure 29. Figure 29 - Roles and AuthorizationServices When requesting AccessTokens from an AuthorizationService Object there are three primary use cases based
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
Roles and Privileges AuthorizationServices restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access ... Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles for an AuthorizationService are listed in Table 142. Table 142 - Well-known
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.3 Implicit
with any claims granted to the Client. The AccessToken includes a list of network Roles granted to the Client. The network Roles are abstract Roles defined by the system administrator ... that are mapped onto the Roles supported by each Target Server with IdentityMappingRules set by the administrator (see OPC 10000-18). Once the Client has the AccessToken, it passes
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.5 Chained
Authorization Server" is needed to map the IT users onto system specific Roles. This use case is illustrated in Figure 32. Figure 32 - Chained Authorization The "Target Server
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.6.4 AuthorizationServiceType
accepted by the RequestAccessToken or FinishRequestToken Methods. The SupportedRoles Property specifies the system-wide Roles which may be included in an AccessToken. Each target Server uses mapping rules ... specify the relationship between the system-wide Roles and Roles known to the target Server. The GetServiceDescription Method is used to read the metadata used to request AccessTokens. The RequestAccessToken
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.6.7 FinishRequestToken
granted to the AccessToken. If RequestedRoles are not provided the AuthorizationService includes all Roles available to the UserIdentityToken provided in the call. The SupportedRoles Property provides all Roles supported ... DateTime RefreshTokenExpiryTime ); Argument Description RequestId The identifier returned by StartRequestToken. RequestedRoles The list of Roles from the SupportedRoles Property that the requestor wants access to. If none are specified then
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
5.3.7 SecurityGroup
NetworkMessage. A Security Key Service (SKS) manages SecurityGroups and maintains a mapping between Roles and their access Permissions for a SecurityGroup. This mapping defines if a Publisher or Subscriber
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
5.4.5.2 SecurityGroup Management
entity with knowledge of SecurityGroups and it maintains a mapping between Roles and SecurityGroups. The related User Authorization model is defined in OPC 10000-3. The User Authorization model defines ... mapping of identities to Roles and the mechanism to set Permissions for Roles on a Node. The Permissions on a SecurityGroup Object is used to determine if a Role
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
Subscribers can request keys if the Access Token they provide is mapped to Roles that have been granted Permission to Browse the SecurityGroup Object
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
7.3.4.7.2 MessageType mapping
after DataSetMessages are sent to the MQTT broker. It is therefore recommended to synchronize Roles used to configure read permissions to the topics with the Roles required to access
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
Security Key Service Roles A SKS should support the well-known Roles for SKS which are defined in Table 231. The NodeIds for the well-known Roles are defined ... Table 231 - Well-Known SKS Roles BrowseName Suggested Permissions SecurityKeyServerAdmin This Role allows an administrator to manage SecurityGroups and PushTargets on a SKS. This includes executing methods related to management
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.1 General
mechanisms defined here. The OPC UA approach assigns Permissions to Roles for each Node in the AddressSpace. Clients are then granted Roles when they create a Session based ... information provided by the Client. Roles are used to separate authentication (determining who a Client is with a user token and Client application identity) from authorization (Permissions determining what
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.2.2 AddRole Method
Role when invoking this Method on the Server. OPC 10000-3 defines well-known Roles. If this Method is to be used to add a well-known Role, the name ... namespace URI. The Server shall use the NodeIds for the well-known Roles in this case. The NodeIds for the well-known Roles are defined in OPC 10000-6. Signature
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.2.3 RemoveRole Method
Role Object to remove. The Server may prohibit the removal of some Roles because they are necessary for the Server to function. If a Role is removed all Permissions associated
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.3 RoleSet
RoleSet The RoleSet Object defined in Table 4 is used to publish all Roles supported by the Server. Table 4 - RoleSet definition Attribute Value BrowseName RoleSet References Node Class BrowseName ... RoleType Conformance Units Security Role Server Base 2 Servers should support the well-known Roles which are defined in OPC 10000-3. The default Identities for the Anonymous Role shall
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.4.1 RoleType definition
writeable and callable by authorized administrators through an encrypted channel. The configuration of the Roles is done through Method calls. The only exceptions are the ApplicationsExclude and EndpointsExclude Properties ... Role and the assignment of the Role to Sessions is vendor specific. Roles are required to support the RolePermissions Attribute. If a Server want to support RolePermissions
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
5.2.8 ChangePassword Method
user and the new password to apply the change and to get the Roles configured for the user. The successful change of the password sets the MustChangePassword for the user
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
4.2.6 Roles and Privileges
Roles and Privileges Registrars and DCA Servers need to restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which ... named Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. Privileges are needed because not all restrictions can be expressed simply by granting Role permissions
-
OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
5.9 Well Known Roles
Well Known Roles All Servers supporting OPC UA FX should support the well-known Roles as defined in OPC 10000-3. The well-known Role ConfigureAdmin should be extended ... well-known Role as defined in Table 3. Table 3 - UAFX defined well-known roles BrowseName Suggested Permissions 3:ConnectionAdmin The Role is allowed to establish, close, and modify Connections
-
OPC-10000-81 – OPC Unified Architecture - Part 81: UAFX Connecting Devices and Information Model
13.2.1 Locating Server
encryption. This includes: Application Authentication based on security mode and policy The use of Roles (this may require user authentication or specific application certificates) If SecurityPolicyUri contains "BestAvailable