9.2 Roles and Privileges

AuthorizationServices restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles for an AuthorizationService are listed in Table 142.

Table 142 – Well-known Roles for an AuthorizationService
| Name | Description |
|---|---|
| AuthorizationServiceAdmin | This Role grants the right to manage the configuration of an AuthorizationService. |
| SecurityAdmin | This Role grants the right to change the security configuration of an AuthorizationService. |

The Privileges for an AuthorizationService are listed in Table 143.

Table 143 – Privileges for an AuthorizationService
| Name | Description |
|---|---|
| AccessTokenRequestor | This Privilege grants an OPC UA Application the right to request AccessTokens. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application. A KeyCredential (see 8) provided as a UserIdentityToken may also be used to determine if the Client has access to this Privilege. |