Annex F (normative) User Authorization ToC Previous

F.3 RoleType ToC Previous Next

F.3.1 RoleType Definition ToC Previous Next index

Each Role Object has the Properties and Methods defined by the RoleType which is formally defined in Table F.2.

Table F.2 – RoleType Definition

Attribute Value        
BrowseName RoleType        
IsAbstract False        
References Node Class BrowseName DataType TypeDefinition Modelling Rule
Subtype of BaseObjectType          
           
HasProperty Variable Identities IdentityMapping
RuleType []
PropertyType Mandatory
HasProperty Variable ApplicationsExclude Boolean PropertyType Optional
HasProperty Variable Applications String [] PropertyType Optional
HasProperty Variable EndpointsExclude Boolean PropertyType Optional
HasProperty Variable Endpoints EndpointType [] PropertyType Optional
HasComponent Method AddIdentity Defined in F.3.3. Optional  
HasComponent Method RemoveIdentity Defined in F.3.4. Optional  
HasComponent Method AddApplication Defined in F.3.3. Optional  
HasComponent Method RemoveApplication Defined in F.3.4. Optional  
HasComponent Method AddEndpoint Defined in F.3.3. Optional  
HasComponent Method RemoveEndpoint Defined in F.3.4. Optional  

The Properties and Methods of the RoleType contain sensitive security related information and shall only be browseable, writeable and callable by authorized administrators through an encrypted channel.

The Identities Property specifies the currently configured rules for mapping a UserIdentityToken to the Role. If this Property is an empty array, then the Role cannot be granted to any Session.

The ApplicationsExclude Property defines the Applications Property as an include list or exclude list. If this Property is not provided or has a value of FALSE then only Application Instance Certificates included in the Applications Property shall be included in this Role. All other Application Instance Certificates shall not be included in this Role. If this Property has a value of TRUE then all Application Instance Certificates included in the Applications Property shall be excluded from this Role. All other Application Instance Certificates shall be included in this Role.

The Applications Property specifies the Application Instance Certificates of Clients which shall be included or excluded from this Role. Each element in the array is an ApplicationUri from a Client Certificate which is trusted by the Server.

The EndpontsExclude Property defines the Endpoints Property as an include list or exclude list. If this Property is not provided or has a value of FALSE then only Endpoints included in the Endpoints Property shall be included in this Role. All other Endpoints shall not be include this Role. If this Property has a value of TRUE then all Endpoints included in the Endpoints Property shall be excluded from this Role. All other Endpoints shall be included in this Role.

The Endpoints Property specifies the Endpoints which shall be included or excluded from this Role. The value is an EndpointType array which contains one or more Endpoint descriptions. The EndpointType DataType is defined in 12.22.

The AddIdentity Method adds a rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present. A Server should prevent certain rules from being added to particular Roles. For example, a Server should refuse to allow an ANONYMOUS_5 (see F.3.2) mapping rule to be added to Roles with administrator privileges.

The RemoveIdentity Method removes a mapping rule used to map a UserIdentityToken to the Role. If the Server does not allow changes to the mapping rules, then the Method is not present.

The AddApplication Method adds an Application Instance Certificate to the list of. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role the Method is not present.

The RemoveApplication Method removes an Application Instance Certificate from the list of applications. If the Server does not enforce application restrictions or does not allow changes to the mapping rules for the Role the Method is not present.

Previous Next