The IdentityMappingRuleTypestructure defines a single rule for selecting a UserIdentityToken. The structure is described in Table F.3.

Table F.3– IdentityMappingRuleType






Specifies a rule used to map a UserIdentityTokento a Role.





The type of criteria contained in the rule.

USERNAME_1The rule specifies a UserName from a UserNameIdentityToken;

THUMBPRINT_2The rule specifies the Thumbprintof a User or CA Certificate;

ROLE_3 The rule is a Rolespecified in an Access Token;

GROUPID_4 The rule is a user group specified in the Access Token;

ANONYMOUS_5The rule specifies Anonymous UserIdentityToken;

AUTHENTICATED_USER_6The rules specify any non-Anonymous UserIdentityToken;



The criteria which the UserIdentityTokenmust meet for a Sessionto be mapped to the Role. The meaning of the criteria depends on the mappingType. The criteria are a “” for ANONYMOUS_5 and AUTHENTICATED_USER_6

If the criteriaType is USERNAME_1, the criteria is a name of a user known to the Server, For example, the user could be the name of a local operating system account.

If the criteriaType is THUMBPRINT_2, the criteria is a thumbprint of a Certificateof a user or CA which is trusted by the Server.

If the criteriaType is ROLE_3, the criteria is a name of a restriction found in the Access Token. For example, the Role“subscriber” may only be allowed to access PubSubrelated Nodes.

If the criteriaType is GROUPID_4, the criteria is a generic text identifier for a user group specific to the Authorization Service.For example, an Authorization Serviceproviding access to an Active Directory may add one or more Windows Security Groups to the Access Token. OPC 10000-6provides details on how groups are added to Access Tokens.

If the criteriaType is ANONYMOUS_5, the criteria is a null string which indicates no user credentials have been provided.

If the criteriaType is AUTHENTICATED_USER_6, the criteria is a null string which indicates any valid user credentials have been provided.