The IdentityMappingRuleType structure defines a single rule for selecting a UserIdentityToken. The structure is described in Table F.3.

Table F.3 – IdentityMappingRuleType

| Name | Type | Description |
| --- | --- | --- |
| IdentityMappingRuleType | Structure | Specifies a rule used to map a UserIdentityToken to a Role. |
| criteriaType | Enumeration IdentityCriteriaType | The type of criteria contained in the rule. USERNAME_1: the rule specifies a UserName from a UserNameIdentityToken; THUMBPRINT_2: the rule specifies the Thumbprint of a User or CA Certificate; ROLE_3: the rule is a Role specified in an Access Token; GROUPID_4: the rule is a user group specified in the Access Token; ANONYMOUS_5: the rule specifies an Anonymous UserIdentityToken; AUTHENTICATED_USER_6: the rule specifies any non-Anonymous UserIdentityToken. |
| criteria | String | The criteria which the UserIdentityToken must meet for a Session to be mapped to the Role. The meaning of the criteria depends on the criteriaType. The criteria is an empty string (“”) for ANONYMOUS_5 and AUTHENTICATED_USER_6. |

The criteria field is interpreted according to the criteriaType as follows:

If the criteriaType is USERNAME_1, the criteria is the name of a user known to the Server. For example, the user could be the name of a local operating system account.

If the criteriaType is THUMBPRINT_2, the criteria is the thumbprint of a Certificate of a user or CA which is trusted by the Server.

If the criteriaType is ROLE_3, the criteria is the name of a restriction found in the Access Token. For example, the Role “subscriber” may only be allowed to access PubSub-related Nodes.

If the criteriaType is GROUPID_4, the criteria is a generic text identifier for a user group specific to the Authorization Service. For example, an Authorization Service providing access to an Active Directory may add one or more Windows Security Groups to the Access Token. OPC 10000-6 provides details on how groups are added to Access Tokens.

If the criteriaType is ANONYMOUS_5, the criteria is a null string, which indicates that no user credentials have been provided.

If the criteriaType is AUTHENTICATED_USER_6, the criteria is a null string, which indicates that any valid user credentials have been provided.
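As an added illustration that is not part of the specification text, the following Python sketch applies the rules of Table F.3 to decide which Roles an already-authenticated Session is mapped to. The SessionIdentity view and the Role-to-rule dictionary are assumptions of this example, not OPC UA types; matching is exact (no substrings or wildcards), thumbprints compare case-insensitively as hex digests, and a rule whose criteria does not fit its criteriaType never matches.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional, Set

class IdentityCriteriaType(IntEnum):
    USERNAME = 1
    THUMBPRINT = 2
    ROLE = 3
    GROUPID = 4
    ANONYMOUS = 5
    AUTHENTICATED_USER = 6

@dataclass(frozen=True)
class IdentityMappingRule:
    criteria_type: IdentityCriteriaType
    criteria: Optional[str]  # null/empty for ANONYMOUS_5 and AUTHENTICATED_USER_6

@dataclass(frozen=True)
class SessionIdentity:
    """Hypothetical (not a spec type): what an already-authenticated Session presented."""
    anonymous: bool = False
    user_name: Optional[str] = None
    cert_thumbprint: Optional[str] = None       # hex digest of the user/CA Certificate
    token_roles: FrozenSet[str] = frozenset()   # Roles carried in the Access Token
    token_groups: FrozenSet[str] = frozenset()  # groups carried in the Access Token

def rule_matches(rule: IdentityMappingRule, ident: SessionIdentity) -> bool:
    ct = rule.criteria_type
    no_criteria = not rule.criteria
    if ct is IdentityCriteriaType.ANONYMOUS:
        return ident.anonymous and no_criteria       # malformed rule never matches
    if ct is IdentityCriteriaType.AUTHENTICATED_USER:
        return (not ident.anonymous) and no_criteria
    if ident.anonymous or no_criteria:               # remaining types need credentials
        return False
    if ct is IdentityCriteriaType.USERNAME:
        return ident.user_name == rule.criteria      # exact match, no wildcards
    if ct is IdentityCriteriaType.THUMBPRINT:        # hex digests: compare case-insensitively
        return ident.cert_thumbprint is not None and ident.cert_thumbprint.lower() == rule.criteria.lower()
    if ct is IdentityCriteriaType.ROLE:
        return rule.criteria in ident.token_roles
    if ct is IdentityCriteriaType.GROUPID:
        return rule.criteria in ident.token_groups
    return False

def roles_for(ident: SessionIdentity, role_rules: Dict[str, List[IdentityMappingRule]]) -> Set[str]:
    """A Session is granted every Role for which at least one of its rules matches."""
    return {role for role, rules in role_rules.items()
            if any(rule_matches(r, ident) for r in rules)}
```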