The IdentityMappingRuleType structure defines a single rule for selecting a UserIdentityToken. The structure is described in Table 7.

Table 7 – IdentityMappingRuleType

Name: IdentityMappingRuleType
Type: Structure
Description: Specifies a rule used to map a UserIdentityToken to a Role.

Name: criteriaType
Type: Enumeration (IdentityCriteriaType)
Description: The type of criteria contained in the identity mapping rule. The IdentityCriteriaType is defined in 4.4.4.

Name: criteria
Type: String
Description: The criteria which the UserIdentityToken must meet for a Session to be mapped to the Role. The meaning of the criteria depends on the criteriaType. The criteria is a null string ("") for Anonymous and AuthenticatedUser.

If the criteriaType is UserName, the criteria is the name of a user known to the Server. For example, the user could be the name of a local operating system account or a user managed by the Server as defined in 5.2.

If the criteriaType is Thumbprint, the criteria is the thumbprint of the immediate user Certificate or of an issuer Certificate in its chain which is trusted by the Server. The thumbprint shall be encoded as a hexadecimal string with upper case characters and without spaces.

If the criteriaType is Role, the criteria is the name of a restriction found in the Access Token. For example, the Role "subscriber" may only be allowed to access PubSub related Nodes.

If the criteriaType is GroupId, the criteria is a generic text identifier for a user group specific to the Authorization Service. For example, an Authorization Service providing access to an Active Directory may add one or more Windows Security Groups to the Access Token. OPC 10000-6 provides details on how groups are added to Access Tokens.

If the criteriaType is Anonymous, the criteria is a null string, which indicates that no user credentials have been provided.

If the criteriaType is AuthenticatedUser, the criteria is a null string, which indicates that any valid user credentials have been provided.

If the criteriaType is Application, the criteria is the ApplicationUri from the Client Certificate used for the Session. The Client Certificate shall be trusted by the Server and the Session shall use at least a signed communication channel (MessageSecurityMode Sign or SignAndEncrypt). This criteria type is used if a Role should be granted to a Session for Application Authentication with an Anonymous UserIdentityToken. If a Role should be granted to a Session for Application Authentication combined with User Authentication, the Applications Property on the RoleType is combined with the Identities Property on the RoleType as defined in 4.4.1.

If the criteriaType is X509Subject, the criteria is the X509 subject name of a user Certificate which is trusted by the Server. The subject name criteria consists of a sequence of name/value pairs separated by '/'. Each name shall be one of the entries in Table 8 and shall be followed by '=' and then the value, which is always enclosed in double quotes ('"'). The pairs shall be ordered as shown in Table 8, lowest number first. Every value from Table 8 that is present in the Certificate shall be included in the criteria; others shall not be included. A value may contain any printable character except '"'. For example: CN="User Name"/O="Company". Table 8 contains all subject name attributes whose support is required by X509 and some commonly used attributes whose support is optional. Additional fields may be added in the future. If one name is used multiple times in the Certificate, the name is also repeated in the criteria, and the entries with the same name are listed in the order they appear in the Certificate. All names listed in Table 8 that are included in the X509 subject name shall match the content of the criteria String. Names not included in Table 8 are ignored.

Table 8 – Order for subject name criteria

Order  Name          Value
1      CN            Common Name
2      O             Organization
3      OU            Organization Unit
4      DC            Domain Component
5      L             Locality
6      S             State
7      C             Country
8      dnQualifier   Distinguished name qualifier
9      serialNumber  Serial number
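The rule evaluation described in Table 7 and the X509Subject canonicalization governed by Table 8, as an added example in Python; this is not code from the specification or from any OPC UA SDK. It assumes that certificate subjects arrive as ordered (name, value) pairs in certificate order, that thumbprints are SHA-1 over the DER certificate (the usual OPC UA thumbprint), that a chain counts as trusted when any certificate in it is in the Server's trust list, and that Sessions, tokens and rules are plain dicts constructed here for illustration.

```python
"""Evaluate IdentityMappingRuleType rules against a Session identity.

Added example, not code from the OPC UA specification or an SDK. Assumptions
not stated in the text above: subjects are ordered (name, value) pairs in
certificate order; thumbprints are SHA-1 over the DER certificate; a chain is
"trusted" when any certificate in it is in the Server's trust list; Sessions
and tokens are plain dicts constructed here for illustration.
"""
import hashlib

# Table 8 order, lowest number first.
TABLE_8_ORDER = ["CN", "O", "OU", "DC", "L", "S", "C", "dnQualifier", "serialNumber"]
_RANK = {name: i for i, name in enumerate(TABLE_8_ORDER)}


def subject_criteria(subject_pairs):
    """Canonical X509Subject criteria: Table 8 names only, in Table 8 order,
    repeated names kept in certificate order, every value double-quoted."""
    kept = [(n, v) for n, v in subject_pairs if n in _RANK]
    for _, v in kept:
        if '"' in v or not v.isprintable():
            raise ValueError("value not representable in criteria: %r" % v)
    kept.sort(key=lambda nv: _RANK[nv[0]])  # stable sort: ties keep cert order
    return "/".join('%s="%s"' % (n, v) for n, v in kept)


def parse_subject_criteria(criteria):
    """Parse CN="..."/O="..." into (name, value) pairs and reject malformed
    input. A '/' inside a quoted value is data, not a separator."""
    pairs, i = [], 0
    while i < len(criteria):
        eq = criteria.find("=", i)
        if eq < 0 or criteria[i:eq] not in _RANK or criteria[eq + 1:eq + 2] != '"':
            raise ValueError("bad criteria at offset %d" % i)
        end = criteria.find('"', eq + 2)
        if end < 0:
            raise ValueError("unterminated value at offset %d" % eq)
        pairs.append((criteria[i:eq], criteria[eq + 2:end]))
        i = end + 1
        if i < len(criteria):
            if criteria[i] != "/":
                raise ValueError("expected '/' at offset %d" % i)
            i += 1
    ranks = [_RANK[n] for n, _ in pairs]
    if ranks != sorted(ranks):
        raise ValueError("criteria not in Table 8 order")
    return pairs


def thumbprint(der):
    """Thumbprint in criteria form: upper-case hex, no spaces (SHA-1 assumed)."""
    return hashlib.sha1(der).hexdigest().upper()


def rule_matches(rule, session):
    """True if the Session satisfies one IdentityMappingRuleType."""
    ctype, crit, tok = rule["criteriaType"], rule["criteria"], session["token"]
    trusted = session["trustedDer"]
    chain_trusted = tok["type"] == "X509" and any(c in trusted for c in tok["chainDer"])
    if ctype == "Anonymous":
        return crit == "" and tok["type"] == "Anonymous"
    if ctype == "AuthenticatedUser":
        return crit == "" and tok["type"] != "Anonymous"
    if ctype == "UserName":
        return tok["type"] == "UserName" and tok["userName"] == crit
    if ctype == "Thumbprint":  # user cert itself or any issuer in a trusted chain
        return chain_trusted and crit in {thumbprint(c) for c in tok["chainDer"]}
    if ctype == "X509Subject":  # compare the canonical form, never raw DN strings
        return chain_trusted and subject_criteria(tok["subject"]) == crit
    if ctype == "Role":
        return tok["type"] == "IssuedToken" and crit in tok["roles"]
    if ctype == "GroupId":
        return tok["type"] == "IssuedToken" and crit in tok["groups"]
    if ctype == "Application":  # trusted Client cert and at least a signed channel
        return (session["clientCertDer"] in trusted
                and session["securityMode"] in ("Sign", "SignAndEncrypt")
                and session["applicationUri"] == crit)
    raise ValueError("unknown criteriaType %r" % ctype)


def demo():
    """Constructed Session and rules; returns the Role names that map to it."""
    user_der = b"\x30\x82constructed-user-cert"  # constructed stand-ins for DER
    issuer_der = b"\x30\x82constructed-issuer-ca"
    client_der = b"\x30\x82constructed-client-app"
    session = {
        "securityMode": "SignAndEncrypt",
        "applicationUri": "urn:example:hmi",
        "clientCertDer": client_der,
        "trustedDer": {issuer_der, client_der},  # user cert trusted via its issuer
        "token": {"type": "X509", "chainDer": [user_der, issuer_der],
                  "subject": [("C", "DE"), ("OU", "Ops"), ("CN", "Jane Doe"),
                              ("OU", "Plant 1"), ("emailAddress", "jane@example.com")]},
    }
    rules = {
        "Operator": ("Thumbprint", thumbprint(issuer_der)),
        "Admin": ("X509Subject", 'CN="Jane Doe"/OU="Ops"/OU="Plant 1"/C="DE"'),
        "HMI": ("Application", "urn:example:hmi"),
        "Guest": ("Anonymous", ""),
    }
    return sorted(role for role, (t, c) in rules.items()
                  if rule_matches({"criteriaType": t, "criteria": c}, session))
```

In `demo()` the subject is deliberately out of Table 8 order and carries an `emailAddress` attribute; `subject_criteria` drops the unlisted name, orders by Table 8 rank and keeps the two `OU` entries in certificate order, so the `Admin` rule matches only when the administrator wrote the criteria in that same canonical form. Comparing canonical strings rather than raw DN strings is what keeps a subject with the same attributes in a different order from being treated as a different user.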

The IdentityMappingRuleType Structure representation in the AddressSpace is defined in Table 9.

Table 9 – IdentityMappingRuleType definition

Attributes   Value
BrowseName   IdentityMappingRuleType
IsAbstract   False

References   NodeClass   BrowseName   IsAbstract   Description
Subtype of Structure defined in OPC 10000-5.

Conformance Units
Base Info ServerType