Configuring security settings

The OPC UA Server enables the configuration of permissions at namespace and node level. This allows you to fine-granulate the access to ADS devices (for example, to different PLC runtimes) as well as variables. These security settings are available for all ADS devices that can be displayed in the server namespace.

Configuring security settings 1:

Configuration

The permissions are configured on the basis of an XML-based configuration file (TcUaSecurityConfig.xml), which is located in the same directory as the server. The configuration file consists of the three areas "Users", "Groups" and "AccessInfos".

Users

In the "Users" area you can configure user accounts that are to be accepted by the OPC UA Server as logins. There are three different authentication methods:

OS (recommended authentication method)

The mechanisms of the operating system are used to validate user name and password. The user account is subject completely to the control of the operating system and/or domain.

Server (not recommended)

User name and password are known only to the OPC UA Server. Both pieces of information are stored in plain text in the XML file.

None

Only the user name of the server is evaluated, the password is ignored.

Users can be configured with a tag <DefaultAccess> that specifies the standard access of the user to a certain namespace.

Users can be members of one or more groups. You can specify this using the MemberOf attribute. In case of memberships of several groups, separate the groups by a semicolon.

Configuring security settings 2:

Groups

In order to enable a simpler configuration with several user accounts, you can combine the users into groups.

Groups can also be configured with a tag <DefaultAccess>.

You can nest groups using the MemberOf attribute. In case of memberships of several groups, separate the groups by a semicolon.

Configuring security settings 3:

AccessInfos

If a fine-granular setting of permissions at the node level is to be implemented, then AccessInfos can be configured additionally, which specify the access permissions on nodes. Access rights can be passed on to subelements. Although AccessInfos allow the most fine-grained configuration of permissions, such a configuration can quickly become confusing. Therefore, check whether configuring access rights at the namespace level (see above) is not sufficient.

The AccessInfo for a node contains the following settings:

NS

Configures the NamespaceName in which the node is localized

Id

Configures the identifier of the node, including the IdentifierType (e.g. s = String)

Depth

Inheritance depth of permissions (-1 for infinite)

User/Group

User or group that is to be given access to this node, including the AccessLevels

Configuring security settings 4:

AccessInfos can be configured by dragging & dropping variables from the Target Browser. The configurable permissions are cumulative.

Sample configuration

Let's take the following simple control program. The variables are already published in the OPC UA namespace of the server. The OPC UA Server is initially in the delivery state.

Configuring security settings 5:

Access restrictions

Access to the server is to be restricted for clients as follows:

Settings

The configuration of the OPC UA Server is set as follows:

Configuring security settings 6:

Settings for the user "Administrator":

Configuring security settings 7:

Settings for the user "User1":

Configuring security settings 8:

Settings for the user "User2":

Configuring security settings 9:

Settings for AccessInfos "MAIN.Instance1":

Configuring security settings 10:

Settings for AccessInfos "MAIN.Instance2":

Configuring security settings 11:

Settings for the group "Users":

The user group is equipped both with basic access to required server and type system namespaces and with read and browse permissions to the PLC1 namespace.

Configuring security settings 12:

Result

Following activation of the configuration, the namespace of the server for "User1" looks like the following after establishment of a connection:

Configuring security settings 13:

The user has only read rights to the node "Instance1", which is clear from the attribute UserAccessLevel:

Configuring security settings 14:

The user "Administrator", conversely, has full access rights to all elements of the namespace:

Configuring security settings 15: