Configuring security settings
The OPC UA Server allows permissions to be configured at namespace level and at node level. This lets you restrict access at fine granularity, both to ADS devices (for example, to individual PLC runtimes) and to individual variables. These security settings are available for all ADS devices that can be displayed in the server namespace.
Configuration
The permissions are configured in an XML-based configuration file (TcUaSecurityConfig.xml), which is located in the same directory as the server. The configuration file consists of three areas: Users, Groups and AccessInfos.
Users
In the Users area you configure the user accounts that the OPC UA Server accepts as logins. There are three authentication methods:
Method | Description |
OS (recommended) | User name and password are validated by the mechanisms of the operating system. The account is entirely under the control of the operating system and/or domain and is therefore subject to its password policy and account management. |
Server (not recommended) | User name and password are known only to the OPC UA Server. Both are stored in plain text in the XML file, so anyone who can read the file can read the passwords. |
None | Only the user name presented to the server is evaluated; the password is ignored. Anyone who knows or guesses a configured user name can log in as that user, so this method provides no authentication. |
A user can be given a <DefaultAccess> tag that specifies the user's default access to a particular namespace.
Users can be members of one or more groups. You specify this with the MemberOf attribute; for membership in several groups, separate the group names with semicolons.
Groups
To simplify configuration when there are several user accounts, you can combine users into groups.
Groups can also be given a <DefaultAccess> tag.
Groups can be nested using the MemberOf attribute; for membership in several groups, separate the group names with semicolons.
AccessInfos
If permissions need to be set at the level of individual nodes, AccessInfos can be configured in addition. An AccessInfo specifies the access permissions on a node, and these permissions can be passed on to its sub-elements. Although AccessInfos allow the most fine-grained configuration of permissions, such a configuration quickly becomes hard to follow. Check first whether configuring access rights at the namespace level (see above) is sufficient.
The AccessInfo for a node contains the following settings:
Setting | Meaning |
NS | The NamespaceName in which the node is located |
Id | The identifier of the node, including the IdentifierType (e.g. s = String) |
Depth | Inheritance depth: how many levels of sub-elements inherit the permissions (-1 for unlimited) |
User/Group | The user or group that is to be given access to this node, including the AccessLevels granted |
AccessInfos can also be created by dragging and dropping variables from the Target Browser. The configured permissions are cumulative: rights granted to a user directly, via its groups, at namespace level and via AccessInfos add up.
Sample configuration
Consider the following simple control program. Its variables are already published in the OPC UA namespace of the server, and the OPC UA Server is in its delivery state.
Access restrictions
Access to the server is to be restricted for clients as follows:
- Anonymous access is to be deactivated.
- There is to be a user "Administrator" who has full access to the complete server.
- There is to be a user "User1" who has read access only to MAIN.Instance1. This user is not an operating system account but exists only internally in the server (Server authentication method).
- There is to be a user "User2" who has read access only to MAIN.Instance2. This user is likewise not an operating system account but exists only internally in the server.
- General access permissions for all users are to be configured via a group called "Users".
Settings
The configuration of the OPC UA Server is set as follows:
Settings for the user "Administrator":
Settings for the user "User1":
Settings for the user "User2":
Settings for AccessInfos "MAIN.Instance1":
Settings for AccessInfos "MAIN.Instance2":
Settings for the group "Users":
The user group is given basic access to the required server and type system namespaces, as well as read and browse permissions to the PLC1 namespace.
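The following Python model, added here as an illustration, shows how the pieces of this configuration combine into what a client observes: nested group membership via MemberOf, namespace-level DefaultAccess, node-level AccessInfos whose Depth controls how far down the grant is inherited, and the cumulative union of all of these, folded into the UserAccessLevel bit field defined in OPC UA Part 3. It is not Beckhoff's implementation and does not use the TcUaSecurityConfig.xml schema; the namespace name, node ids, rights strings and the constructed configuration (in which the "Users" group gets Browse only on PLC1, so that the node-level grants are what make Instance1 and Instance2 readable) are assumptions for the example.

```python
"""Model of the permission semantics described on this page. Added example,
not Beckhoff code and not the TcUaSecurityConfig.xml schema; all names,
the namespace URI and the rights strings are constructed for illustration."""
from dataclasses import dataclass, field

# AccessLevelType bits from OPC UA Part 3: what a client reads back in the
# UserAccessLevel attribute. Browse is a visibility right and has no bit here.
CURRENT_READ, CURRENT_WRITE, HISTORY_READ, HISTORY_WRITE = 0x01, 0x02, 0x04, 0x08
RIGHT_BITS = {"Read": CURRENT_READ, "Write": CURRENT_WRITE,
              "HistoryRead": HISTORY_READ, "HistoryWrite": HISTORY_WRITE}


@dataclass
class Principal:
    """A user or a group. member_of is semicolon-separated like MemberOf."""
    name: str
    member_of: str = ""
    default_access: dict = field(default_factory=dict)  # namespace -> set of rights


@dataclass
class AccessInfo:
    """Node-level grant: NS, Id (e.g. 's=MAIN.Instance1'), Depth (-1 = unlimited)."""
    ns: str
    node_id: str
    depth: int
    grants: dict  # principal name -> set of rights


@dataclass
class Config:
    users: dict
    groups: dict
    access_infos: list


def groups_of(cfg, name):
    """All groups `name` belongs to, directly or through nested groups (cycle-safe)."""
    seen, todo = set(), [name]
    while todo:
        cur = todo.pop()
        principal = cfg.users.get(cur) or cfg.groups.get(cur)
        if principal is None:
            continue
        for group in principal.member_of.split(";"):
            group = group.strip()
            if group and group not in seen:
                seen.add(group)
                todo.append(group)
    return seen


def node_covered(info, ns, node_id):
    """True if the AccessInfo applies to node_id: the node itself, or a
    sub-element at most `depth` levels below it (Depth -1 = unlimited)."""
    if info.ns != ns:
        return False
    if node_id == info.node_id:
        return True
    prefix = info.node_id + "."
    if not node_id.startswith(prefix):
        return False
    levels_below = node_id[len(prefix):].count(".") + 1
    return info.depth == -1 or levels_below <= info.depth


def effective_rights(cfg, user, ns, node_id):
    """Cumulative rights: namespace defaults of the user and all its groups,
    plus every matching AccessInfo grant for the user or one of its groups."""
    principals = {user} | groups_of(cfg, user)
    rights = set()
    for p in principals:
        principal = cfg.users.get(p) or cfg.groups.get(p)
        if principal is not None:
            rights |= principal.default_access.get(ns, set())
    for info in cfg.access_infos:
        if node_covered(info, ns, node_id):
            for p in principals:
                rights |= info.grants.get(p, set())
    return rights


def user_access_level(rights):
    """Fold granted rights into the UserAccessLevel byte a client would read."""
    level = 0
    for right in rights:
        level |= RIGHT_BITS.get(right, 0)
    return level


PLC1 = "urn:BeckhoffAutomation:Ua:PLC1"  # constructed namespace name

# Constructed configuration for the scenario above.
SAMPLE = Config(
    users={
        "Administrator": Principal("Administrator", "Users",
                                   {PLC1: {"Browse", "Read", "Write"}}),
        "User1": Principal("User1", "Users"),
        "User2": Principal("User2", "Users"),
    },
    groups={"Users": Principal("Users", "", {PLC1: {"Browse"}})},
    access_infos=[
        AccessInfo(PLC1, "s=MAIN.Instance1", -1, {"User1": {"Read"}}),
        AccessInfo(PLC1, "s=MAIN.Instance2", -1, {"User2": {"Read"}}),
    ],
)

if __name__ == "__main__":
    for user in ("Administrator", "User1", "User2"):
        for node in ("s=MAIN.Instance1", "s=MAIN.Instance1.nValue", "s=MAIN.Instance2"):
            rights = effective_rights(SAMPLE, user, PLC1, node)
            print(f"{user:14} {node:26} UserAccessLevel=0x{user_access_level(rights):02x}"
                  f" browse={'Browse' in rights}")
```

Running the module prints, per user and node, the UserAccessLevel a client would see: User1 gets 0x01 (CurrentRead) on Instance1 and its sub-elements because Depth is -1, but only Browse (0x00) on Instance2, while Administrator gets 0x03 everywhere. The point worth checking against your own configuration is the cumulative rule: a broad grant at namespace level, for example Read on the whole PLC1 namespace for the "Users" group, cannot be narrowed again by an AccessInfo, so restrictive node-level policies only work when the namespace-level defaults are equally restrictive.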
Result
After the configuration has been activated and a connection has been established as "User1", the server namespace looks as follows:
The user has read rights only on the node "Instance1". This can be seen from the UserAccessLevel attribute, which reports the access the server grants to the current session's user (as opposed to AccessLevel, which describes what the node supports regardless of user):
The user "Administrator", by contrast, has full access rights to all elements of the namespace: