View Issue Details

ID: 0010366
Project: Part 81: UAFX Connecting Devices and Information Model [sg.BaseFacet]
Category: Spec
View Status: public
Last Update: 2025-10-24 12:58
Reporter: Jan Murzyn
Assigned To: Jan Murzyn
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Target Version: NextMaintenance
Summary: 0010366: Establish/Close Connections permissions on FunctionalEntity level.
Description

Currently we have the ConnectionAdmin role defined, which has permission to call the Establish/Close Connections Methods (on AutomationComponent level).

There is a need to specify more granular access control, that is, to restrict certain ConnectionManagers to establish connections (create endpoints) only on certain FunctionalEntities within the AutomationComponent.

A similar concept already exists in Part 14, where the Call permission on the SecurityGroup controls the behaviour of the GetSecurityKeys Method on the PublishSubscribe Object.

See
https://reference.opcfoundation.org/Core/Part14/v105/docs/8.3.2

"The configuration parameter RolePermissions contained in the SecurityGroupDataType controls the access to the security keys for the SecurityGroupId. If the user used to call this Method does not have the Call Permission set for the RolePermissions parameter for the related SecurityGroupType Object, the Server shall return Bad_UserAccessDenied for this Method. The SecurityGroupType is defined in 8.4."

See also
https://reference.opcfoundation.org/Core/Part14/v105/docs/8.8

"SecurityKeyServerAccess
This Role allows a PubSub Application to access an SKS to pull keys. It is the default Role for pull but it is expected that different custom Roles are used for different SecurityGroups."

Tags: No tags attached.
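
A sketch of the per-FunctionalEntity check requested above, added here as an illustration and not taken from the specification or any OPC UA stack. The Node class, the LineAConnectionManager role, the entity names and the per-entity result map are assumptions; only the Call permission bit and Bad_UserAccessDenied are standard OPC UA values.

```python
from dataclasses import dataclass, field

CALL = 0x1000                        # PermissionType bit 12 (Call)
GOOD = 0x00000000
BAD_USER_ACCESS_DENIED = 0x801F0000  # Bad_UserAccessDenied

@dataclass
class Node:
    name: str
    role_permissions: dict = field(default_factory=dict)  # role name -> permission mask

    def allows(self, roles, permission):
        # A session is granted the union of the permissions of all its roles.
        granted = 0
        for role in roles:
            granted |= self.role_permissions.get(role, 0)
        return bool(granted & permission)

def establish_connections(roles, method_node, entities, targets):
    """Return {FunctionalEntity name: status code} for one call (hypothetical shape)."""
    # Existing gate: Call permission on the Method at AutomationComponent level.
    if not method_node.allows(roles, CALL):
        return {t: BAD_USER_ACCESS_DENIED for t in targets}
    results = {}
    for t in targets:
        entity = entities.get(t)
        # Assumed additional gate: Call permission in the RolePermissions of the
        # targeted FunctionalEntity. Unknown entities fail closed in this sketch.
        ok = entity is not None and entity.allows(roles, CALL)
        results[t] = GOOD if ok else BAD_USER_ACCESS_DENIED
    return results

# Constructed sample configuration (all names hypothetical).
METHOD = Node("EstablishConnections",
              {"ConnectionAdmin": CALL, "LineAConnectionManager": CALL})
ENTITIES = {
    "Conveyor": Node("Conveyor",
                     {"ConnectionAdmin": CALL, "LineAConnectionManager": CALL}),
    "SafetyController": Node("SafetyController", {"ConnectionAdmin": CALL}),
}
```

With this configuration a session holding only LineAConnectionManager can create endpoints on Conveyor but is refused on SafetyController, while ConnectionAdmin keeps access to both.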

Activities

Paul Hunkar

2025-08-01 13:42

manager   ~0023187

Agreed in call that the text should be updated to reflect what is already described in other parts (allowing other similar roles).

Issue History

Date Modified     Username     Field           Change
2025-06-10 15:06  Jan Murzyn   New Issue
2025-06-13 13:25  Paul Hunkar  Target Version  => NextMaintenance
2025-07-09 15:57  Paul Hunkar  Target Version  => NextMaintenance
2025-08-01 13:41  Paul Hunkar  Assigned To     => Paul Hunkar
2025-08-01 13:41  Paul Hunkar  Status          new => assigned
2025-08-01 13:42  Paul Hunkar  Note Added: 0023187
2025-10-24 12:58  Paul Hunkar  Assigned To     Paul Hunkar => Jan Murzyn