View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004177 | 10000-003: Address Space | Spec | public | 2018-02-28 11:32 | 2020-08-04 15:24 |
Reporter | Matthias Damm | Assigned To | Matthias Damm | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Summary | 0004177: AccessRestrictions enforces hard limitation | ||||
Description | Currently the AccessRestrictions can only be applied to all permissions. Therefore a node where SigningRequired or EncryptionRequired is set is not visible at all, even if the SigningRequired or EncryptionRequired is only necessary for information access (Value Read/Write, Method Call, Events, History Access). There are use cases where the node should not be visible at all but in most use cases, the node and the meta data access is not critical but the information access must be signed/encrypted. This is not possible at the moment. This excludes also the "reason" for the attribute that should tell the user what restrictions are applied. | ||||
Tags | No tags attached. | ||||
Commit Version | |||||
Fix Due Date | |||||
related to | 0005326 | closed | Matthias Damm | 10000-018: Role-Based Security | Add new IdentityMappingRuleType.criteriaType option for Application |
|
Please add more explanation. We cannot understand the scenario. |
|
We have the option to allow secured communication without encryption to reduce CPU load in cases where confidentiality is not required but all other security objectives should be fulfilled. Let's assume a client is connected with 'Sign' only to a server that allows MessageSecurityMode 'Sign' and 'SignAndEncrypt'. The client (with its user) is able to access most of the nodes but there is one node that requires 'SignAndEncrypt' since the data provided by this node requires confidentiality for the data exchanged. To support this use case, we introduced the AccessRestrictions attribute. This ensures that a server is able to support all message security modes but can restrict modes for some nodes. In the above scenario, the 'EncryptionRequired' would be set in the AccessRestrictions for the node that requires confidentiality. But with the current definition, the client that is connected with 'Sign' would not even see the node, even if the user would have access to the node. The client would not see the node and would not be able to find out that encryption is required to read the value. With the requested extension, it would be possible to make the node visible to authorized clients but to apply EncryptionRequired to all other permissions. |
|
The proposed change is contained in OPC 10000-3 - UA Specification Part 3 - Address Space Model Draft 1.05.07.docx. See note for the requested further explanation. |
|
Agreed to changes edited in telecon. |
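
The scenario from the notes above (a client connected with 'Sign', a node with EncryptionRequired), modelled as an added example that is not part of the issue or of the specification text. The `restrict_metadata` switch and the operation names are assumptions of this sketch: `True` models the current definition, `False` the requested extension.

```python
from enum import Enum, Flag, auto

class Mode(Enum):            # MessageSecurityMode of the client's channel
    NONE = 0
    SIGN = 1
    SIGN_AND_ENCRYPT = 2

class Restriction(Flag):     # flag names as used in the issue text
    NONE = 0
    SIGNING_REQUIRED = auto()
    ENCRYPTION_REQUIRED = auto()

# Operation names are this example's own grouping of the issue's wording.
METADATA_OPS = {"browse", "read_metadata"}
INFORMATION_OPS = {"read_value", "write_value", "call", "events", "history"}

def channel_satisfies(mode, restrictions):
    """True when the channel's security mode meets every restriction flag set."""
    if Restriction.ENCRYPTION_REQUIRED in restrictions and mode is not Mode.SIGN_AND_ENCRYPT:
        return False
    if Restriction.SIGNING_REQUIRED in restrictions and mode is Mode.NONE:
        return False
    return True

def is_allowed(op, mode, restrictions, user_has_permission, restrict_metadata):
    """Decide one operation on one node for one session.

    restrict_metadata (hypothetical switch, not a name from the specification):
    True  -> restrictions gate every permission (current definition)
    False -> restrictions gate only information access (requested extension)
    """
    if op not in METADATA_OPS | INFORMATION_OPS:
        raise ValueError(f"unknown operation: {op}")
    if not user_has_permission:          # role permissions are checked first
        return False
    if op in METADATA_OPS and not restrict_metadata:
        return True                      # node stays visible to authorized users
    return channel_satisfies(mode, restrictions)

def client_view(mode, restrictions, restrict_metadata):
    """Per-operation result for a user who holds every permission on the node."""
    ops = sorted(METADATA_OPS | INFORMATION_OPS)
    return {op: is_allowed(op, mode, restrictions, True, restrict_metadata) for op in ops}

if __name__ == "__main__":
    node = Restriction.ENCRYPTION_REQUIRED   # constructed sample node
    for label, flag in (("current", True), ("requested", False)):
        print(label, client_view(Mode.SIGN, node, flag))
```
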
Date Modified | Username | Field | Change |
---|---|---|---|
2018-02-28 11:32 | Matthias Damm | New Issue | |
2018-08-14 16:59 | Jim Luth | Note Added: 0009316 | |
2018-08-14 16:59 | Jim Luth | Status | new => feedback |
2018-10-23 15:44 | Jim Luth | Assigned To | => Matthias Damm |
2018-10-23 15:44 | Jim Luth | Status | feedback => assigned |
2020-02-29 20:28 | Matthias Damm | Note Added: 0011632 | |
2020-02-29 20:29 | Matthias Damm | Status | assigned => resolved |
2020-02-29 20:29 | Matthias Damm | Resolution | open => fixed |
2020-02-29 20:29 | Matthias Damm | Note Added: 0011633 | |
2020-03-01 18:00 | Matthias Damm | Relationship added | related to 0005326 |
2020-08-04 15:24 | Jim Luth | Status | resolved => closed |
2020-08-04 15:24 | Jim Luth | Fixed in Version | => 1.05 |
2020-08-04 15:24 | Jim Luth | Note Added: 0012655 |