View Issue Details

ID: 0005135
Project: 10000-018: Role-Based Security
Category: Spec
View Status: public
Last Update: 2020-09-18 12:13
Reporter: Matthias Damm
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0005135: Missing details or features on how to combine standard and vendor specific handling of user authorization
Description

We extended the OPC UA base information model with standard user authorization mechanisms including standard configuration options.

But not all variations of existing systems or requirements can be covered with the features defined by OPC UA. We always said vendor specific mechanisms can be combined with standard mechanisms.

We have Roles, identity mapping for Roles and we have permission settings per Role on the Nodes.

A server may want to use the standard permission configuration but is not able to cover all use cases with the defined Role configuration.

At the moment, F.3.1 RoleType Definition defines the following for Identities:
"The Identities Property specifies the currently configured rules for mapping a UserIdentityToken to the Role. If this Property is an empty array, then the Role cannot be granted to any Session."

It is necessary to have a Role object to configure the permissions on a Node but there is no way to indicate that the Role configuration is vendor specific. One option would be to expose only the mandatory Identities property and to not allow Read/Write access to the value. Another (preferred) option is to extend the criteriaType enumeration with a custom option. This would tell a client that the Role is not configurable with standard mechanisms.

Tags: No tags attached.
Commit Version:
Fix Due Date:

Relationships

related to 0005326 (closed, Matthias Damm) 10000-018: Role-Based Security: Add new IdentityMappingRuleType.criteriaType option for Application
related to 0005490 (closed, Paul Hunkar) 10000-002: Security: 5.2.4 Authorization does not refer to standard OPC UA mechanisms

Activities

Matthias Damm (developer), 2020-03-03 20:34, note ~0011643

Resolved in OPC 10000-18 - UA Specification Part 18 - User Authentication Draft 1.05.01_MD2.docx

Table 2 – RoleType definition adds the row:
HasProperty | Variable | CustomConfiguration | Boolean | PropertyType | Optional

The CustomConfiguration Property indicates that the configuration of the Role and the assignment of the Role to Sessions is vendor specific.
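The distinction this issue settles, standard identity-mapping rules on a Role versus a Role whose configuration is vendor specific, as an added example that is not part of the issue, of the note above, or of any OPC UA specification text: a small Python model of a RoleType with its Identities Property and the new CustomConfiguration Property, plus an evaluator that grants a Role from its identity mapping rules, refuses a Role whose Identities array is empty (as F.3.1 requires), and reports None for a Role flagged CustomConfiguration so the caller knows standard evaluation does not apply. The criteria kinds and their enumeration values, the SessionIdentity model, the Role names and the sample identities are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class IdentityCriteriaType(Enum):
    """Criteria kinds an IdentityMappingRule may use.
    Assumed subset of the Part 18 IdentityCriteriaType enumeration;
    the numeric values are illustrative, not normative."""
    USER_NAME = 1
    THUMBPRINT = 2
    ANONYMOUS = 5
    AUTHENTICATED_USER = 6
    APPLICATION = 7


@dataclass(frozen=True)
class IdentityMappingRule:
    criteria_type: IdentityCriteriaType
    criteria: str = ""  # user name, certificate thumbprint or ApplicationUri


@dataclass
class Role:
    name: str
    # Identities Property: empty array means the Role cannot be granted.
    identities: List[IdentityMappingRule] = field(default_factory=list)
    # CustomConfiguration Property (optional): True means the configuration
    # of the Role and its assignment to Sessions is vendor specific.
    custom_configuration: bool = False


@dataclass(frozen=True)
class SessionIdentity:
    """What a server knows about a Session after activation (hypothetical model)."""
    anonymous: bool = False
    user_name: Optional[str] = None
    thumbprint: Optional[str] = None
    application_uri: str = ""


def rule_matches(rule: IdentityMappingRule, ident: SessionIdentity) -> bool:
    """Evaluate one identity mapping rule against a Session identity."""
    kind = rule.criteria_type
    if kind is IdentityCriteriaType.ANONYMOUS:
        return ident.anonymous
    if kind is IdentityCriteriaType.AUTHENTICATED_USER:
        return not ident.anonymous
    if kind is IdentityCriteriaType.USER_NAME:
        return ident.user_name is not None and ident.user_name == rule.criteria
    if kind is IdentityCriteriaType.THUMBPRINT:
        # Thumbprints are hex strings; compare case-insensitively.
        return ident.thumbprint is not None and ident.thumbprint.lower() == rule.criteria.lower()
    if kind is IdentityCriteriaType.APPLICATION:
        return ident.application_uri == rule.criteria
    return False  # unknown criteria kind: never grants


def evaluate_role(role: Role, ident: SessionIdentity) -> Optional[bool]:
    """True/False when the standard rules decide; None when the Role is
    vendor specific and a standard evaluator must not decide at all."""
    if role.custom_configuration:
        return None
    if not role.identities:
        return False
    return any(rule_matches(rule, ident) for rule in role.identities)


def granted_standard_roles(roles: List[Role], ident: SessionIdentity) -> List[str]:
    """Names of Roles the standard mechanism grants to this Session."""
    return sorted(r.name for r in roles if evaluate_role(r, ident) is True)


def vendor_specific_roles(roles: List[Role]) -> List[str]:
    """Roles a client must not try to configure via the standard Identities rules."""
    return sorted(r.name for r in roles if r.custom_configuration)


# Constructed sample data (not from any real server).
SAMPLE_ROLES = [
    Role("Anonymous", [IdentityMappingRule(IdentityCriteriaType.ANONYMOUS)]),
    Role("AuthenticatedUser", [IdentityMappingRule(IdentityCriteriaType.AUTHENTICATED_USER)]),
    Role("Operator", [IdentityMappingRule(IdentityCriteriaType.USER_NAME, "alice"),
                      IdentityMappingRule(IdentityCriteriaType.THUMBPRINT, "AB12CD34")]),
    Role("Engineer", []),                              # empty Identities: never granted
    Role("SiteSpecific", [], custom_configuration=True),  # vendor specific
]
ROLES_BY_NAME = {r.name: r for r in SAMPLE_ROLES}
ALICE = SessionIdentity(user_name="alice")
HMI_CERT = SessionIdentity(thumbprint="ab12cd34", application_uri="urn:example:hmi")
ANON = SessionIdentity(anonymous=True)

if __name__ == "__main__":
    for label, ident in (("alice", ALICE), ("hmi cert", HMI_CERT), ("anonymous", ANON)):
        print(label, "->", granted_standard_roles(SAMPLE_ROLES, ident))
    print("vendor specific:", vendor_specific_roles(SAMPLE_ROLES))
```

A client that walks the RoleSet can use the same split: Roles with CustomConfiguration set are displayed but not offered for editing of Identities, while the remaining Roles are handled with the standard AddIdentity/RemoveIdentity style of configuration.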

Jim Luth (administrator), 2020-09-18 12:13, note ~0012938

Agreed to changes in Virtual F2F.

Issue History

Date Modified | Username | Field | Change
2019-10-09 09:56 Matthias Damm New Issue
2019-11-26 16:30 Jim Luth Assigned To => Jeff Harding
2019-11-26 16:30 Jim Luth Status new => assigned
2020-02-04 07:41 Matthias Damm Relationship added related to 0005326
2020-03-01 18:06 Matthias Damm Relationship added related to 0005490
2020-03-03 17:47 Jim Luth Assigned To Jeff Harding => Matthias Damm
2020-03-03 20:34 Matthias Damm Status assigned => resolved
2020-03-03 20:34 Matthias Damm Resolution open => fixed
2020-03-03 20:34 Matthias Damm Note Added: 0011643
2020-03-17 16:55 Jim Luth Project 10000-005: Information Model => 10000-018: Role-Based Security
2020-09-18 12:13 Jim Luth Status resolved => closed
2020-09-18 12:13 Jim Luth Fixed in Version => 1.05
2020-09-18 12:13 Jim Luth Note Added: 0012938