View Issue Details

ID: 0005326
Project: 10000-018: Role-Based Security
Category: Spec
View Status: public
Last Update: 2020-03-17 17:04
Reporter: Matthias Damm
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Summary0005326: Add new IdentityMappingRuleType.criteriaType option for Application
Description

At the moment a Role can define Application restrictions in addition to the Identities.

But there is no way to add an IdentityMapping where the identity is just based on the Application authentication (combined with an ANONYMOUS user token). Therefore it is not possible to combine an identity of a headless client with user identities in one Role.

Therefore I propose to add an Identity Mapping Type APPLICATION_7 where the criteria is the Application Instance URI, the user token would be ANONYMOUS and the MessageSecurityMode None would be forbidden.

Tags: No tags attached.
Commit Version:
Fix Due Date:

Relationships

related to 0004177 (closed, Matthias Damm) 10000-003: Address Space: AccessRestrictions enforces hard limitation
related to 0005135 (closed, Matthias Damm) 10000-018: Role-Based Security: Missing details or features on how to combine standard and vendor specific handling of user authorization

Activities

Matthias Damm

2020-03-03 19:33

developer   ~0011641

There was also the question if the Identities list is combined with Applications and Endpoints with OR / AND.

The agreement in the OPC UA working group meeting on March 03, 2020 was that the entries in Identities are combined with OR and that Identities is combined with Applications and Endpoints with AND if they are configured.

Matthias Damm

2020-03-03 20:31

developer   ~0011642

Resolved in OPC 10000-18 - UA Specification Part 18 - User Authentication Draft 1.05.01_MD2.docx

Table 3 – IdentityMappingRuleType
criteriaType
Added APPLICATION_7
The rule specifies the Application Instance Certificate of a Client. The criteria is the ApplicationUri from the Client Certificate which is trusted by the Server.
If a Role should be granted to a Session for Application Authentication or with User Authentication, this criteria type is used. If a Role should be granted to a Session for Application Authentication combined with User Authentication, the Applications Property on the Role is used instead.

Definition of Identities Property:
Added the following sentence:
If Applications or Endpoints are configured, the Role is only granted to the Session, if the Session complies with Identities and Applications and Endpoints.
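The following is an added worked example, not text from this issue, from the Part 18 specification, or from any OPC UA stack. It models the two rules settled in the notes above: the OR-within-Identities / AND-with-Applications-and-Endpoints combination from note ~0011641, and the new APPLICATION_7 criteria type from note ~0011642, so that a headless client (trusted Application Instance Certificate, Anonymous user token) and a named user can be granted the same Role. The class and function names, the USERNAME_1 / ANONYMOUS_5 enum values, the sample ApplicationUris, user names and endpoint URLs are all assumptions made for this example; the refusal to match APPLICATION_7 under MessageSecurityMode None is taken from the proposal in the Description, not from the resolved table text.

```python
"""Role-grant evaluation for OPC UA Part 18 Role-Based Security.

Added illustration only. Assumed names: CriteriaType values, Session,
role_granted, demo. Sample sessions, URIs and users are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class CriteriaType(Enum):
    USERNAME_1 = 1      # criteria = user name from a UserName token
    ANONYMOUS_5 = 5     # matches any Session with an Anonymous token
    APPLICATION_7 = 7   # criteria = ApplicationUri of the trusted Client Certificate


class SecurityMode(Enum):
    NONE = 1
    SIGN = 2
    SIGN_AND_ENCRYPT = 3


@dataclass(frozen=True)
class IdentityMappingRule:
    criteria_type: CriteriaType
    criteria: str = ""


@dataclass
class Role:
    name: str
    identities: List[IdentityMappingRule]
    applications: List[str] = field(default_factory=list)  # empty = not configured
    endpoints: List[str] = field(default_factory=list)     # empty = not configured


@dataclass
class Session:
    user_name: Optional[str]      # None models an Anonymous user token
    client_app_uri: str           # ApplicationUri taken from the Client Certificate
    client_cert_trusted: bool     # Server trusts that certificate
    security_mode: SecurityMode
    endpoint_url: str


def identity_matches(rule: IdentityMappingRule, s: Session) -> bool:
    """One entry of the Identities Property against a Session."""
    if rule.criteria_type is CriteriaType.ANONYMOUS_5:
        return s.user_name is None
    if rule.criteria_type is CriteriaType.USERNAME_1:
        return s.user_name == rule.criteria
    if rule.criteria_type is CriteriaType.APPLICATION_7:
        # Assumption from the proposal: with SecurityMode None the Client
        # Certificate is never proven, so application identity is not granted.
        if s.security_mode is SecurityMode.NONE:
            return False
        return s.client_cert_trusted and s.client_app_uri == rule.criteria
    return False


def role_granted(role: Role, s: Session) -> bool:
    """Identities are OR'ed; the result is AND'ed with Applications and
    Endpoints whenever those Properties are configured (non-empty)."""
    identity_ok = any(identity_matches(r, s) for r in role.identities)
    app_ok = not role.applications or s.client_app_uri in role.applications
    ep_ok = not role.endpoints or s.endpoint_url in role.endpoints
    return identity_ok and app_ok and ep_ok


# Constructed sample data.
OPERATOR = Role("Operator", identities=[
    IdentityMappingRule(CriteriaType.USERNAME_1, "alice"),
    IdentityMappingRule(CriteriaType.APPLICATION_7, "urn:plant:historian"),
])
# Same user, but only from a specific application and endpoint.
SITE_ADMIN = Role("SiteAdmin",
                  identities=[IdentityMappingRule(CriteriaType.USERNAME_1, "alice")],
                  applications=["urn:plant:hmi"],
                  endpoints=["opc.tcp://plc:4840"])

ALICE_HMI = Session("alice", "urn:plant:hmi", True, SecurityMode.SIGN_AND_ENCRYPT, "opc.tcp://plc:4840")
ALICE_FROM_HISTORIAN = Session("alice", "urn:plant:historian", True, SecurityMode.SIGN, "opc.tcp://plc:4840")
HEADLESS_HISTORIAN = Session(None, "urn:plant:historian", True, SecurityMode.SIGN, "opc.tcp://plc:4840")
HISTORIAN_NO_SECURITY = Session(None, "urn:plant:historian", True, SecurityMode.NONE, "opc.tcp://plc:4840")
HISTORIAN_UNTRUSTED = Session(None, "urn:plant:historian", False, SecurityMode.SIGN, "opc.tcp://plc:4840")


def demo() -> dict:
    """Grant decisions for every (role, session) pair above."""
    sessions = {
        "alice_hmi": ALICE_HMI,
        "alice_from_historian": ALICE_FROM_HISTORIAN,
        "headless_historian": HEADLESS_HISTORIAN,
        "historian_no_security": HISTORIAN_NO_SECURITY,
        "historian_untrusted": HISTORIAN_UNTRUSTED,
    }
    return {role.name: {k: role_granted(role, s) for k, s in sessions.items()}
            for role in (OPERATOR, SITE_ADMIN)}


if __name__ == "__main__":
    for role_name, decisions in demo().items():
        for session_name, ok in decisions.items():
            print(f"{role_name:9} {session_name:22} {'granted' if ok else 'denied'}")
```

Running the block prints one decision per pair: Operator is granted both to alice from any application and to the headless historian with a trusted certificate over a secure channel, which is exactly the combination the Description says was impossible before APPLICATION_7; SiteAdmin is denied to alice from the historian application because a configured Applications Property is AND'ed with Identities.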

Jim Luth

2020-03-17 17:04

administrator   ~0011777

Agreed to 1.05 and 1.04 Errata text editing in telecon.

Issue History

Date Modified Username Field Change
2019-12-04 23:59 Matthias Damm New Issue
2020-02-04 07:41 Matthias Damm Relationship added related to 0005135
2020-03-01 18:00 Matthias Damm Relationship added related to 0004177
2020-03-03 17:34 Jim Luth Assigned To => Matthias Damm
2020-03-03 17:34 Jim Luth Status new => assigned
2020-03-03 19:33 Matthias Damm Note Added: 0011641
2020-03-03 20:31 Matthias Damm Status assigned => resolved
2020-03-03 20:31 Matthias Damm Resolution open => fixed
2020-03-03 20:31 Matthias Damm Note Added: 0011642
2020-03-17 16:55 Jim Luth Project 10000-005: Information Model => 10000-018: Role-Based Security
2020-03-17 17:04 Jim Luth Status resolved => closed
2020-03-17 17:04 Jim Luth Fixed in Version => 1.05
2020-03-17 17:04 Jim Luth Note Added: 0011777