View Issue Details

ID: 0009508
Project: NodeSets, XSDs and Generated Code
Category: Implementation Bug
View Status: public
Last Update: 2024-06-18 16:42
Reporter: Thomas Merk
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 1.05.03
Summary: 0009508: RolePermissions in Opc.Ua.NodeSet2.xml are specified in a weird way
Description

There are many places in Opc.Ua.NodeSet2.xml where nodes contain configured role permissions.
Actually this issue contains two parts:

  1. Usage of role "Anonymous" (i=15644)

  2. Explicitly assigned permissions for specific roles

  1. Usage of role "Anonymous"

At many places specific permissions for role "Anonymous" are defined (in most places just browse, but sometimes also read or call).

E.g. node ServerConfiguration (i=12637) and its properties:
Permissions for role SecurityAdmin and ConfigureAdmin allow almost everything
Anonymous is allowed to browse.
=> Why should the role "AuthenticatedUser" have less permissions than Anonymous?

The same is valid for all other nodes where explicit permissions are defined for role "Anonymous".
Most ridiculous is the "Call" permission on method "ChangePassword" for anonymous users.

Was the intention to permit e.g. "Browse" to all other roles?
In this case I would suggest an additional well known role "AllUsers".
This role can be assigned to all sessions and thus such a configuration would be possible.

  2. Explicitly assigned permissions for specific roles

Again node ServerConfiguration (i=12637) and its properties:
Permissions for role SecurityAdmin and ConfigureAdmin allow almost everything
Why is the role "ConfigureAdmin" allowed to change server configuration?
In specification this role is mentioned only in part 3 with "The Role is allowed to change the non-security related configuration settings."

Similar for "PublishSubscribe" (i=14443).
Here only Anonymous and ConfigureAdmin have any rights configured.
All other roles are not even allowed to browse - more related to 1)

In general I would suggest that RolePermissions (for almost all nodes) should be configured by the application.
If any nodes shall be hidden (e.g. for security reasons), then this shall be stated explicitly in the specification.
This makes sense e.g. for TrustList (below ServerConfiguration - CertificateGroups - ...)
This information should be hidden except for the specific role "SecurityAdmin".
Such information is stated for "SessionSecurityDiagnosticsType" in specification part 5 - but not for the other nodes with role permissions assigned in NodeSet2.xml

Other places in part 18 are more ambiguous: "shall provide user credentials with administrator rights like SecurityAdmin Role".
=> Either state explicitly a role which is necessary to get permissions or remove RolePermissions from NodeSet2.xml

Tags: No tags attached.
Commit Version
Fix Due Date

Activities

Randy Armstrong

2024-03-27 14:07

administrator   ~0021047

Last edited: 2024-03-27 14:12

=> Why should the role "AuthenticatedUser" have less permissions than Anonymous?

It does not. Anonymous is a fallback role for permissions that everyone gets. If Anonymous has a permission then an AuthenticatedUser will have that permission.

See https://reference.opcfoundation.org/Core/Part3/v105/docs/4.9

The Anonymous Role is the default Role which is always assigned to all Sessions.

=> Most ridiculous is the "Call" permission on method "ChangePassword" for anonymous users.

Having permission to Call the Method does not mean the Method cannot apply additional checks.
In many cases, the Application Certificate is used to authenticate a Client and no user credentials are required.
All of the cases where you see Anonymous permissions that should not exist are use cases where authentication is based on the Client ApplicationInstance Certificate.

=> If any nodes shall be hidden (e.g. for security reasons), then this shall be stated explicitly in specification.

All of the Roles in the NodeSet are there because of requirements stated in the specification.
See https://reference.opcfoundation.org/Core/Part6/v105/docs/F.5

When a UANodeSet is the normative definition for the Nodes defined by a specification then the RolePermissions in the UANodeSet are the baseline requirements. Implementors may remove Permissions and Roles or add implementation specific Roles, however, they shall not add Permissions to any Well-Known Roles. Implementors may do anything they wish if a UANodeSet does not specify the RolePermissions for a Node.
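
The two rules cited in the note above (Anonymous is held by every Session, and a deployment shall not add Permissions to a Well-Known Role on a node whose baseline sets RolePermissions), as an added example that is not part of the issue thread or of OPC Foundation code. Assumptions: the SecurityAdmin NodeId i=15704, the permission masks in the constructed sample, and the role "ns=1;i=1" used in the demo are illustrative and should be checked against your own NodeSet.

```python
import xml.etree.ElementTree as ET

NS = {"ua": "http://opcfoundation.org/UA/2011/03/UANodeSet.xsd"}
ANONYMOUS = "i=15644"        # role NodeId quoted in the issue
SECURITY_ADMIN = "i=15704"   # assumed well-known NodeId; verify against your NodeSet
WELL_KNOWN = {ANONYMOUS, SECURITY_ADMIN}
BROWSE, READ, CALL = 0x1, 0x20, 0x1000   # PermissionType bits (Part 3)

def role_permissions(xml_text):
    """Map NodeId -> {role NodeId: permission mask} for nodes that set RolePermissions."""
    out = {}
    for node in ET.fromstring(xml_text):
        perms = {rp.text.strip(): int(rp.get("Permissions", "0"))
                 for rp in node.findall("ua:RolePermissions/ua:RolePermission", NS)}
        if perms:
            out[node.get("NodeId")] = perms
    return out

def effective(perms, session_roles):
    """OR the masks of every role the session holds; Anonymous is always held."""
    mask = 0
    for role in set(session_roles) | {ANONYMOUS}:
        mask |= perms.get(role, 0)
    return mask

def added_to_well_known(baseline, deployed):
    """Return (node, role, extra_bits) where a deployment widened a well-known role."""
    findings = []
    for node, base in baseline.items():   # nodes without baseline perms are unconstrained
        for role, mask in deployed.get(node, {}).items():
            extra = mask & ~base.get(role, 0)
            if role in WELL_KNOWN and extra:
                findings.append((node, role, extra))
    return findings

def nodeset(anon_mask):
    # Constructed sample; masks are illustrative, not copied from Opc.Ua.NodeSet2.xml.
    return f"""<UANodeSet xmlns="http://opcfoundation.org/UA/2011/03/UANodeSet.xsd">
  <UAObject NodeId="i=12637" BrowseName="ServerConfiguration">
    <RolePermissions>
      <RolePermission Permissions="{anon_mask}">{ANONYMOUS}</RolePermission>
      <RolePermission Permissions="{BROWSE | READ | CALL}">{SECURITY_ADMIN}</RolePermission>
    </RolePermissions>
  </UAObject>
</UANodeSet>"""

BASELINE = role_permissions(nodeset(BROWSE))
DEPLOYED = role_permissions(nodeset(BROWSE | CALL))   # deployment widened Anonymous

if __name__ == "__main__":
    print(effective(BASELINE["i=12637"], ["ns=1;i=1"]))  # hypothetical role still gets Browse
    print(added_to_well_known(BASELINE, DEPLOYED))
```
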

Thomas Merk

2024-03-27 14:37

reporter   ~0021048

Sorry, I was not aware that each session shall be assigned at least the role "Anonymous".
So this is already the suggested role "AllUsers"...

The reference to NodeSet regarding normative definition is a bit weak from my point of view.
Some hints in the other parts would be good.

Issue History

Date Modified Username Field Change
2024-03-27 13:52 Thomas Merk New Issue
2024-03-27 14:07 Randy Armstrong Note Added: 0021047
2024-03-27 14:09 Randy Armstrong Note Edited: 0021047
2024-03-27 14:10 Randy Armstrong Note Edited: 0021047
2024-03-27 14:11 Randy Armstrong Note Edited: 0021047
2024-03-27 14:11 Randy Armstrong Note Edited: 0021047
2024-03-27 14:12 Randy Armstrong Note Edited: 0021047
2024-03-27 14:37 Thomas Merk Note Added: 0021048
2024-06-18 16:42 Jim Luth Assigned To => Randy Armstrong
2024-06-18 16:42 Jim Luth Status new => assigned