Please consider registering

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —

— Match —

— Forum Options —

Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
About Roles
September 30, 2020
10:48, EET
Forum Posts: 3
Member Since:
May 19, 2020
sp_UserOfflineSmall Offline


I’ve already implemented some kind of permission handling on our Prosys OPC UA Server depending on the logged-in user wich is working great so far. Now I’m wondering how to bring roles into play. I know that the standard supports roles (RoleType) and that you should see them in the address space, but oviously I’m no OPC UA expert jet.

Ist there the possibility to implement a role model with the Java SDK compliant to the standard and utilize the RolePermissions, UserRolePermissions and AccessRestrictions attributes of each Node? If I connect with UA Browser, those attributes are shown with a Bad_AttributeIdInvalid exception. How would you suggest handling roles in general?


September 30, 2020
12:41, EET
Bjarne Boström
Forum Posts: 579
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline


I think you are the first to ask this, good question.

Those (Roles, as a concept) were added in OPC UA Specification version 1.04, thus they are relatively new things.

In practice we do not have support for them in the Server side at all.

For the Client side we do read them for UaNode objects, though you will need to use the raw id based API UaNode.readAttribute(UnsignedInteger attributeId) (pass Attributes.RolePermissions for example to it) to get the values of those Attributes (or use UaClient.readXXX methods).

It might be possible to implement them in the server side with IoManagerListeners to handle the new attributes, but you would need to handle the validation of the roles yourself manually. Most places of the SDK does accept have a Listener of sorts which has the ServiceContext as a parameter that can be used to determine the Session/User which made the service call. I would expect it to be somewhat complicated, so preferably we should have some real support for this in the future. Also I’m not sure there is a listener to every possible operation the role system might define.

Since our SDK has existed since the start of OPC UA, it is non-trivial to “glue on” the role system, that was introduced this late so to say to the specification. It should be baked close to the “core”, in my personal opinion. Given that we have had our hands full in other requested features (such as PubSub, which will still continue to take larger than I would like chunk of dev time), we have not yet looked towards the new Attributes (other than the DataTypeDefinition, which had immediate uses).

For the Application layer, i.e. application made using the SDK, but not the SDK code itself, I would look for an existing de-facto standard library that can be used to evaluate roles and use that. Thus maybe something from the answers of: https://stackoverflow.com/questions/3895467/role-based-access-control, though they might be more web-related.

For SDK code, I’m not yet sure how we would implement this. At minimum we could/should add the Attributes to the server side UaNode implementations, though at with UserRolePermissions we would probably want to avoid the same thing that happened with other UserXXX Attributes. On the Client side it makes sense, but on the server side given that it is Session/User based, it really cannot be stored in the UaNodes (and having API to access it from that would also not make sense, though we have tried our best to have the UaNode to be a common client and server side API, so it is a bit … mess). At least in general we try to avoid having too many dependencies, so lets see how it goes in the future (adding the Attributes to do the nodes without also adding the backing functionality would not be a good idea in my opinion).

How critical this these features would be for you in the Server side?

And as extra clarification, most places do have a Listener that can be used for user authorization checks, just that given that those were made before OPC UA 1.04 era, we do not have specific support for the new role Attributes, but most of the authorization checks can be still made.

I think it might be closer to like SDK 5.x, if we could revamp some core parts of the SDK to accommodate these better. Though we also just cannot like rewrite everything (too much work and backwards-compatibility would suffer). I think in 2021 there will be OPC UA 1.05 (or late this year, I do not know exactly when), so given the current trend we would most likely jump major version then (we have done so previously on 1.02, 1.03, 1.04) so we could do probably some a bit larger updates then.

Regardless, at least one part of PubSub does depend on the Roles, so eventually through that the very least they will be implemented in one form or another.

September 30, 2020
13:47, EET
Forum Posts: 3
Member Since:
May 19, 2020
sp_UserOfflineSmall Offline

Hello Bjarne,

thanks for your reply. I can see that the OPC UA role model is quite comprehensive with lots of dependencies regarding node and io management. For now, a lightweight custom solution on the Application layer will do for us I guess.

Regarding the display of Attribute exceptions in UA Browser: Maybe you could change the way those are displayed for optional attributes (bright red suggests something is critically wrong).

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 267

Currently Online:
10 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 103

pramanj: 86

ibrahim: 70

kapsl: 57

gjevremovic: 49

TimK: 41

Fransua33: 39

fred: 38

Rainer Versteeg: 32

Thomas Reuther: 31

Member Stats:

Guest Posters: 0

Members: 1160

Moderators: 15

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1048

Posts: 4416

Newest Members:

jonas.rahm, sophiekohler, zqecortney, adeletoscano947, forestgenders23, auroratrumper, ericmclain04, rblu, starlowery23194, dakotadalgety82

Moderators: Jouni Aro: 853, Otso Palonen: 32, Tuomas Hiltunen: 5, janimakela: 0, Pyry: 1, Terho: 0, Petri: 0, Bjarne Boström: 579, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Teppo Uimonen: 21, Markus Johansson: 24, Matti Siponen: 72, Lusetti: 0

Administrators: admin: 1