Hello,

At the moment, Roles are not supported by the OPC UA SDK for Java. See https://forum.prosysopc.com/forum/opc-ua-java-sdk/about-roles/ for previous discussion on the topic.

For now, you will have to give different users different rights based on their UserIdentity. You can do this by creating your own implementations of listeners, such as IoManagerListener and NodeManagerListener, and using ServiceContext.getSession().getUserIdentity() to get the UserIdentity and then varying the results of the method based on it.

Hello,

First of all, you should NOT set different Values of AccessLevel Attribute for different Clients. That is what the UserAccessLevel Attribute is intended to be used for. The difference between AccessLevel and UserAccessLevel is that the former is used when user access rights are not considered and the latter is used when they are considered. The OPC UA specification states that UserAccessLevel can restrict restrict the accessibility indicated by the AccessLevel, but not exceed it (https://reference.opcfoundation.org/v104/Core/docs/Part3/5.6.2/). In other words, UserAccessLevel must be equal to or a subset of AccessLevel. The Prosys OPC UA SDK for Java will check both of these Attributes when checking if a Client has the right to perform an operation such as writing a Value to a Node.

Secondly, you say “When the client tries to access some node from the Model, I want to set AccessLevel for the client to a particular node”. OPC UA allows identifying both Clients and their users. Do you want the Server to set the UserAccessLevel based on the application (ApplicationIdentity) or the user of that application (UserIdentity)? If former, you can get the Client’s ApplicationIdentity with ServiceContext.getSession().getClientIdentity() and perform some comparisons with it to determine the UserAccessLevel you wish to set for this particular Client application. If latter, then use UserIdentity as adviced previously.

I would advice against setting UserAccessLevel based on the Client’s ApplicationIdentity as that would limit the access to your Server to only Clients that you have granted access in the listeners. It would also require you to provide each Client application unique ApplicationIdentity or Application Instance Certificate so that you can identify them uniquely in the Server’s code.

UaNode.getBrowseName() returns a QualifiedName object. If you compare that to a String object, their equality check will always fail. Instead, you need to use UaNode.getBrowseName().getName() to get the BrowseName as a String without its namespace index. However, since BrowseNames are not unique, I would recommend comparing NodeIds as they are unique within a Server.

Also, you might need to add null checks before attempting to get and compare the certificate of the Session to a String. Otherwise this part of the code will cause null pointer exceptions when connecting to the Server without a certificate, e.g. anonymously or with username and password. If your Server doesn’t support those type of logins, then you won’t need the checks.

If multiple Clients are connected to the Server at the same time, then listeners will be able to identify the Clients and their users based on ServiceContext as long as the one used to determine the UserAccessLevel (ApplicationIdentity or UserIdentity) is unique. In other words, as long as the solution works for a single connected Client, it will also work for multiple connected Clients as the Server will perform the checks separately for each Client.

Hello,

Have you added MyIoManagerListener to the IoManager of the NodeManager that manages the Nodes you wish to restrict access to? Each IoManagerListener can only see the requests related to the Nodes managed by the NodeManager containing the IoManager containing the listener. See SampleConsoleServer sample application for examples of using NodeManagers and adding listeners to them.

If you have loaded the model from a NodeSet XML-file, you can get its NodeManager with server.getAddressSpace().getNodeManager(modelURI) where server is an instance of UaServer class and modelURI is the URI of the loaded model as a String.

The access to a Node for particular users or applications can be restricted in onGetUserAccessLevel of an implementation of IoManagerListener. The method returns an AccessLevelType instance based on the Node and the ServiceContext, which contains information on both the user and the application requesting that information. You can use either of those to decide what the method should return.