Role based authorization, fields - RolePermissions, UserRolePermissions, AccessRestrictions, AccessLevel, AccessLevelEx.
October 21, 2024
18:56, EEST
mithun
Member

Hello,

It has been nearly 2 years since this thread (https://forum.prosysopc.com/forum/opc-ua-java-sdk/about-roles/) became dormant. I just wanted to clarify a few things and see if anything has changed.

I am trying to implement an OPC UA server using the Java SDK. I have a role based authentication mechanism in my application system that I use to authorize user access to appropriate actions on particular nodes using the IoManagerListener and the NodeManagerListener.

However, I am facing the same issue as users above, of seeing the following attributes in OPC UA Browser in red:
– RolePermissions
– UserRolePermissions
– AccessRestrictions
– AccessLevel
– AccessLevelEx
with the value: Bad_AttributeIdInvalid (0x80350000) “The attribute is not supported for the specified Node.”

Questions:
1. How do I set (or rather inject visually) the values to the correct values for the user based on their access? What would these correct values be for the above fields for say a read and read/write?

2. In the example on another post, an example code was provided:
    @Override
    public boolean onReadNonValue(ServiceContext serviceContext, NodeId nodeId, UaNode node,
            UnsignedInteger attributeId, DataValue dataValue) throws StatusException {
        if (Attributes.UserRolePermissions.equals(attributeId)) {
            dataValue.setValue(new Variant(new RolePermissionType[] {
                new RolePermissionType(roleNodeId, PermissionType.Browse)}));
            dataValue.setStatusCode(StatusCode.GOOD);
            return true;
        }
        return false;
    }

Here, the RolePermissionType constructor takes a NodeId roleNodeId parameter. How do I get the RoleId for a particular OPCUA Role?

3. Maybe a more primitive question would be, how would I go about merging my application’s role system to the OPCUA Role system? As the protocol defines a set of well-known roles to be implemented by the server – https://reference.opcfoundation.org/Core/Part3/v104/docs/4.8.2#Table%202 , any thoughts on how to correspond these roles to roles in my application would be deeply appreciated.

4. The protocol specifies that if the server supports permissions (which my server does), we have to specify the ” property on the Namespace. https://reference.opcfoundation.org/Core/Part3/v104/docs/5.2.9#:~:text=If%20a%20Server%20supports%20Permissions%20for%20a%20particular%20Namespace%20it%20shall%20add%20the%20DefaultRolePermissions%20Property%20to%20the%20NamespaceMetadata%20Object%20for%20that%20Namespace
Is there a way to do this in the java SDK?

5. How do I manage roles in the UaServer? I see the nodes for roles in the OPC UA Browser (see attachment), but am unable to find any documentation on how to add/manage roles.
https://gcdnb.pbrd.co/images/Hlk0hDWnQmyz.png?o=1

Thank you so much!

October 22, 2024
16:13, EEST
Bjarne Boström
Moderator

Hi,

SDK-wise situation is unchanged and not sure when it will change. We have explored the topic in the context of https://prosysopc.com/products/opc-ua-forge/, but in general I would say it will take some (or more) time before anything can be made to the SDK. It is sort of extremely complicated. In theory it is probably doable via listeners etc. manually, but in general, good luck.

1.
Look at the code you mentioned in 2. Though, of course that alone doesn’t do anything, you need to ensure via listeners etc. stuff that those returned permissions are actually checked.

AccessLevel is an old Attribute (not part of the 1.04 new attributes), that is already supported before. AccessLevelEx has the same bits and some more. Please look at https://reference.opcfoundation.org/Core/Part3/v105/docs/ for that and for the other Attributes.

2.
Any NodeIds defined in the core specification are supplied by the OPC Foundation resource files and generated by us e.g. in com.prosysopc.ua.stack.core.Identifiers.XXX constants. Via autocomplete search in most IDEs you should find some by searching ‘role’, e.g. there seem to be many Identifiers.WellKnownRole_XXX constants, I would assume those are them.

3.
Good Question, basically “no idea”, if they do not map 1:1, please ask in https://opcfoundation.org/forum/, if the spec doesn’t mention. Anyway doing/investigating/researching that would be outside of the scope of normal support.

4.
Anything that is just nodes, i.e. their Attributes (the supported ones) and References between them should work with the SDK via normal UaNode operations.

5.
Not supported. Those nodes just “happen to be there”, because the core information model (one of the resource files provided by the OPC Foundation) includes them (similar to many other nodes for features that not a lot of SDKs support yet), and we mostly just load it as-is. In theory if you want you could try to implement them manually via e.g. MyMethodManagerListener-listeners (see samples).
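
Added example, not part of the original posts and not Prosys SDK code: a plain-Java illustration of how UserRolePermissions and UserAccessLevel could be derived for a read-only and a read/write user, so that the value shown to a client and the value enforced in the listeners come from one place. Bit positions follow the PermissionType and AccessLevelType definitions in OPC UA Part 3; the application role names, their mapping to well-known roles (referenced by browse name, not NodeId), and the rule tying Read/Write permission to CurrentRead/CurrentWrite are assumptions.

```java
import java.util.*;

// Added illustration: plain Java, no SDK types. All role names and the sample
// node below are constructed for this example.
public class RolePermissionDemo {
    // PermissionType bits (OPC UA Part 3): Browse = bit 0, Read = bit 5, Write = bit 6
    static final int BROWSE = 1, READ = 1 << 5, WRITE = 1 << 6;
    // AccessLevelType bits: CurrentRead = bit 0, CurrentWrite = bit 1
    static final int CURRENT_READ = 1, CURRENT_WRITE = 1 << 1;

    // Hypothetical application roles mapped to well-known role browse names.
    static final Map<String, String> APP_TO_UA_ROLE = Map.of(
        "viewer", "Observer", "technician", "Operator", "admin", "ConfigureAdmin");

    /** UserRolePermissions: the node's RolePermissions entries for roles the session holds. */
    static Map<String, Integer> userRolePermissions(Map<String, Integer> rolePermissions,
                                                    Set<String> appRoles) {
        Map<String, Integer> result = new TreeMap<>();
        for (String appRole : appRoles) {
            String uaRole = APP_TO_UA_ROLE.get(appRole); // unmapped roles grant nothing
            if (uaRole != null && rolePermissions.containsKey(uaRole)) {
                result.put(uaRole, rolePermissions.get(uaRole));
            }
        }
        return result;
    }

    /** UserAccessLevel: the node's AccessLevel with bits cleared when the permission is missing. */
    static int userAccessLevel(int accessLevel, Map<String, Integer> userRolePermissions) {
        int effective = 0;
        for (int mask : userRolePermissions.values()) effective |= mask; // union over held roles
        int allowed = 0;
        if ((effective & READ) != 0) allowed |= CURRENT_READ;
        if ((effective & WRITE) != 0) allowed |= CURRENT_WRITE;
        return accessLevel & allowed;
    }

    public static void main(String[] args) {
        // Constructed RolePermissions for one variable node.
        Map<String, Integer> node = Map.of(
            "Observer", BROWSE | READ,
            "Operator", BROWSE | READ | WRITE);
        int accessLevel = CURRENT_READ | CURRENT_WRITE;
        for (Set<String> roles : List.of(Set.of("viewer"), Set.of("viewer", "technician"), Set.of("guest"))) {
            Map<String, Integer> urp = userRolePermissions(node, roles);
            System.out.println(roles + " -> UserRolePermissions=" + urp
                + " UserAccessLevel=" + userAccessLevel(accessLevel, urp));
        }
    }
}
```

The same two functions would back both the attribute read (what the client sees) and the read/write checks in the listeners, since returning the attribute alone enforces nothing.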

October 24, 2024
0:22, EEST
mithun
Member

Awesome, that was all the info I was looking for, Thank you!

A follow-up. Do you have any info on the timeline for implementation of role and role based attribute features?

October 24, 2024
14:33, EEST
Bjarne Boström
Moderator

No info at the moment, sorry. You can talk with sales@prosysopc.com, but I think it will be quite some time before anything happens on SDK-level. I guess in theory via https://prosysopc.com/services/ some application-design-help/support could be done since https://prosysopc.com/products/opc-ua-forge/ basically “does just use the SDK” (and other libraries), though in a complex manner (and it doesn’t exactly “implement UA Roles”, but sort of borrows the ideas and the role types, but it does implement some of the listeners i.e. it sort of does what I said above “In theory it is probably doable via listeners etc. manually, but in general, good luck.”), but that is something you would need to discuss with sales.
