UaModeler  1.6.3.454
HowTo: Using NodeAccessInfo

This tutorial describes how to specify NodeAccessInfo for a node on a server based on the .NET based OPC UA SDK.

Note
NodeAccessInfo is supported by the .NET based OPC UA SDK starting with V2.5.0.

Step 1: Create a New Project

Create a new project as described in steps 1–5 of HowTo: Create a New UaModeler Project With a Method first.

Step 2: Specify Settings for NodeAccessInfo

NodeAccessInfo has to be enabled first. Choose Settings → “Edit Settings…” from the context menu. Expand the section “Modeling”. Then check the box “NodeAccessInfo enabled” under “Editing of NodeAccessInfo”. We have to choose “Role – Role” from the drop-down menu, because this is the only mode that the .NET SDK supports. Finally, check the box “Add Default Roles”. We will use them in the next step.

nodeaccessinfo_settings.png

Step 3: Add a Variable

Right-click on the Objects folder in the Information Model window and select “Add Instance” from the context menu.

add_variable.png

If necessary, switch to the Types View and expand the section “Instance”. Enter the following settings (see screenshot):

  • Pick “Variable” as Node Class.
  • Name the Variable “MyVariable”.
  • Choose “BaseDataVariableType” as Type Definition.
  • Select “Double” as Data Type.
add_variable_2.png

Step 4: Set NodeAccessInfo

To specify NodeAccessInfo for the newly created node, select it in the Information Model Window and switch to the Extensions View. Then expand the section “NodeAccessInfo” if necessary.

First, we have to check “Specify NodeAccessInfo”; otherwise all settings are grayed out. Then select “Operator” from the drop-down menu for “Role1” and “Observer” for “Role2”. You can now check the boxes in the selected columns.

Now we can set the NodeAccessInfo. Set the following permissions (see screenshot) by checking the respective boxes:

  • Check “Other” in the row titled “Read Attribute”.
  • Check “Role1” and “Role2” in the row titled “Read”.
  • Check “Role1” in the row titled “Write”.
  • Check “Other” in the row titled “Browse”.

Note that the boxes for both other roles are automatically checked as soon as you check “Other” in any row. This is intentional.

Confirm your choices with “OK”. Then save your project.

specify_nodeaccessinfo.png

Step 5: Generate Code

Generate code for your project as shown in Step 9: Generating Code of HowTo: Create a New UaModeler Project With a Method.

Step 6: Add Mapping to Roles in Code

Open the generated project file (in our case named NodeAccessInfoExample.csproj) in Visual Studio.

We have to add an ImpersonateUser event handler to TestServerManager.cs.

First we add the OPC UA Base Library:

using UnifiedAutomation.UaBase;

Then we add the event handler to the method OnRootNodeManagerStarted:

this.SessionManager.ImpersonateUser += new ImpersonateEventHandler(SessionManager_ImpersonateUser);

For this example, we’re using the following users and passwords.

UserName   Password
john       master
joe        god

The user john will have the roles “Operator” and “Observer”, user joe only “Observer”.

Note
For simplicity, the usernames and passwords in this example are specified in code. In real world applications, you should use some kind of database.

Add the following method:

private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
    // Anonymous sessions are accepted without any role, so only "Other" permissions apply.
    AnonymousIdentityToken anonymousToken = args.NewIdentity as AnonymousIdentityToken;
    if (anonymousToken != null)
    {
        return;
    }

    // Any token that is not a user name token makes the cast return null;
    // reject it instead of dereferencing null below.
    UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
    if (userNameToken == null)
    {
        args.IdentityValidationError = StatusCodes.BadIdentityTokenRejected;
        return;
    }

    if (userNameToken.UserName == "john")
    {
        if (userNameToken.DecryptedPassword != "master")
        {
            args.IdentityValidationError = StatusCodes.BadUserAccessDenied;
        }
        else
        {
            // john is mapped to both roles: "Operator" and "Observer".
            args.Identity = new UserIdentity(userNameToken);
            args.Identity.ScopeIds.Add(ScopeMapper.GroupId("Operator"));
            args.Identity.ScopeIds.Add(ScopeMapper.GroupId("Observer"));
        }
        return;
    }

    if (userNameToken.UserName == "joe")
    {
        if (userNameToken.DecryptedPassword != "god")
        {
            args.IdentityValidationError = StatusCodes.BadUserAccessDenied;
        }
        else
        {
            // joe is mapped to the role "Observer" only.
            args.Identity = new UserIdentity(userNameToken);
            args.Identity.ScopeIds.Add(ScopeMapper.GroupId("Observer"));
        }
        return;
    }

    // Unknown user name.
    args.IdentityValidationError = StatusCodes.BadIdentityTokenRejected;
    return;
}
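Following the note above about not keeping passwords in code, this added example (not part of the original tutorial or the SDK documentation) shows the same handler backed by a credential store that holds only a per-user salt, a PBKDF2 hash and the role names. UserRecord, m_users, s_dummy, AddUser, Derive, FixedTimeEquals and the iteration count are hypothetical names and values; the dictionary stands in for a real database, and the Rfc2898DeriveBytes overload used needs .NET Framework 4.7.2 or later. Unlike the handler above, it returns the same status code for an unknown user and a wrong password.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using UnifiedAutomation.UaBase;

// Members to add inside the server manager class (all names except the SDK types are hypothetical).
private sealed class UserRecord { public byte[] Salt; public byte[] Hash; public string[] Roles; }

private const int Iterations = 600000; // assumed PBKDF2 work factor; tune for your hardware
// Stand-in for the user database: salt, hash and role names only, never the password.
private readonly Dictionary<string, UserRecord> m_users = new Dictionary<string, UserRecord>();
private static readonly UserRecord s_dummy = new UserRecord { Salt = new byte[16] };

private static byte[] Derive(string password, byte[] salt)
{
    using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        return kdf.GetBytes(32);
}

// Enrolment, done once per user by an admin tool: fresh random salt, store only the hash.
private void AddUser(string name, string password, params string[] roles)
{
    var salt = new byte[16];
    using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
    m_users[name] = new UserRecord { Salt = salt, Hash = Derive(password, salt), Roles = roles };
}

private static bool FixedTimeEquals(byte[] a, byte[] b)
{
    int diff = a.Length ^ b.Length;
    for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
    if (args.NewIdentity is AnonymousIdentityToken) return; // no roles: only "Other" applies
    var token = args.NewIdentity as UserNameIdentityToken;
    if (token == null) { args.IdentityValidationError = StatusCodes.BadIdentityTokenRejected; return; }
    UserRecord user;
    bool known = m_users.TryGetValue(token.UserName ?? "", out user);
    // Run the KDF even for unknown names so both failure paths take similar time.
    byte[] candidate = Derive(token.DecryptedPassword ?? "", known ? user.Salt : s_dummy.Salt);
    if (!known || !FixedTimeEquals(candidate, user.Hash))
    {
        args.IdentityValidationError = StatusCodes.BadUserAccessDenied; // same code for both failures
        return;
    }
    args.Identity = new UserIdentity(token);
    foreach (string role in user.Roles) args.Identity.ScopeIds.Add(ScopeMapper.GroupId(role));
}
```

With this store, the tutorial's two users would be enrolled as AddUser("john", "master", "Operator", "Observer") and AddUser("joe", "god", "Observer").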

Step 7: Prepare Certificate Creation

Finally, we have to prepare the creation of a certificate. Copy the application Opc.Ua.CertificateGenerator.exe from [SDK Installation Directory]\bin to the folder bin next to the Visual Studio solution.

Then open the file Program.cs and add the line

ApplicationInstance.Default.AutoCreateCertificate = true;

above the line

ApplicationInstance.Default.Start(server, null, server);

Now we are ready to compile the server.

Step 8: Test with UaExpert

To test the implementation, start the server and connect with UaExpert.

Select the variable as anonymous user. As we haven’t granted Read access to “Other”, the status code “BadUserAccessDenied” is shown in the Attributes Window (see screenshot).

nodeaccessinfo_anonymous.png

Now change the user to joe (choose Server → Change User…). As john has the permission to read the variable, the status code is “Good” and the value is shown (see screenshot).

nodeaccessinfo_joe.png

When trying to write the value (double-click on the cell and enter a new value), the value doesn’t change and the log window shows the following message from the server:

Write to node 'NS2|Numeric|6002' failed [ret = BadUserAccessDenied].

This behaviour is expected: joe has the role “Observer”, and members of that role are only allowed to read the variable, not to write it.

Now we change the user to john and try to write the variable once more. John has the role “Operator” in addition to “Observer”. As john has the permission to write the value, the log window shows

Write to node 'NS2|Numeric|6002' succeeded [ret = Good].