High Performance OPC UA Server SDK
1.7.1.383
This document lists the possible keys and values of the roles configuration file, which can be included from the main configuration file via session.authorization_roles_file. It uses the same syntax as the main configuration file, explained at Settings File Format. A general explanation of roles and permissions can be found at Authorization.
[nstable]
The following section uses nodeids. To load these unambiguously, a mapping from the namespace indices to the respective namespace URLs is required. An entry in the namespace table is needed for each namespace that is used by the nodeids below.
Key | Description |
---|---|
nstable/size | Number of entries in the namespace table. |
nstable/N/url | The URL of the namespace, e.g. http://opcfoundation.org/UA/ for namespace 0. The special name <server> can be used to map an index to the server namespace (which always has index 1 in the running server). The index N is used as the namespace index for nodeids in this file to refer to the respective namespace. |
[roles]
Each role to be configured needs an entry in the roles array. The most important fields are nodeid, name and the identities array; the other fields can be omitted for most use cases.
Key | Description |
---|---|
roles/size | Number of roles. |
roles/N1/nodeid | Unique identifier of the role, mandatory. |
roles/N1/name | Text part of the browsename of the role object; the namespace index of the nodeid is used as its namespace index. Mandatory if the role object is created by the SDK. |
roles/N1/ignore_permissions | If true, node permission checks are skipped for users possessing this role. Should only be enabled for debugging and is not recommended for production use. Optional, default is false. |
roles/N1/custom_configuration | The value of this field is shown in the CustomConfiguration property of the role object. Optional, default is false. |
roles/N1/identities/size | Number of identities (a.k.a. identity mapping rules) for this role. If no identities are given, the role cannot be assigned to any user. |
roles/N1/identities/N2/criteria_type | Criteria type of the identity, one of: ANONYMOUS, AUTHENTICATEDUSER, USERNAME, THUMBPRINT, ROLE, GROUPID, APPLICATION, X509SUBJECT. Mandatory. |
roles/N1/identities/N2/criteria | Criteria value of the identity; its meaning depends on the criteria_type, e.g. the user's name for USERNAME. Ignored for ANONYMOUS and AUTHENTICATEDUSER, otherwise mandatory. |
roles/N1/applications_mode | Determines the handling of the following applications array, one of: IGNORE, INCLUDE, EXCLUDE. Optional, default is IGNORE. |
roles/N1/applications/size | Number of applications; the behavior when this array is empty depends on the applications_mode. |
roles/N1/applications/N3/uri | ApplicationUri of the client to match. |
roles/N1/endpoints_mode | Determines the handling of the following endpoints array, one of: IGNORE, INCLUDE, EXCLUDE. Optional, default is IGNORE. |
roles/N1/endpoints/size | Number of endpoints; the behavior when this array is empty depends on the endpoints_mode. |
roles/N1/endpoints/N4/endpoint_url | The URL of the endpoint to match, may also include a hostname placeholder like opc.tcp://[hostname]:4840, mandatory. |
roles/N1/endpoints/N4/security_mode | The security mode to match, or INVALID; one of: INVALID, NONE, SIGN, SIGNANDENCRYPT. Optional, default is INVALID. |
roles/N1/endpoints/N4/security_policy_uri | The security policy URI to match, or null; for example "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256". Optional, default is null. |
roles/N1/endpoints/N4/transport_profile_uri | The transport profile URI to match, or null; the only meaningful value is http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary. Optional, default is null. |
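As an added example, not part of the SDK or its documentation: a small Python check that applies the rules of the two tables above (mandatory nodeid, namespace present in [nstable], criteria required for all but ANONYMOUS and AUTHENTICATEDUSER, ignore_permissions flagged) to a roles configuration that has already been parsed into flat key/value pairs. The parsed-dict representation and the "ns=N;s=..." nodeid notation are assumptions; the SDK's own file syntax is described at Settings File Format.

```python
import re

# Constructed sample in the flat key/value form documented above (the
# "ns=N;s=..." NodeId notation is an assumption, not taken from the page).
SAMPLE = {
    "nstable/size": "2",
    "nstable/0/url": "http://opcfoundation.org/UA/",
    "nstable/1/url": "<server>",
    "roles/size": "2",
    "roles/0/nodeid": "ns=1;s=Operator",
    "roles/0/identities/size": "1",
    "roles/0/identities/0/criteria_type": "USERNAME",
    "roles/0/identities/0/criteria": "alice",
    "roles/1/nodeid": "ns=3;s=Debug",      # namespace 3 is not in [nstable]
    "roles/1/ignore_permissions": "true",  # skips node permission checks
    "roles/1/identities/size": "1",
    "roles/1/identities/0/criteria_type": "THUMBPRINT",  # criteria missing
}

CRITERIA_TYPES = {"ANONYMOUS", "AUTHENTICATEDUSER", "USERNAME", "THUMBPRINT",
                  "ROLE", "GROUPID", "APPLICATION", "X509SUBJECT"}
NO_CRITERIA_NEEDED = {"ANONYMOUS", "AUTHENTICATEDUSER"}

def check_roles_config(cfg):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    # Namespace indices that have an entry in the [nstable] section.
    known_ns = {i for i in range(int(cfg.get("nstable/size", 0)))
                if f"nstable/{i}/url" in cfg}
    for i in range(int(cfg.get("roles/size", 0))):
        p = f"roles/{i}"
        nodeid = cfg.get(f"{p}/nodeid")
        m = re.match(r"ns=(\d+);", nodeid or "")
        if not nodeid:
            findings.append(f"{p}: nodeid is mandatory")
        elif m and int(m.group(1)) not in known_ns:
            findings.append(f"{p}: nodeid namespace {m.group(1)} missing from [nstable]")
        if cfg.get(f"{p}/ignore_permissions", "false").lower() == "true":
            findings.append(f"{p}: ignore_permissions=true, not for production")
        n_ident = int(cfg.get(f"{p}/identities/size", 0))
        if n_ident == 0:
            findings.append(f"{p}: no identities, role can never be assigned")
        for j in range(n_ident):
            q = f"{p}/identities/{j}"
            ctype = cfg.get(f"{q}/criteria_type")
            if ctype not in CRITERIA_TYPES:
                findings.append(f"{q}: unknown criteria_type {ctype!r}")
            elif ctype not in NO_CRITERIA_NEEDED and not cfg.get(f"{q}/criteria"):
                findings.append(f"{q}: criteria is mandatory for {ctype}")
    return findings
```

Running `check_roles_config(SAMPLE)` reports three findings, all against roles/1; the Operator role passes.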