.NET Based OPC UA Client/Server SDK  3.1.0.500
Assigning Access Rights to Nodes

The Demo Server contains example code for assigning access rights to nodes. It can be found in the files Demo → DemoNodeManager.AccessControl.cs and AccessControlManager.cs in the Visual Studio Solution for the Demo Server. The code shows how to control read and write access to Variable values and browse access to specific nodes.

The BaseNodeManager defines several virtual HasAccess methods. These methods control whether specific content is sent to a client. The default implementation always returns true.

In the example, all information needed for access control is hard-coded. In real-world applications, this information should be retrieved from some kind of database.

The nodes whose access rights differ between users are located in the folder Objects → Demo → 005_AccessRights in the Demo Server address space. There are several subfolders:

Access_All
contains Variables having value attributes that can be read and written by everybody.
Access_John
contains Variables having value attributes that can be read and written by john only (John_RO, John_RW, John_WO) and Variables where john has full access and other users have restricted access.
Access_Operators
contains Variables having value attributes that can be read and written by users of the operators group (Operators_RO, Operators_RW, Operators_WO) and Variables where john has full access and other users have restricted access.
Browse_All
can be browsed by all users.
Browse_John
can only be browsed by the user john.
Browse_Operators
can be browsed by users of the operators group.

A list of users and their passwords can be found in the description of the User Authentication example.

In this example, the class AccessControlManager

  • manages the users (AccessControlManager.AddUser),
  • has hard-coded user groups (enum AccessControlGroup),
  • and checks whether a node’s content can be accessed.

To use this class, we add the AccessControlSettings to the UserData of a node (see DemoNodeManager.SetupAccessControl()). When the SDK calls the methods

  • HasAccess(RequestContext context, BrowseHandle browseHandle)
  • or HasAccess(RequestContext context, NodeAttributeHandle nodeHandle, UserAccessMask accessMasks),

the UserData is checked. If the UserData has the correct type, the HasAccess method of the AccessControlManager is called.
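
The following self-contained sketch is an added example, not the Demo Server's or the SDK's own code. It models the decision flow described above with stand-in types: the members of AccessControlSettings, the Access flags, the group values, the user alice, and the use of a plain string in place of the identity taken from RequestContext are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
// Stand-in types for illustration: members are assumptions, not SDK or Demo Server code.
[Flags] enum AccessControlGroup { None = 0, Operators = 1, John = 2 }
[Flags] enum Access { None = 0, Browse = 1, Read = 2, Write = 4 }

sealed class AccessControlSettings
{
    public Access Everyone = Access.None;   // rights granted to any user, known or not
    public readonly Dictionary<AccessControlGroup, Access> Groups = new Dictionary<AccessControlGroup, Access>();
}

sealed class AccessControlManager
{
    readonly Dictionary<string, AccessControlGroup> m_users = new Dictionary<string, AccessControlGroup>();
    public void AddUser(string name, AccessControlGroup groups) { m_users[name] = groups; }
    // Deny by default: a right must be granted to everyone or to one of the user's groups.
    public bool HasAccess(string user, AccessControlSettings settings, Access requested)
    {
        Access granted = settings.Everyone;
        if (user != null && m_users.TryGetValue(user, out var member))
            foreach (var rule in settings.Groups)
                if ((member & rule.Key) != 0) granted |= rule.Value;
        return (granted & requested) == requested;
    }
}

static class Example
{
    static readonly AccessControlManager Manager = new AccessControlManager();
    // Shape of the node manager override: only UserData of the expected type is checked.
    static bool HasAccess(string user, object userData, Access requested)
    {
        var settings = userData as AccessControlSettings;
        return settings == null || Manager.HasAccess(user, settings, requested);   // untagged node: unrestricted
    }

    static void Main()
    {
        Manager.AddUser("john", AccessControlGroup.John);
        Manager.AddUser("alice", AccessControlGroup.Operators);   // constructed user name
        var readOnly = new AccessControlSettings { Everyone = Access.Browse };
        readOnly.Groups[AccessControlGroup.Operators] = Access.Read;
        readOnly.Groups[AccessControlGroup.John] = Access.Read | Access.Write;
        foreach (var user in new[] { "john", "alice", null })
            Console.WriteLine("{0}: read={1} write={2} untagged-write={3}", user ?? "(anonymous)",
                HasAccess(user, readOnly, Access.Read), HasAccess(user, readOnly, Access.Write),
                HasAccess(user, null, Access.Write));
    }
}
```

Because a node without settings of the expected type falls through to the unrestricted default, every node that must be protected needs its settings attached when the address space is set up.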