Assigning Access Rights to Nodes

Table of Contents

• Example in Demo Server
• Set RolePermissions
• Assign User to Roles

Example in Demo Server

The Demo Server contains example code for assigning access rights to nodes, which can be found in the file Demo → DemoNodeManager.AccessControl.cs and AccessControlManager.cs in the Visual Studio Solution for the Demo Server. It shows how to control the read and write access for Variable values and the browse access for specific nodes.

There are several virtual HasAccess methods defined at the BaseNodeManager. These methods control whether some specific content is send to a client. The default implementation evaluates the RolePermissions defined at the node or the DefaultRolePermissions defined at the NamespaceMetada object of the namespace. The HasAccess methods can be overrided for a custom implementation of the access checks.

In the example the RolePermissions attribute is set at the nodes if required. So all access checks are done by the sdk.

The folder containing nodes with access rights that are different for specific users can be found in the folder Objects → Demo → 005_AccessRights in the Demo Server address space. There are several subfolders:

Folder Name	Description
Access_All	Contains Variables having value attributes that can be read and written by everybody.
Access_John	Contains Variables having value attributes that can be read and written by john only (John_RO, John_RW, John_WO) and Variables where john has full access and other users have restricted access.
Access_Operators	Contains Variables having value attributes that can be read and written by users of the operators group (Operators_RO, Operators_RW, Operators_WO) and Variables where john has full access and other users have restricted access.
Browse_All	Can be browsed by all users.
Browse_John	Can only be browsed by the user john.
Browse_Operators	Can be browsed by users of the operators group.

Set RolePermissions

If the server is not running yet, it is suffucient to set the RolePermissions attribute at a node.

            var rolePermissions = new RolePermissionTypeCollection()
            {
                new RolePermissionType()
                {
                    RoleId = ObjectIds.WellKnownRole_Engineer,
                    Permissions = PermissionTypeDataType.Read | PermissionTypeDataType.Write | PermissionTypeDataType.Browse
                },
                new RolePermissionType()
                {
                    RoleId = ObjectIds.WellKnownRole_Anonymous,
                    Permissions = PermissionTypeDataType.Read | PermissionTypeDataType.Browse
                }
            };

                node.RolePermissions = rolePermissions;

If the server is already running when a node is created, in addition the IRolePermissions property at a node has to be set.

            ObjectNode directoryNode;
            lock (InMemoryNodeLock)
            {
                directoryNode = CreateObject(Server.DefaultRequestContext, settings);

                if (Server.IsRunning)
                {
                    directoryNode.IRolePermissions = ConvertRolePermissions(settings.RolePermissions);
                }
            }

Assign User to Roles

A list of users and their passwords can be found in the description of the User Authentication example.

The Roles are assigned to user by the sdk when the Session is initially activated. The mapping to Roles is described in the RoleConfiguration file (DemoServerRoleConfiguration.xml). This file is installed to %CommonApplicationData%/unifiedautomation/UaSdkNet/RoleConfiguration to ensure that the application has write access to that file.

See the schema file RoleConfiguration.xsd for a detailed description of this configuration file.