I am having odd issues with the Ignition v8.3 OPC UA server. I want to allow an external client to connect to Ignition's OPC UA server and write to tags.
Currently, the settings are:
- OPC UA Server Settings -> General Settings
  - Anonymous Access Allowed: false
  - User Source: opcua-module
  - Expose tag providers: true
- OPC UA Server Settings -> Permissions
  - Created a new role called ReadWrite and gave it RW permissions for both default device & default tag permissions
- User Sources
  - Added a user opcuauser to the user sources with a role of ReadWrite
- Identity Providers
  - Created a new provider called opcua-module
  - Added a user grant for opcuauser with an Operator grant
- Tag
  - Created a memory tag with a write permission with the Operator level required
Using the setup above, my opcuauser can log in to the server and browse the tags, but it is unable to write to the memory tag. UaExpert shows a BadUserAccessDenied error. If I change the tag's write permissions to be only Authenticated (a parent-parent of Operator in the tree), the opcuauser write succeeds.
Are custom security levels not supported for OPC UA writes? I would rather not allow my tags write permissions from all users and so far, that seems like my only option.
Additionally, I am able to log in to the OPC UA server using ANY username in ANY User Source; it does not seem to be limited to the users in my opcua-module source. Is there no way to limit what users are allowed to log in via OPC UA?