OPC-UA ReadOnly User Role

This has been discussed before, but I didn't see anything recently. Apparently, prior to 8.0, there was an undocumented feature where a role of "ReadOnly" would not allow that OPC-UA user to write to a tag.

In 2020 @Kevin.Herron said: "Tags from configured devices (i.e. tags under the Devices folder) still do not have any access control and likely won't in the near term."

My questions are:

  • Do the user roles for the OPC-UA server still do nothing?
  • Is there another way to enforce readonly access to OPC-UA tags under the Devices folder?

I have an application where I would like to read tags from a device in the OPC-UA server but have no need or desire for the application to be able to write to the PLC.

No, won't change until sometime in the Ignition 8.3 series, after OPC UA 1.05 support.

That makes me sad, but thanks for the info.

Is there still a possibility or expectation that we'll have role-based OPC-UA connectivity in ver. 8.3?
Similarly, would there ever be a way to filter access to specific parts of the hierarchy such as tag providers, folders, etc?

Trying to figure out if it makes sense to keep hacking our way through third-party OPC-UA support until we get to 8.3, or pick up another piece of software as an intermediary between Ignition's OPC-UA server and other clients/offtakers.

I'm actually working on implementing OPC UA Roles and Permissions in both the Milo SDK and Ignition right now.

The granularity is only going to be per-device and per-provider though, at least for the initial release of the feature.

That is, for any device, or any tag provider, you'll be able to configure whether a role has access to Browse, Read, Write, or Call methods within that device or provider.

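To make the per-device / per-provider granularity described in the last post concrete, here is an added Python model of such a permission check. It is not code from Ignition, the Milo SDK, or anyone in this thread; the role names, the permission set, and the policy table are assumptions constructed for the example, and the scope is taken from the bracketed device/provider name in a NodeId of the form `ns=1;s=[Name]Address`, which I assume here as the naming convention. The point it shows is that a read-only role can deny writes, but that nothing finer than the device or provider (a folder, a single tag) can be expressed in this model, and that an unknown scope or an unparseable NodeId is denied by default.

```python
"""Added illustration of a per-device / per-provider OPC UA role permission
model (hypothetical; not Ignition's or Milo's implementation)."""
import re
from enum import Flag, auto
from typing import Iterable, Optional


class Perm(Flag):
    """Permissions assumed for the example: Browse, Read, Write, Call."""
    NONE = 0
    BROWSE = auto()
    READ = auto()
    WRITE = auto()
    CALL = auto()


# Assumed NodeId convention: ns=1;s=[DeviceOrProvider]Rest/Of/Path.
# Only the bracketed name is used as the permission scope.
_NODE_RE = re.compile(r"^ns=(?P<ns>\d+);s=\[(?P<scope>[^\]]+)\](?P<addr>.*)$")


def scope_of(node_id: str) -> Optional[str]:
    """Return the device/provider name a NodeId belongs to, or None."""
    m = _NODE_RE.match(node_id)
    return m.group("scope") if m else None


# Hypothetical policy, constructed for the example: role -> scope -> perms.
# Anything not listed is implicitly denied.
POLICY = {
    "Operator": {"PLC1": Perm.BROWSE | Perm.READ | Perm.WRITE | Perm.CALL},
    "ReadOnly": {"PLC1": Perm.BROWSE | Perm.READ},
}


def is_allowed(roles: Iterable[str], node_id: str, perm: Perm) -> bool:
    """Default-deny check: the union of the user's roles must grant `perm`
    on the scope resolved from `node_id`."""
    scope = scope_of(node_id)
    if scope is None:          # not a scoped node (e.g. ns=0;i=2253)
        return False
    granted = Perm.NONE
    for role in roles:
        granted |= POLICY.get(role, {}).get(scope, Perm.NONE)
    return perm in granted


def decide(roles: Iterable[str], node_ids: Iterable[str]) -> dict:
    """Convenience: map each NodeId to the (read, write) decision."""
    roles = list(roles)
    return {
        n: (is_allowed(roles, n, Perm.READ), is_allowed(roles, n, Perm.WRITE))
        for n in node_ids
    }


if __name__ == "__main__":
    sample = [
        "ns=1;s=[PLC1]Line1/Speed",       # ordinary tag on PLC1
        "ns=1;s=[PLC1]Admin/Setpoint",    # same device, different folder
        "ns=1;s=[PLC2]Line2/Speed",       # device not in the ReadOnly policy
        "ns=0;i=2253",                    # server object, no scope
    ]
    for node, (rd, wr) in decide(["ReadOnly"], sample).items():
        print(f"{node:32} read={rd!s:5} write={wr}")
```

Note that `[PLC1]Admin/Setpoint` gets exactly the same decision as `[PLC1]Line1/Speed`: the folder is not part of the scope, which is the limitation the post above calls out for the initial release.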