Restrict OPC-UA Clients to Read Only

I am wanting to connect a third party OPC-UA client to the Ignition OPC-UA Server. I have set up different credentials for them to use so I can manage their access, but I was wondering if there was a way from the server side to restrict their access to read only. I can’t seem to find a way to only allow a client connection to be read only (other than an Ignition client, which has the option to be read only).

I have, however, noted that the default user source “opcua-module” has a role of ReadWrite. Does Ignition have some internal hard coded role that could be set (i.e. ReadOnly) that will restrict clients to read only? Do I have to depend on the third-party client enforcing the restriction?

Yes, it’s undocumented, but a user with the “ReadOnly” role will only be allowed to read.

This was supposed to be a temporary holdover until we implemented proper role-based access but it never materialized.

The way this is implemented means it will no longer work in 8.0.

Thanks Kevin. That is exactly what I was looking for. One quick question, though. In 8.0, is proper role based access implemented then? It still appears to be using ReadWrite (and I would assume ReadOnly, at least for the build I have installed).

No, it’s not going to make it for 8.0. I’m really not sure when it will happen.

In the 8.0 server right now the roles have no effect at all.

Is this still possible in 7.9.12?

I don’t think this stopped working in 7.9.

Has there been further discussions on implementing any role based security for the OPC-UA server? I would tend to think we have some certain level of trust from connected clients (we have to authenticate the certificates). We have some control over remote tag providers that are exposed (Read/Write on security through the Gateway Network), but only if we don’t already have write access from this connection. Can this be done through tag permissions then (say at parent folders)?

Is it best to just use another Gateway to connect to all these tags and just give it ReadOnly access so that all exposed tags will ONLY have ReadOnly access?

There’s some work happening on the tag security model in Ignition 8. When this is done, exposed tags over OPC UA should take the permissions of the user that has connected into account for reading and writing.

Access control for all the other tags that might be in the server (devices, basically) are still a while away.

ETA for this tag security stuff is like… maybe 8.0.10? Not sure yet, it’s in progress though.

That’s promising to hear!

Hi Kevin, Any update on what OPC UA Server access control updates released with 8.1? Thanks in advance!

Those tag security changes landed in an 8.0.x release.

What this means is that when accessing Exposed Tags (i.e. tags under the Tag Providers folder, when this feature is enabled) through the server the user the connecting client authenticated with is passed through to the tag system and any security settings on your tags will be applied. The auth profile the server is configured to use and the roles assigned to the user the client authenticates with may start to matter to you.

Tags from configured devices (i.e. tags under the Devices folder) still do not have any access control and likely won’t in the near term.
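To make the behaviour described in that post concrete, here is an added illustration in Python. It is not Ignition's code and does not reproduce the actual tag security model (which this thread only summarizes); it models the two points above: on exposed tags the roles of the user the client authenticated with decide reads and writes, with a rule on a folder covering the tags under it, while tags under the Devices folder carry no access control at all. The names `TagSecurity`, `ExposedTagProvider`, `authorize`, `writable_paths`, the node paths and the roles used in the sample configuration are all assumptions made for the example; the status names follow OPC UA's `Good` / `BadUserAccessDenied` convention.

```python
# Added illustration (not Ignition's code): a minimal model of per-user access
# control on exposed tags reached through an OPC UA server session.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# OPC UA-style status names returned by the model.
GOOD = "Good"
DENIED = "BadUserAccessDenied"


@dataclass(frozen=True)
class TagSecurity:
    """Roles allowed to read/write. None means no restriction for that operation."""
    read_roles: Optional[FrozenSet[str]] = None
    write_roles: Optional[FrozenSet[str]] = None


@dataclass
class ExposedTagProvider:
    """Tag security rules keyed by path; a rule on a folder covers its descendants."""
    rules: Dict[str, TagSecurity] = field(default_factory=dict)

    def effective_rule(self, path: str) -> Optional[TagSecurity]:
        parts = path.strip("/").split("/")
        # Walk from the tag itself up to the provider root; the nearest rule wins.
        for depth in range(len(parts), 0, -1):
            rule = self.rules.get("/".join(parts[:depth]))
            if rule is not None:
                return rule
        return None


def authorize(provider: ExposedTagProvider, node_path: str,
              session_roles: FrozenSet[str], op: str) -> str:
    """Decide whether the session may perform op ('read' or 'write') on node_path.

    node_path is the server-side path, e.g. 'Tag Providers/default/Line1/Speed'
    or 'Devices/PLC1/Running' (assumed layout, modelled on the post's wording).
    session_roles are the roles of the user the client authenticated with.
    """
    if op not in ("read", "write"):
        raise ValueError(op)
    top, _, rest = node_path.strip("/").partition("/")
    if top == "Devices":
        # Caveat from the thread: device tags carry no access control at all,
        # so any session that can connect may read and write them.
        return GOOD
    if top != "Tag Providers":
        return "BadNodeIdUnknown"
    rule = provider.effective_rule(rest)
    if rule is None:
        return GOOD
    allowed = rule.read_roles if op == "read" else rule.write_roles
    if allowed is None or session_roles & allowed:
        return GOOD
    return DENIED


def writable_paths(provider: ExposedTagProvider, session_roles: FrozenSet[str],
                   paths: List[str]) -> List[str]:
    """Paths the session could write; an empty list means it is effectively read-only."""
    return [p for p in paths if authorize(provider, p, session_roles, "write") == GOOD]


def demo_provider() -> ExposedTagProvider:
    """Constructed sample configuration (not taken from any real gateway)."""
    return ExposedTagProvider(rules={
        "default": TagSecurity(read_roles=None, write_roles=frozenset({"Operator"})),
        "default/Safety": TagSecurity(write_roles=frozenset({"Engineer"})),
        "default/Recipes": TagSecurity(read_roles=frozenset({"Engineer", "Operator"}),
                                       write_roles=frozenset({"Engineer"})),
    })


if __name__ == "__main__":
    provider = demo_provider()
    read_only_user = frozenset({"ReadOnly"})
    checks = ["Tag Providers/default/Line1/Speed",
              "Tag Providers/default/Safety/Interlock",
              "Devices/PLC1/Running"]
    for path in checks:
        print(path, "read:", authorize(provider, path, read_only_user, "read"),
              "write:", authorize(provider, path, read_only_user, "write"))
    # The device tag shows up here: a "read only" user is not read only on Devices.
    print("still writable:", writable_paths(provider, read_only_user, checks))
```

The `writable_paths` helper is the check a practitioner would want before handing out "read only" credentials: run it over every node path the third-party client is expected to browse, and anything under Devices will be listed, which is exactly the gap the post describes.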

Reviving this. Is there a way to restrict clients to the Ignition OPC-UA server to Read Only in 8.1?

Not outright, no. Just for exposed tags of tag providers using Ignition's tag security model and a shared authentication profile as my last post mentions.

Role-based access control for both devices and exposed tag providers is coming in 8.3.
