I am wanting to connect a third party OPC-UA client to the Ignition OPC-UA Server. I have set up different credentials for them to use so I can manage their access, but I was wondering if there was a way from the server side to restrict their access to read only. I can’t seem to find a way to only allow a client connection to be read only (Other than an Ignition client, which has the option to be read only).
I have, however, noted that the default user source “opcua-module” has a role of ReadWrite. Does Ignition have some internal hard coded role that could be set (i.e. ReadOnly) that will restrict clients to read only? Do I have to depend on the third-party client enforcing the restriction?
Thanks Kevin. That is exactly what I was looking for. One quick question, though. In 8.0, is proper role based access implemented then? It still appears to be using ReadWrite (and I would assume ReadOnly, at least for the build I have installed).
Has there been further discussions on implementing any role based security for the OPC-UA server? I would tend to think we have some certain level of trust from connected clients (we have to authenticate the certificates). We have some control over remote tag providers that are exposed (Read/Write on security through the Gateway Network), but only if we don’t already have write access from this connection. Can this be done through tag permissions then (say at parent folders)?
Is it best to just use another Gateway to connect to all these tags and just give it ReadOnly access so that all exposed tags will ONLY have ReadOnly access?
There’s some work happening on the tag security model in Ignition 8. When this is done, exposed tags over OPC UA should take the permissions of the user that has connected into account for reading and writing.
Access control for all the other tags that might be in the server (devices, basically) are still a while away.
ETA for this tag security stuff is like… maybe 8.0.10? Not sure yet, it’s in progress though.
Those tag security changes landed in an 8.0.x release.
What this means is that when accessing Exposed Tags (i.e. tags under the Tag Providers folder, when this feature is enabled) through the server the user the connecting client authenticated with is passed through to the tag system and any security settings on your tags will be applied. The auth profile the server is configured to use and the roles assigned to the user the client authenticates with may start to matter to you.
Tags from configured devices (i.e. tags under the Devices folder) still do not have any access control and likely won’t in the near term.
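One way to picture the behaviour described in this post (the roles of the user the OPC UA client authenticated with being checked against permissions configured on tag folders under Tag Providers, while tags under Devices carry no access control), as an added example that is not Ignition's code or anything posted in this thread: a small Python model in which folder-level read/write role sets are inherited by child tags and the nearest explicit setting wins. The folder names, role names (ReadOnly, ReadWrite, Operator) and users below are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed illustration of per-folder, role-based tag permissions being
# applied to an authenticated OPC UA user. This is NOT Ignition's
# implementation; folder, role and user names are assumptions for the demo.


@dataclass
class TagNode:
    name: str
    read_roles: Optional[Set[str]] = None    # None = inherit from parent folder
    write_roles: Optional[Set[str]] = None   # None = inherit from parent folder
    children: Dict[str, "TagNode"] = field(default_factory=dict)

    def add(self, name: str, read_roles=None, write_roles=None) -> "TagNode":
        node = TagNode(name, read_roles, write_roles)
        self.children[name] = node
        return node


class TagSecurityModel:
    """Resolves read/write permission for a user on a slash-separated tag path."""

    def __init__(self) -> None:
        self.root = TagNode("root")
        self.users: Dict[str, Set[str]] = {}

    def add_user(self, name: str, roles: Set[str]) -> None:
        self.users[name] = set(roles)

    def _walk(self, path: str) -> List[TagNode]:
        nodes = [self.root]
        for part in path.strip("/").split("/"):
            nodes.append(nodes[-1].children[part])   # KeyError if the path does not exist
        return nodes

    @staticmethod
    def _effective(nodes: List[TagNode], attr: str) -> Optional[Set[str]]:
        # Nearest ancestor (or the tag itself) with an explicit setting wins.
        for node in reversed(nodes):
            roles = getattr(node, attr)
            if roles is not None:
                return roles
        return None

    def can(self, user: str, path: str, op: str) -> bool:
        if op not in ("read", "write"):
            raise ValueError("op must be 'read' or 'write'")
        if user not in self.users:
            return False                      # unknown / unauthenticated user: deny
        nodes = self._walk(path)
        # Device tags carry no access control in this model: any authenticated user.
        if len(nodes) > 1 and nodes[1].name == "Devices":
            return True
        required = self._effective(nodes, "read_roles" if op == "read" else "write_roles")
        if required is None:
            return True                       # no tag security configured anywhere on the path
        return bool(self.users[user] & required)


def build_demo() -> TagSecurityModel:
    """Constructed tag tree and users (assumptions, not a real gateway's configuration)."""
    m = TagSecurityModel()
    providers = m.root.add("Tag Providers")
    default = providers.add("default",
                            read_roles={"ReadOnly", "ReadWrite"},
                            write_roles={"ReadWrite"})
    default.add("Line1").add("Speed")                      # inherits provider-level settings
    default.add("Setpoints", write_roles={"Operator"}).add("SP1")  # folder-level override
    m.root.add("Devices").add("PLC1").add("Counter")      # no access control
    m.add_user("vendor", {"ReadOnly"})                     # third-party client: read only
    m.add_user("scada", {"ReadWrite"})
    m.add_user("ops", {"Operator", "ReadOnly"})
    return m


if __name__ == "__main__":
    m = build_demo()
    for user, path, op in [("vendor", "Tag Providers/default/Line1/Speed", "read"),
                           ("vendor", "Tag Providers/default/Line1/Speed", "write"),
                           ("scada", "Tag Providers/default/Setpoints/SP1", "write"),
                           ("ops", "Tag Providers/default/Setpoints/SP1", "write"),
                           ("vendor", "Devices/PLC1/Counter", "write")]:
        verdict = "allowed" if m.can(user, path, op) else "denied"
        print(f"{user:6} {op:5} {path}: {verdict}")
```

The point the model makes is the one this post makes: restricting a third-party client to read only is achieved by giving its user a role that appears in the read set but not the write set of the relevant provider or folder, and that restriction only covers exposed tags, not anything under Devices.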
Not outright, no. Just for exposed tags of tag providers using Ignition's tag security model and a shared authentication profile as my last post mentions.
Role-based access control for both devices and exposed tag providers is coming in 8.3.