Restrict OPC-UA Clients to Read Only

Herbie · March 19, 2019, 10:17pm

I am wanting to connect a third party OPC-UA client to the Ignition OPC-UA Server. I have setup different credentials for them to use so I can manage their access, but I was wondering if there was a way from the server side to restrict their access to read only. I can’t seem to find a way to only allow a client connection to be read only (Other than an Ignition client, which has the option to be read only).

I have, however, noted that the default user source “opcua-module” has a role of ReadWrite. Does Ignition have some internal hard coded role that could be set (i.e. ReadOnly) that will restrict clients to read only? Do I have to depend on the third-party client enforcing the restriction?

Kevin.Herron · March 19, 2019, 10:30pm

Yes, it’s undocumented, but a user with the “ReadOnly” role will only be allowed to read.

This was supposed to be a temporary holdover until we implemented proper role-based access but it never materialized.

The way this is implemented means it will no longer work in 8.0.

Herbie · March 20, 2019, 2:01pm

Thanks Kevin. That is exactly what I was looking for. One quick question, though. In 8.0, is proper role based access implemented then? I still appears to be using ReadWrite (and I would assume ReadOnly, at least for the build I have installed).

Kevin.Herron · March 20, 2019, 2:08pm

No, it’s not going to make it for 8.0. I’m really not sure when it will happen.

In the 8.0 server right now the roles have no effect at all.

nbrown · January 24, 2020, 10:04pm

Is this still possible in 7.9.12?

Kevin.Herron · January 24, 2020, 10:28pm

I don’t think this stopped working in 7.9.

Herbie · January 27, 2020, 10:21pm

Has there been further discussions on implementing any role based security for the OPC-UA server? I would tend to think we have some certain level of trust from connected clients (we have to authenticate the certificates). We have some control over remote tag providers that are exposed (Read/Write on security through the Gateway Network), but only if we don’t already have write access from this connection. Can this be done through tag permissions then (say at parent folders)?

Is it best to just use another Gateway to connect to all these tags and just give it ReadOnly access so that all exposed tags will ONLY have ReadOnly access?

Kevin.Herron · January 27, 2020, 10:38pm

There’s some work happening on the tag security model in Ignition 8. When this is done, exposed tags over OPC UA should take the permissions of the user that has connected into account for reading and writing.

Access control for all the other tags that might be in the server (devices, basically) are still a while away.

ETA for this tag security stuff is like… maybe 8.0.10? Not sure yet, it’s in progress though.

Herbie · January 27, 2020, 11:35pm

That’s promising to hear!

Eric.Nielsen · September 21, 2020, 11:34am

Hi Kevin, Any update on what OPC UA Server access control updates released with 8.1? Thanks in advance!

Kevin.Herron · September 21, 2020, 12:09pm

Those tag security changes landed in an 8.0.x release.

What this means is that when accessing Exposed Tags (i.e. tags under the Tag Providers folder, when this feature is enabled) through the server the user the connecting client authenticated with is passed through to the tag system and any security settings on your tags will be applied. The auth profile the server is configured to use and the roles assigned to the user the client authenticates with may start to matter to you.

Tags from configured devices (i.e. tags under the Devices folder) still do not have any access control and likely won’t in the near term.