Role-based Tag Provider access over OPC Connection

Use case: Publish a subset of gateway ‘A’ connected PLC tags for use by gateway ‘B’ with AD role-based access restrictions.

OPC Connection from Gateway ‘B’ to Gateway ‘A’ has been established.
Mutual TLS using CA root and signed certs between both gateways (maybe not relevant). Would like to integrate “all the security” for this solution.
The gateway ‘A’ tags display on server ‘B’ as expected, but only for ‘Authenticated’ users.
When I change the [Connections -> OPC -> OPC UA Server Settings -> Permissions] Tag Provider Permissions Role to an AD-provided one, the tags are no longer accessible - even though the user has that group (verified in Session Props). I am using the tag browser for testing (I assume it uses the currently logged-in user's role).

I’m probably missing something relatively simple.

No, not how it works...

The OPC UA connection configuration includes the authentication used by that connection.

Your user in the Designer, or Client, or Perspective Session, is entirely irrelevant.

The Ignition Gateway maintains a single, shared connection, to each OPC UA server you configure. Each user/session doesn't get their own.

Ah! I used a service account for the OPC connection itself.

What’s the right way to do this? I want to give user-based access to whoever logs in to the Designer - let them go to town developing on the unrestricted PLC tags only.

I don't think there's any way to do that, at least not with OPC / OPC connections.

You might be able to figure something out using Remote Tag Providers and Tag Permissions, but I'm not sure.

Hmm, I thought that was a major use case for OPC/UA in general. I suppose the entire gateway can just be dedicated to that particular “restriction” case - though I was planning on that being quite a bit more flexible by user.

Thanks for setting me straight, in any case.

Every user having their own private session to every OPC UA server wouldn't scale very far. Many servers, especially those on PLCs, allow a fairly limited number of sessions.

I’m sure. I can still want it :slight_smile:

It does make sense in the classic HMI / PLC (OPC UA Server) pair case... where it's just the single hardware HMI that has one logged on user at any given time... but less sense in a big SCADA system like Ignition is typically used for, with many concurrent logged on users at any given time.

That’s a good point. It probably makes sense to keep Gateway ‘A’ tag provider(s) restricted by the single role (user, service account, whatever) on that gateway. Developers with access to the Designer have access to those tags. I assume end users can have their own set of restrictions placed on them (haven’t developed in Ignition much yet - only setting things up right now).