Set Communication to all PLC to read only

What would the steps be to configure the gateway to only read devices and not write?

I think it has to be done with security authentication, roles and OPC-UA settings, but it is not very clear in the manual.

I currently have the OPC-UA settings authentication profile set to opcua-module with allowed roles set to ReadWrite.

Then the ReadWrite role is just a name; I do not see anywhere that you set what access level the role has to the devices.

Thank you,

This isn’t actually possible right now… that role name just hints at some future functionality that hasn’t been implemented yet.

You’ll need to enforce this in your projects somehow instead.

That being said, it might be pretty easy to add this functionality to an upcoming release. I’ll take a look and let you know.

In my OPC SQL tags I have all my access rights on my tags set to “Read Only”, but it appears that when I click a boolean value in the SQL tag browser it still writes to the PLC. Is there somewhere else I need to set read only access? I want to protect from errant clicking when in the designer.

You can turn the designer to read-only mode. Would that help?

When designing the majority of the time I have the designer in full read/write mode because I am working on windows that have update and insert queries to various databases that have no relation to devices or SQLTags. I was just looking for a good way to fail safe against accidentally writing to a device/PLC when in the designer because in our setup we never write to devices/PLCs.

In our old FactorySQL system we never used SQLTags, and we pushed all data in one direction through a SQL server publication, so we never had to worry about writing back to a PLC.

It would be great if a future release had a gateway setting that only allowed read only access to the opc-ua server.

I’ve implemented this and it will be in the next 7.3 release (7.3.4).

The way it works is any user with the role “ReadOnly” will be denied write access - even if the other role named “ReadWrite” is present. If you make a special user with only the “ReadOnly” role, make sure you also add “ReadOnly” to the list of allowed roles in the UA configuration.

After adding the role to the user you have to force a reconnect (edit/save) to the server; the server is only going to be looking at the user’s roles at the time it connected. Changes to roles made after the connection is established won’t be seen until a reconnect is made.

This is a hold-over until we can implement separate configuration of Read/Write permissions on any roles present.
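
The behaviour described in the post above, modelled in Python as an added example (not Ignition code and not from the original thread). `UaServerModel`, `Session`, `stale_sessions` and the sample users are hypothetical names; the model assumes a connection needs at least one role from the allowed list.

```python
# Added model of the behaviour described in the post; not Ignition code.
from dataclasses import dataclass

READ_ONLY = "ReadOnly"  # role name from the post


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset  # snapshot taken at connect time, never refreshed


class UaServerModel:
    """Hypothetical stand-in for the OPC-UA server's role handling."""

    def __init__(self, allowed_roles, user_roles):
        self.allowed_roles = set(allowed_roles)  # "allowed roles" in the UA configuration
        self.user_roles = user_roles             # live user source: user -> set of roles

    def connect(self, user):
        roles = frozenset(self.user_roles.get(user, ()))
        # Assumption: a user with no role in the allowed list cannot connect,
        # which is why a ReadOnly-only user needs ReadOnly in that list.
        if not roles & self.allowed_roles:
            raise PermissionError(f"{user}: no allowed role")
        return Session(user, roles)

    def can_write(self, session):
        # Deny overrides: ReadOnly wins even when ReadWrite is also present.
        return READ_ONLY not in session.roles

    def stale_sessions(self, sessions):
        """Sessions whose snapshot no longer matches the user source (need a reconnect)."""
        return [s for s in sessions
                if s.roles != frozenset(self.user_roles.get(s.user, ()))]


def demo():
    users = {"designer": {"ReadWrite"}, "viewer": {"ReadOnly"}}  # constructed sample users
    server = UaServerModel({"ReadWrite", "ReadOnly"}, users)
    old = server.connect("designer")
    users["designer"].add(READ_ONLY)   # role added after the connection exists
    before = server.can_write(old)     # True: the server only saw the old roles
    stale = server.stale_sessions([old])
    new = server.connect("designer")   # the forced reconnect (edit/save)
    return before, [s.user for s in stale], server.can_write(new)


if __name__ == "__main__":
    print(demo())
```

The stale-session check is the part worth carrying into an operational checklist: after changing roles, any connection opened before the change still has its old write access until it is reconnected.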