I have an external party requesting access to a subset of tags for one of my tag providers. I know there are ways to set up an OPC client with access to all our tag providers, but there isn't an obvious way to assign read/write permissions to the clients. This older thread mentions something about tag-level security where the read and write permissions are set up for each tag individually, but I don't see how that translates to the OPC module roles that I have. There is no option in my security levels to specify that a role is an OPC user.
On top of the read/write permissions, I would also only like to expose a very limited number of tags to this client, not every single tag in every tag provider on my gateway, which to my knowledge is the only option when configuring the OPC server.
Is there something I am missing with the OPC server-client configuration here? Or is there a different system that would be better suited to give this other party read access to these tags?
I might be confused about exactly how the roles work because the roles that I provide to the OPC Modules user source are not available to be chosen on the tag security levels. Do I need to add those somehow? The security levels feature has always seemed a little scattered to me.
Keep in mind that, in addition to exposing your tags, your external user will have access to all of the OPC data your drivers are producing. Writably, IIRC.
An alternative would be to expose selected data through a server-mode driver with a common protocol, where you deliberately copy data from your tags to OPC items in such a driver. I happen to offer two such drivers as third-party modules:
I have been dealing with read/write security through Perspective project permissions, as that was the only way for these tags to be interfaced with. This project gateway has hundreds of thousands of tags present (mostly UDT instances, but hundreds of UDTs). Is the only way forward to go through each UDT and set up read/write permissions for the tags? Seems like a nightmare that I have been putting off as I have no idea how the changes in tag permissions will affect the rest of our project 'ecosystem'. On top of that, we have a similar issue with the MQTT engine tags, where they are all public and the OPC server provides access to that tag provider, so I will need to update the UDTs for each Edge instance to also reflect these security configurations?
Like I said, external access controls for the OPC UA server just aren't adequate right now. It's something we're going to improve later, after OPC UA 1.05 and some other OPC-related enhancements are done.