Staging tags for external access options (OPC UA?)

I have an external party requesting access to a subset of tags for one of my tag providers. I know there are ways to set up an OPC client with access to all our tag providers, but there isn't an obvious way to assign read/write permissions to the clients. This older thread mentions something about tag-level security where the read and write permissions are set up for each tag individually, but I don't see how that translates to the OPC module roles that I have. There is no option in my security levels to specify that a role is an OPC user.

On top of the read/write permissions, I would also only like to expose a very limited number of tags to this client, not every single tag in every tag provider on my gateway, which to my knowledge is the only option when configuring the OPC server.

Is there something I am missing with the OPC server-client configuration here? Or is there a different system that would be better suited to give this other party read access to these tags?

This level of access control just isn't available right now.

Exposed tags from tag providers are all or nothing. They do obey the user/role permissions, but that's about it.

I might be confused about exactly how the roles work because the roles that I provide to the OPC Modules user source are not available to be chosen on the tag security levels. Do I need to add those somehow? The security levels feature has always seemed a little scattered to me.

I think you need to change the user profile the OPC module is using in the OPC UA > Server settings on the gateway to one that you're using with your tags.

Keep in mind that, in addition to exposing your tags, your external user will have access to all of the OPC data your drivers are producing. Writably, IIRC.

An alternative would be to expose selected data through a server-mode driver with a common protocol, where you deliberately copy data from your tags to OPC items in such a driver. I happen to offer two such drivers as third party modules:

/shameless plug

At the moment, all of my tags are public:
I have been dealing with read/write security through Perspective project permissions, as that was the only way for these tags to be interfaced with. This project gateway has hundreds of thousands of tags present (mostly UDT instances, but hundreds of UDTs). Is the only way forward to go through each UDT and set up read/write permissions for the tags? Seems like a nightmare that I have been putting off, as I have no idea how the changes in tag permissions will affect the rest of our project 'ecosystem'. On top of that, we have a similar issue with the MQTT Engine tags, where they are all public and the OPC server provides access to that tag provider, so I will need to update the UDTs for each Edge instance to also reflect these security configurations?

Have I been doing data security wrong here?

So these modules essentially create a separate OPC server that I can reference tags towards individually?

No, I don't think that's it.

Like I said, external access controls for the OPC UA server just aren't adequate right now. It's something we're going to improve later, after OPC UA 1.05 and some other OPC-related enhancements are done.

No. They create what appears to outside systems as PLCs using the corresponding protocols. Modbus is supported by just about everything under the sun, and Rockwell support isn't far behind.

I've honestly never thought about setting up a Modbus TCP/IP connection over the internet before. Makes sense that it would work, but it never really occurred to me.

Ewww. Well, these PLC protocols have no security....

Yeah, the idea here is I am trying to expose my Cloud Gateway's tags to another SCADA platform. The only connection between the two is the open internet, not some on-site/on-network connection.

I wonder if the WebDev module is what I should actually be looking into here to allow outside sources to request data. I haven't messed with it much before though.

Hmm. I was going to suggest you could use something like Kepware as an intermediate/proxy, but depending on your cloud setup/OS that may not work.

They have a UA client driver that you could connect to Ignition. Install it locally, bring in only the tags you want exposed to 3rd parties, then connect the 3rd parties to that Kepware instance.
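The staging pattern behind both suggestions in this thread (a separate server that is only ever fed the tags you deliberately copy into it, with per-tag read/write rules), as an added plain-Python example that is not code from Ignition, Kepware or the third-party modules mentioned. The tag paths, values and export policy are constructed; the glob patterns stand in for selecting tags across many UDT instances.

```python
from fnmatch import fnmatchcase

# Constructed sample of gateway tags: path -> current value (stands in for a tag provider).
SOURCE_TAGS = {
    "Plant/Line1/Temp": 71.5,
    "Plant/Line1/Setpoint": 70.0,
    "Plant/Line2/Temp": 68.2,
    "Plant/Line2/Setpoint": 69.0,
    "Plant/Admin/ApiKey": "constructed-secret",
}

# Constructed export policy: (glob pattern, permission). First match wins;
# anything that matches nothing is never copied into the staging namespace.
EXPORT_POLICY = [
    ("Plant/Line*/Temp", "read"),
    ("Plant/Line*/Setpoint", "write"),
]


def permission_for(path):
    """Return 'read', 'write' or None (not exposed) for a source tag path."""
    for pattern, perm in EXPORT_POLICY:
        if fnmatchcase(path, pattern):
            return perm
    return None


def build_staging(source):
    """Copy only allow-listed tags into the namespace the external-facing server publishes."""
    return {
        path: {"value": value, "perm": permission_for(path)}
        for path, value in source.items()
        if permission_for(path) is not None
    }


def read_tag(staging, path):
    """External read. Unlisted paths simply do not exist, so the client cannot enumerate hidden tags."""
    entry = staging.get(path)
    return None if entry is None else entry["value"]


def write_tag(staging, source, path, value):
    """External write. Only 'write' tags accept it; the value is then forwarded to the source tag."""
    entry = staging.get(path)
    if entry is None or entry["perm"] != "write":
        return False
    entry["value"] = value
    source[path] = value
    return True
```

Re-run `build_staging` on a timer (or on tag change events) to refresh the copied values; the external party never touches the source provider directly.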