User role confusion

Hi,

I want to prevent client applications from being able to write new values to specific tags in my Ignition OPC-UA server, while still allowing my scripts to write them. I assume this is possible but please let me know if it is not!

I tried simply setting the ReadOnly property on the tag to true, but this seems to prevent not only the client user but also the script from writing the value.

What identity does the script engine use when it executes its functions?

And how should I set things up in the user roles/security zones to achieve my goal?

I believe the current OPC server implementation doesn't currently follow security rules to allow granular access like you're wanting for OPC clients. I thought I've heard it mentioned in other threads that either some changes are coming in 8.3, or that was going to be something that was being looked into after 8.3 is released.

I think he’s only asking about setting up tag security, not so much security for external OPC UA clients.

Hi @Kevin.Herron and @michael.flagler ,

Thanks for your replies. Just to clarify - the client I am referring to is a PLC acting as an external OPC-UA client.

So I would like the PLC to have read-only access to certain tags, while the Ignition scripts are still able to change the tag values. Is it possible?

It depends on the tag.

There is some ability to control access to “Exposed Tags” by changing the authentication profile used by the OPC UA module to one with users and roles and tag security configured, but this will only apply to exposed tags and not tags directly from any devices/drivers the server is configured with.

That sounds like what I'm after. All of my tags are "exposed tags". So, let's suppose I set up the authentication profile with two users: "User A" that is able to read and "User B" that is able to read & write. I can set up the PLC to log in as "User A" no problem, but how do I ensure the script is effectively running as "User B"?

It depends on the context, but the scripting will either execute with the security of the user running that session, or with system privileges.


Thank you @Kevin.Herron ,

I think I've managed to achieve my goal by setting the Write permissions on the tag to allow only authenticated users (instead of the default "Public").

It seems that the user who is logged into the OPC-UA server is not considered to be an authenticated user, so they are blocked from writing the tag while the script is still permitted to do so. Does that make sense?
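An added example, not part of the thread and not Ignition's own code, that models the two approaches tried above: the ReadOnly property (which blocks scripts too) versus a Write permission restricted to the Authenticated security level (which blocks the OPC UA client but not the script). The tag dicts copy the shape of an Ignition 8 tag JSON export (readOnly, writePermissions with an AnyOf/AllOf type and a tree of securityLevels); the evaluator is a constructed simplification and assumes that security levels form a tree rooted at Public where holding a level implies its ancestors, that the OPC UA login holds only Public for tag-security purposes (the observation in the last post), and that a gateway script with system privileges bypasses the check. Tag names, the Operator role and the callers are made up for illustration.

```python
"""Model of who may write an Ignition tag (constructed example, not gateway code)."""

PUBLIC = "Public"


def leaf_paths(level, prefix=""):
    """Flatten a securityLevels tree node into slash-separated leaf paths,
    e.g. Authenticated -> Roles -> Operator becomes 'Authenticated/Roles/Operator'."""
    path = prefix + level["name"]
    children = level.get("children", [])
    if not children:
        return [path]
    paths = []
    for child in children:
        paths.extend(leaf_paths(child, path + "/"))
    return paths


def held_levels(granted):
    """Every granted path plus all of its ancestors; everyone holds Public.
    (Modelling assumption: levels are a tree rooted at Public.)"""
    held = {PUBLIC}
    for path in granted:
        parts = path.split("/")
        for i in range(1, len(parts) + 1):
            held.add("/".join(parts[:i]))
    return held


def may_write(tag, caller_levels=(), system=False):
    """Decide whether a write to ``tag`` is allowed.

    readOnly blocks every writer, scripts included (the poster's first attempt).
    system=True models a gateway-scope script with system privileges and is
    assumed here to bypass the permission check. A missing writePermissions
    means the default, Public, so anyone may write.
    """
    if tag.get("readOnly"):
        return False
    if system:
        return True
    perms = tag.get("writePermissions")
    if perms is None:
        return True
    required = []
    for level in perms["securityLevels"]:
        required.extend(leaf_paths(level))
    held = held_levels(caller_levels)
    if perms["type"] == "AllOf":
        return all(r in held for r in required)
    return any(r in held for r in required)  # AnyOf


# Constructed tag configurations (names are hypothetical).
READONLY_TAG = {"name": "SetpointA", "readOnly": True}     # blocks everyone
DEFAULT_TAG = {"name": "SetpointB"}                         # Public may write
AUTH_TAG = {                                                # what finally worked
    "name": "SetpointC",
    "writePermissions": {
        "type": "AnyOf",
        "securityLevels": [{"name": "Authenticated", "children": []}],
    },
}
OPERATOR_TAG = {                                            # stricter: needs a role
    "name": "SetpointD",
    "writePermissions": {
        "type": "AllOf",
        "securityLevels": [{"name": "Authenticated", "children": [
            {"name": "Roles", "children": [{"name": "Operator", "children": []}]}]}],
    },
}

# Constructed callers. The PLC logs in to the OPC UA server as "User A", but
# per the thread that login is not an authenticated session, so it holds only Public.
PLC_CLIENT = ()
OPERATOR_SESSION = ("Authenticated/Roles/Operator",)   # a logged-in Vision/Perspective user


def decisions():
    """Allow/deny for every (tag, caller) pair, keyed by (tag name, caller)."""
    callers = {"plc": (PLC_CLIENT, False),
               "operator": (OPERATOR_SESSION, False),
               "gateway_script": ((), True)}
    out = {}
    for tag in (READONLY_TAG, DEFAULT_TAG, AUTH_TAG, OPERATOR_TAG):
        for who, (levels, system) in callers.items():
            out[(tag["name"], who)] = may_write(tag, levels, system)
    return out


if __name__ == "__main__":
    for (name, who), allowed in sorted(decisions().items()):
        print("%-10s %-15s %s" % (name, who, "write" if allowed else "denied"))
```

Running it shows SetpointA denied to everyone, SetpointB open to all, and SetpointC denied to the PLC but writable by the session user and the gateway script, which is the split the last post describes. Note that the PLC is blocked only because its OPC UA login is modelled as Public; if a future release maps OPC UA logins onto security levels, the same tag configuration would start admitting it.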