Username/Certificate Based Server Privilege

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

dmiller
Sr. Member
Posts: 13
Joined: 30 May 2013, 18:27

Username/Certificate Based Server Privilege

Post by dmiller »

Dear Unified Automation,

I would like to enable our OPC UA Server to give users different access levels based on their username/password or the certificate.

For example: User1 has Read/Write Privileges on the Server, while User2 has only ReadOnly Privileges.

At login, we know which privilege level the user has (Read Only or Read/Write). However, I have not determined a method to set up the server to then assign that privilege to that user. Thus, I was wondering if the C++ SDK had a feature(s) that, when called properly, would enforce this privilege at the username level (i.e. ReadOnly or Read/Write). If there are feature(s) within the SDK to enable this functionality, a small example would be very appreciated.

Thanks

dmiller

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Username/Certificate Based Server Privilege

Post by Support Team »

Dear dmiller,

The short answer to your question is: the implementation strongly depends on what you want to achieve, or better said, what capabilities your server/system has. But there are some principal steps you must follow, described below. This will give you a guideline:

1) Your own session class derived from UaSession must store whatever you need to know later on for user authorization. This could be a role, the user name, a user group or the OPC UA rights the user has.

2) ServerConfig::createSession() must be implemented to create your application-specific session object, and ServerConfig::logonSessionUser() must be implemented to authenticate the user and to store the user context in the session object.
If the helper class OpcServer is used to implement the main server entry, the callback interface OpcServerCallback must be implemented.

3) You need to set the callback in the OpcServer object.

4) User Authorization: All SDK interface calls triggered by an OPC UA client service call have the Session object as a parameter. You can cast the Session to your class and get all the user information you need to decide whether the user is allowed to access the information.
On the toolkit layer there are different methods you can override or callbacks you can implement to influence behaviour based on the user context.

Best Regards
Support Team.
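A stand-alone C++ model of the four steps in the reply above, as an added example that is not Unified Automation's SDK code: `SessionBase` stands in for `UaSession`, `AppServerConfig` for the application's `ServerConfig`, and the role resolution at logon plus the deny-by-default check in step 4 are shown with plain types so the block compiles without the SDK. All class names, user names, passwords and the certificate thumbprint are hypothetical, constructed sample data; the two SDK entry points the reply names (`createSession()` / `logonSessionUser()`) are mirrored as method names only, not their real signatures.

```cpp
// Added example (not Unified Automation SDK code): a stand-alone C++ model of the
// four steps above. SessionBase stands in for UaSession, AppServerConfig for the
// application's ServerConfig; all names, credentials and thumbprints are constructed.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <memory>
#include <string>

enum class Role { None, ReadOnly, ReadWrite };
enum class Access { Read, Write };
class SessionBase { public: virtual ~SessionBase() = default; };  // stand-in for UaSession

class AppSession : public SessionBase {   // Step 1: holds the authorization context
public:
    std::string user;
    Role role = Role::None;               // no rights until a logon succeeds
};

// Constant-time compare: a rejected password must not leak how many leading bytes matched.
static bool constTimeEqual(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::string::size_type i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Canonical thumbprint form: "aa:bb" and "AABB" must hit the same table entry.
static std::string normThumbprint(std::string t) {
    t.erase(std::remove(t.begin(), t.end(), ':'), t.end());
    for (char& c : t) c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    return t;
}

struct UserRecord { std::string secret;  Role role; };
struct CertRecord { std::string subject; Role role; };

// Steps 2 and 3: create the application session and resolve the role at logon.
// In the SDK this is ServerConfig::createSession() / logonSessionUser(), reached
// through the callback set on the OpcServer object.
class AppServerConfig {
public:
    AppServerConfig() {
        // Constructed sample table; a real server stores password hashes, not plaintext.
        users_["User1"] = {"rw-pass-2013", Role::ReadWrite};
        users_["User2"] = {"ro-pass-2013", Role::ReadOnly};
        certs_[normThumbprint("aa:bb:cc:dd:ee:ff:00:11:22:33")] = {"CN=plc-gateway", Role::ReadOnly};
    }
    std::unique_ptr<SessionBase> createSession() const { return std::make_unique<AppSession>(); }

    // Username/password token. The session is dropped to Role::None first: ActivateSession
    // can be repeated to change identity, so a failed re-logon must not keep earlier rights.
    bool logonSessionUser(SessionBase& s, const std::string& user, const std::string& pw) const {
        auto* app = dynamic_cast<AppSession*>(&s);
        if (!app) return false;
        app->role = Role::None; app->user.clear();
        auto it = users_.find(user);
        if (it == users_.end() || !constTimeEqual(it->second.secret, pw)) return false;
        app->user = user; app->role = it->second.role;
        return true;
    }
    // X.509 token: the role is bound to the thumbprint of a client certificate the
    // server has already validated against its trust list.
    bool logonSessionCertificate(SessionBase& s, const std::string& thumb) const {
        auto* app = dynamic_cast<AppSession*>(&s);
        if (!app) return false;
        app->role = Role::None; app->user.clear();
        auto it = certs_.find(normThumbprint(thumb));
        if (it == certs_.end()) return false;
        app->user = it->second.subject; app->role = it->second.role;
        return true;
    }
private:
    std::map<std::string, UserRecord> users_;
    std::map<std::string, CertRecord> certs_;
};

// Step 4: every service call hands over the session; cast it back to the
// application class and decide. Anything unexpected (wrong type, no logon) is denied.
static bool isAllowed(const SessionBase& s, Access a) {
    const auto* app = dynamic_cast<const AppSession*>(&s);
    if (!app) return false;
    if (app->role == Role::ReadWrite) return true;
    return app->role == Role::ReadOnly && a == Access::Read;
}

// One identity end to end: create the session, log on, request an access.
static bool userMay(const std::string& u, const std::string& pw, Access a) {
    AppServerConfig cfg; auto s = cfg.createSession();
    cfg.logonSessionUser(*s, u, pw);
    return isAllowed(*s, a);
}
static bool certMay(const std::string& thumb, Access a) {
    AppServerConfig cfg; auto s = cfg.createSession();
    cfg.logonSessionCertificate(*s, thumb);
    return isAllowed(*s, a);
}
int main() {
    std::cout << "User2 write allowed: " << userMay("User2", "ro-pass-2013", Access::Write) << '\n';
}
```

Two points the reply leaves implicit are made explicit here: the role is computed by the server at logon and never taken from anything the client sends, and every logon path resets the session to no rights before re-evaluating it, so a later ActivateSession with bad credentials cannot leave a previously granted Read/Write role in place.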
