User Access Control for the Server model object

Questions regarding the use of the .NET SDK 2.0 for Server or Client development or integration into customer products ...

Moderator: uasdknet

jonathang
Hero Member
Posts: 36
Joined: 02 Nov 2015, 19:07

User Access Control for the Server model object

Post by jonathang »

Dear Support Team,

Is there a way to control or limit access to or inside of the Server object (node id = 2253)?

None of the BaseNodeManager.HasAccess methods are triggered when browsing the Server object.

If access control is not possible, is it possible to delete part of that object so that it would not be accessible to the clients?

If deleting part of the object is not possible, is it possible to disable the whole Server object?

There is a server.ServerDiagnostics.EnabledFlag variable but setting it to false does not seem to do anything with the Server object.

What we are looking for is to hide connected client sessions from all connected clients unless they have administrator access.


Sincerely,

Jonathan

Support Team
Hero Member
Posts: 3268
Joined: 18 Mar 2011, 15:09

Re: User Access Control for the Server model object

Post by Support Team »

Hi,

No, it is not possible to delete the server object. The server object is defined by the OPC Foundation and is mandatory (must have). All clients in the world would expect this object to exist in every server, hence deleting it would not comply with the OPC UA specification. All clients in the world would expect to read different information within the server object (server status, namespace array, operational limits, capabilities, and much other important information); if it were not available or not accessible, that would be problematic.

There are recommendations by the OPC Foundation on the access permissions on certain information within the server object, e.g. security-relevant information only available to the "SecurityAdministrator" role.
Best regards
Unified Automation Support Team

jonathang
Hero Member
Posts: 36
Joined: 02 Nov 2015, 19:07

Re: User Access Control for the Server model object

Post by jonathang »

Dear Support Team,

Thank you for the prompt reply.

How can the access to the Server.ServerDiagnostics.SessionsDiagnosticsSummary be controlled? As mentioned in the original post, BaseNodeManager.HasAccess methods are not triggered when the Server object is accessed.


Sincerely,

Jonathan

Support Team
Hero Member
Posts: 3268
Joined: 18 Mar 2011, 15:09

Re: User Access Control for the Server model object

Post by Support Team »

Hi,

You can set RolePermissions at the SessionsDiagnosticsSummary in the method OnRootNodeManagerStarted of your ServerManager implementation.
This example re-uses the RolePermissions of the variable SessionSecurityDiagnosticsArray.

Code:

// Look up the node whose RolePermissions are re-used.
var nodeWithAdminRights = CoreNodeManager.FindInMemoryNode(VariableIds.Server_ServerDiagnostics_SessionsDiagnosticsSummary_SessionSecurityDiagnosticsArray);
// Apply the same RolePermissions to the SessionsDiagnosticsSummary object.
CoreNodeManager.SetNodePermissions(ObjectIds.Server_ServerDiagnostics_SessionsDiagnosticsSummary, nodeWithAdminRights.RolePermissions, true);

In addition you need to set the RolePermissions for each Session when it is created.

Code:

// Apply the same RolePermissions to each session's node when the session is created.
this.SessionManager.SessionCreated += (s, r) =>
{
    CoreNodeManager.SetNodePermissions(s.Id, nodeWithAdminRights.RolePermissions, true);
};

The code was tested with version 4.0.1 of the SDK.
Best regards
Unified Automation Support Team
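
Added example, not part of the Support Team's post and not SDK code: a small Python model of OPC UA role permissions that shows what each of the two steps in the reply above covers. The Node class, the role names, the admin-only permission set, the constructed session name and the reading of the third argument as "apply to child nodes too" are assumptions of this model.

```python
from dataclasses import dataclass, field

BROWSE, READ = 0x01, 0x20   # PermissionType bits (OPC UA Part 3), subset
ANONYMOUS, SECURITY_ADMIN = "Anonymous", "SecurityAdmin"  # stand-ins for role NodeIds

@dataclass
class Node:
    name: str
    role_permissions: dict = None   # role -> bits; None = unrestricted (model assumption)
    children: list = field(default_factory=list)

def set_node_permissions(node, role_permissions, recursive):
    # Model of the call in the post. "recursive" is this model's reading of the
    # third argument; the thread does not say what it means.
    node.role_permissions = dict(role_permissions)
    if recursive:
        for child in node.children:
            set_node_permissions(child, role_permissions, True)

def allowed(node, roles, permission):
    # Effective permissions are the OR over every role the session holds.
    if node.role_permissions is None:
        return True
    granted = 0
    for role in roles:
        granted |= node.role_permissions.get(role, 0)
    return bool(granted & permission)

def browse(node, roles):
    # A reference is returned only if the caller may browse both of its ends.
    if not allowed(node, roles, BROWSE):
        return []
    return [c.name for c in node.children if allowed(c, roles, BROWSE)]

def run(with_session_hook):
    admin_only = {SECURITY_ADMIN: BROWSE | READ}           # constructed sample value
    summary = Node("SessionsDiagnosticsSummary",
                   children=[Node("SessionSecurityDiagnosticsArray", admin_only)])
    set_node_permissions(summary, admin_only, True)        # startup step
    session = Node("Session-1 (constructed)")              # created after startup
    summary.children.append(session)
    if with_session_hook:                                  # SessionCreated step
        set_node_permissions(session, admin_only, True)
    return {
        "anon_browse_summary": browse(summary, [ANONYMOUS]),
        "anon_read_session_by_id": allowed(session, [ANONYMOUS], READ),
        "admin_browse_summary": browse(summary, [SECURITY_ADMIN]),
    }

if __name__ == "__main__":
    for hook in (False, True):
        print("SessionCreated hook:", hook, run(hook))
```

In this model, without the SessionCreated step the summary is hidden from Anonymous, but the session node still passes a Read check when addressed directly, because permissions are evaluated on each node separately.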

jonathang
Hero Member
Posts: 36
Joined: 02 Nov 2015, 19:07

Re: User Access Control for the Server model object

Post by jonathang »

Dear Support Team,

Thank you very much for the information. This is exactly what we are looking for.

We are currently using SDK 2.6.4 so I will try to get the examples working on that next week.

Thank you very much for your help.


Sincerely,

Jonathan

jonathang
Hero Member
Posts: 36
Joined: 02 Nov 2015, 19:07

Re: User Access Control for the Server model object

Post by jonathang »

Dear Support Team,

Thank you very much for your help. I implemented the following code using SDK 2.6.4 and it is working perfectly.

In ServerManager:

Code:

private Node nodeWithAdminRights;

Code:

protected override void OnRootNodeManagerStarted(RootNodeManager nodeManager)
{
...
    SessionManager.SessionCreated += SessionManager_SessionCreated;
    
    nodeWithAdminRights = CoreNodeManager.FindInMemoryNode(VariableIds.Server_ServerDiagnostics_SessionsDiagnosticsSummary_SessionSecurityDiagnosticsArray);
    CoreNodeManager.SetNodePermissions(ObjectIds.Server_ServerDiagnostics_SessionsDiagnosticsSummary, nodeWithAdminRights.Permissions, true);
...
}

Code:

private void SessionManager_SessionCreated(Session session, SessionEventReason reason)
{
    CoreNodeManager.SetNodePermissions(session.Id, nodeWithAdminRights.Permissions, true);
}

Sincerely,

Jonathan

Support Team
Hero Member
Posts: 3268
Joined: 18 Mar 2011, 15:09

Re: User Access Control for the Server model object

Post by Support Team »

Hi,

We very much encourage you to use only the current mainline SDK version in your deployments.
Best regards
Unified Automation Support Team
