User Access Control for the Server model object

Questions regarding the use of the .NET SDK 2.0 for Server or Client development or integration into customer products ...

Moderator: uasdknet

Post Reply
jonathang
Hero Member
Hero Member
Posts: 36
Joined: 02 Nov 2015, 19:07

User Access Control for the Server model object

Post by jonathang »

Dear Support Team,

Is there a way to control or limit access to or inside of the Server object (node id = 2253)?
Image

None of the BaseNodeManager.HasAccess methods are triggered when browsing the Server object.

If access control is not possible, is it possible to delete part of that object so that it would not be accessible to the clients?

If deleting part of the object is not possible, is it possible to disable the whole Server object?

There is a server.ServerDiagnostics.EnabledFlag variable but setting it to false does not seem to do anything with the Server object.

What we are looking for is to hide connected client sessions from all connected clients unless they have administrator access.


Sincerely,

Jonathan

User avatar
Support Team
Hero Member
Hero Member
Posts: 3112
Joined: 18 Mar 2011, 15:09

Re: User Access Control for the Server model object

Post by Support Team »

Hi,

no it is not possible to delete the server object. The server object is defined by the OPC Foundation and is mandatory (must have). All clients in the world would expect this object to exist in every server, hence deleting it would not comply to the OPC UA specification. All clients in the world would expect to read different information within the server object (server status, namespace array, operational limits, capabilities, and many other important information), if not available or not accessable would be problematic.

There are recommendation by the OPC Foundation on the access permissions on certain information within the server object, e.g. security relevant information only available to "SecurityAdministrator" role.
Best regards
Unified Automation Support Team

jonathang
Hero Member
Hero Member
Posts: 36
Joined: 02 Nov 2015, 19:07

Re: User Access Control for the Server model object

Post by jonathang »

Dear Support Team,

Thank you for the prompt reply.

How can the access to the Server.ServerDiagnostics.SessionsDiagnosticsSummary be controlled? As mentioned in the original post, BaseNodeManager.HasAccess methods are not triggered when the Server object is accessed.


Sincerely,

Jonathan

User avatar
Support Team
Hero Member
Hero Member
Posts: 3112
Joined: 18 Mar 2011, 15:09

Re: User Access Control for the Server model object

Post by Support Team »

Hi,

You can set RolePermissions at the SessionDiagnosticsSummary in the method OnRootNodeManagerStarted of your ServerManager implementation.
This example re-uses the RolePermissions of the variable SessionSecurityDiagnosticsArray.

Code: Select all

var nodeWithAdminRights = CoreNodeManager.FindInMemoryNode(VariableIds.Server_ServerDiagnostics_SessionsDiagnosticsSummary_SessionSecurityDiagnosticsArray);
CoreNodeManager.SetNodePermissions(ObjectIds.Server_ServerDiagnostics_SessionsDiagnosticsSummary, nodeWithAdminRights.RolePermissions, true);

In addition you need to set the RolePermissions for each Session when it is created.

Code: Select all

            this.SessionManager.SessionCreated += (s, r) =>
            {
                CoreNodeManager.SetNodePermissions(s.Id, nodeWithAdminRights.RolePermissions, true);
            };

The code was tested with version 4.0.1 of the SDK.
Best regards
Unified Automation Support Team

jonathang
Hero Member
Hero Member
Posts: 36
Joined: 02 Nov 2015, 19:07

Re: User Access Control for the Server model object

Post by jonathang »

Dear Support Team,

Thank you very much for the information. This is exactly what we are looking for.

We are currently using SDK 2.6.4 so I will try to get the examples working on that next week.

Thank you very much for your help.


Sincerely,

Jonathan

jonathang
Hero Member
Hero Member
Posts: 36
Joined: 02 Nov 2015, 19:07

Re: User Access Control for the Server model object

Post by jonathang »

Dear Support Team,

Thank you very much for your help. I implemented the following code using SDK 2.6.4 and it is working perfectly.

In ServerManager:

Code: Select all

private Node nodeWithAdminRights;

Code: Select all

protected override void OnRootNodeManagerStarted(RootNodeManager nodeManager)
{
...
    SessionManager.SessionCreated += SessionManager_SessionCreated;
    
    nodeWithAdminRights = CoreNodeManager.FindInMemoryNode(VariableIds.Server_ServerDiagnostics_SessionsDiagnosticsSummary_SessionSecurityDiagnosticsArray);
    CoreNodeManager.SetNodePermissions(ObjectIds.Server_ServerDiagnostics_SessionsDiagnosticsSummary, nodeWithAdminRights.Permissions, true);
...
}

Code: Select all

private void SessionManager_SessionCreated(Session session, SessionEventReason reason)
{
    CoreNodeManager.SetNodePermissions(session.Id, nodeWithAdminRights.Permissions, true);
}

Sincerely,

Jonathan

Post Reply