Authorization Model and Authorization Transfer

Kevin1
Jr. Member
Posts: 1
Joined: 23 Feb 2018, 10:31

Authorization Model and Authorization Transfer

Post by Kevin1 »

Hello Support-Team,

I am very interested in the security of the OPC UA, especially the authorization model.
I have actually read many parts of the OPC UA standard but have not found enough material, so I hope you can clarify some points for me.

1- Is there any standard defined for the transaction of access rights or similar?
In the standard I found:
2.4.8. User Authorization
OPC UA provides a mechanism to exchange user credentials but does not specify how the applications use these credentials. Client and Server applications may determine in their own way what data is accessible and what operations are authorized. Profiles exist to indicate the support of user credentials to restrict or control access to data.

5.2.4 Authorization
OPC UA does not specify how user or Client Authorization is to be provided. OPC UA Applications that are part of a larger industrial automation product may manage Authorizations consistent with the Authorization management of that product. Identification and Authentication of users is specified in OPC UA so that Client and Server applications can recognize the user in order to determine the Authorization level of the user.

So I was confused is there any standard or not?

2 - Do you only offer the authorization on node level by attaching the allowed user?
To sum up, the user does not know anything about his/her access rights, am I right?

3 - Do you use the X.509v3 extensions for access rights?

4 - Have I missed anything related to the security objective authorization?

Thanks in advance!

Support Team
Hero Member
Posts: 3070
Joined: 18 Mar 2011, 15:09

Re: Authorization Model and Authorization Transfer

Post by Support Team »

Hello Kevin,

1) User authentication:
OPC UA defines UserIdentityTokens that can be passed as a parameter in the ActivateSessionRequest. There are different types of tokens defined: AnonymousIdentityToken, UserNameIdentityToken, X509IdentityToken, IssuedIdentityToken.
A client can see which tokens are supported by the server by reading the EndpointDescriptions on the server.

2) Authorization:
The server application defines which permissions a certain session context has. That decision may be based on a UserToken or on other parameters, e.g. the Endpoint the client connected to, or the ApplicationUri of the client.

A client can see its current permissions on a specific node by reading the UserRolePermission attribute.
Note that this feature was added in Spec 1.04 and is not yet available in any released products.

Best regards
Unified Automation Support Team
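
The two halves of the answer above (the identity token presented in ActivateSession, and the server's own decision about what that session may do on a node) can be put together in a small model. The following is an added example, not code from the Unified Automation SDK or from the forum post: it shows a session context built from a validated identity token plus the endpoint and client ApplicationUri, an application-specific mapping of that context to roles, and the union of a node's RolePermissions entries that the client would get back when reading UserRolePermissions. The role names follow the well-known roles of Part 3 (Anonymous, AuthenticatedUser, Operator, Engineer, ConfigureAdmin); the PermissionType bit values are written down from memory and should be checked against the 1.04 text; the user names, certificate subject, endpoint URLs, ApplicationUris and the mapping rules themselves are hypothetical.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Subset of the PermissionType bit mask (OPC UA Part 3, 1.04). The numeric
// values are given from memory; verify them against the specification.
enum Permission : uint32_t {
    Browse              = 0x0001,
    ReadRolePermissions = 0x0002,
    WriteAttribute      = 0x0004,
    Read                = 0x0020,
    Write               = 0x0040,
    ReadHistory         = 0x0080,
    Call                = 0x1000,
};

// The four UserIdentityToken kinds that ActivateSession accepts.
enum class TokenType { Anonymous, UserName, X509, Issued };

// What the server knows about a session once ActivateSession has succeeded.
// Authentication is already done here (password checked, certificate chain
// verified, issued token validated); this struct is the input to authorization.
struct SessionContext {
    TokenType   token;
    std::string userName;      // UserNameIdentityToken only
    std::string certSubject;   // X509IdentityToken only
    std::string endpointUrl;   // endpoint the client connected to
    std::string clientAppUri;  // ApplicationUri of the client application
};

// One entry of a node's RolePermissions attribute.
struct RolePermission {
    std::string role;
    uint32_t    permissions;
};

struct Node {
    std::string nodeId;
    std::vector<RolePermission> rolePermissions;
};

// Application-specific role mapping (hypothetical). The spec leaves this to
// the product; here it combines token type, user, certificate, endpoint and
// client ApplicationUri, as the answer above says a server may.
std::set<std::string> mapRoles(const SessionContext& s) {
    std::set<std::string> roles{"Anonymous"};          // every session
    if (s.token != TokenType::Anonymous)
        roles.insert("AuthenticatedUser");
    if (s.token == TokenType::UserName && s.userName == "operator")
        roles.insert("Operator");
    if (s.token == TokenType::UserName && s.userName == "engineer")
        roles.insert("Engineer");
    // A client certificate issued to the maintenance laptop counts as Engineer.
    if (s.token == TokenType::X509 && s.certSubject == "CN=maintenance-laptop")
        roles.insert("Engineer");
    // Configuration rights only on the dedicated maintenance endpoint and only
    // for an Engineer session coming from the engineering tool (all hypothetical).
    if (roles.count("Engineer") && s.endpointUrl == "opc.tcp://plc:4841/maint"
        && s.clientAppUri == "urn:plant:engineering-tool")
        roles.insert("ConfigureAdmin");
    return roles;
}

// Effective permissions: union of the node's RolePermissions entries whose
// role the session holds. This is what the client reads as UserRolePermissions.
uint32_t userRolePermissions(const Node& n, const SessionContext& s) {
    const std::set<std::string> roles = mapRoles(s);
    uint32_t effective = 0;
    for (const RolePermission& rp : n.rolePermissions)
        if (roles.count(rp.role))
            effective |= rp.permissions;
    return effective;
}

// Server-side check before executing a service on the node.
bool allowed(const Node& n, const SessionContext& s, Permission p) {
    return (userRolePermissions(n, s) & p) == static_cast<uint32_t>(p);
}

// Human-readable form of a mask, e.g. for a client showing what it may do.
std::vector<std::string> describe(uint32_t mask) {
    static const std::vector<std::pair<Permission, const char*>> names = {
        {Browse, "Browse"}, {ReadRolePermissions, "ReadRolePermissions"},
        {WriteAttribute, "WriteAttribute"}, {Read, "Read"}, {Write, "Write"},
        {ReadHistory, "ReadHistory"}, {Call, "Call"},
    };
    std::vector<std::string> out;
    for (const auto& entry : names)
        if (mask & entry.first) out.push_back(entry.second);
    return out;
}

// Constructed sample node: anyone may browse, authenticated users may read,
// operators may write, engineers may also read the RolePermissions attribute,
// and only ConfigureAdmin may change other attributes.
Node sampleNode() {
    return Node{"ns=2;s=Pump1.Setpoint", {
        {"Anonymous",         Browse},
        {"AuthenticatedUser", Browse | Read},
        {"Operator",          Browse | Read | Write},
        {"Engineer",          Browse | Read | Write | ReadRolePermissions},
        {"ConfigureAdmin",    WriteAttribute},
    }};
}

// Constructed sessions for three of the token kinds named in the answer.
SessionContext anonymousSession() {
    return {TokenType::Anonymous, "", "", "opc.tcp://plc:4840", "urn:plant:hmi"};
}
SessionContext operatorSession() {
    return {TokenType::UserName, "operator", "", "opc.tcp://plc:4840", "urn:plant:hmi"};
}
SessionContext maintenanceSession() {
    return {TokenType::X509, "", "CN=maintenance-laptop",
            "opc.tcp://plc:4841/maint", "urn:plant:engineering-tool"};
}
```

The point the model makes: the identity token only establishes who the session is; which permissions that yields on a given node is the server's decision, and moving the same X509 session from the maintenance endpoint to the default endpoint silently drops the ConfigureAdmin role. A client that wants to know its rights in advance has to read UserRolePermissions per node rather than infer them from the token it presented.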
