Allow an Observer to write data...

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

tommys
Sr. Member
Posts: 15
Joined: 03 Oct 2023, 16:42

Allow an Observer to write data...

Post by tommys »

Hi,

I have a specific need and would like a user with the well-known OPC UA Observer role to be able to write to some variables. I have therefore overridden the beforeSetAttributeValue method and added a check on whether the checkWriteMask should be set or not. For our special user, the intention is to set this flag to False to allow modifications of this node variable even though the user only has the Observer role with the default NodeAccessInfo::PERMISSION_OBSERVATION set.

However, it seems that we don't get that far: the Write service does not call our beforeSetAttributeValue method because the check in IOUaManagerNode::beginWrite: if (pVariable->isWritable(pTransaction->pSession(), d->m_pDefaultAccessPermissions) says this variable is not writeable by the defaultAccessPermission for the current user.

By reading the documentation of beforeSetAttributeValue's checkWriteMask: "Flag indicating if the write mask of the node attribute or the access level for the value attribute should be checked in UaNode::setAttributeValue", I get the impression that method beforeSetAttributeValue is always called, and only if I set the checkWriteMask to TRUE, write permissions will be checked. That would allow me to set checkWriteMask to FALSE for my specific situation in order to bypass the user role permissions that would allow the node variable to be written to. Unfortunately, this is not the case it seems.

A workaround that I'm thinking of is to add PERMISSION_WRITE to the Observer role and always return false for this user role, unless my special condition holds, in which case I proceed and return true. This solution feels fine to me, but I'm wondering if there is another, better way to solve this?

Regards,
/Tommy

Support Team
Hero Member
Posts: 3073
Joined: 18 Mar 2011, 15:09

Re: Allow an Observer to write data...

Post by Support Team »

Hi,

You are trying to find a way to disable the checks that are done in the SDK based on the role configuration. It is probably not smart to use the SDK outside its intention.

By hooking in beforeSetAttributeValue you can restrict a permission that has been granted, BUT you cannot disable a permission check that was already done! So the approach to allow writing to all users and restrict the write access for all users except one or more specific users in beforeSetAttributeValue would work, but...

However, we recommend using the role concept as intended. A permission is granted or not granted based on a role. When a user logs in you can decide which role the user gets. To get the behaviour you want you just keep the read permission for operator and add write permission for another role e.g. operator or some user defined role. When the special user logs in you just assign that additional role to the user context. Everything will then just work out of the box.

Best regards
Unified Automation Support Team
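
The check order described in this thread, as a simplified C++ model added here (not part of the original posts and not the SDK's code): the role check runs before the hook, so the hook can only veto, and write access is granted by assigning an additional role at login. All type and function names, the role name "SetpointWriter" and the user name "special" are assumptions made for illustration.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <set>
#include <string>

// Simplified model, not the SDK's API: every type and name below is hypothetical.
enum Permission : uint32_t { PERM_READ = 1u << 0, PERM_WRITE = 1u << 1 };

// Per-node role permissions: role name -> permission bits granted to that role.
using RolePermissions = std::map<std::string, uint32_t>;

struct Session { std::string user; std::set<std::string> roles; };  // roles set at login

// Stand-in for a "before write" hook: it runs only after the role check passed,
// so it can veto a write but never grant one.
using BeforeWriteHook = std::function<bool(const Session&)>;

// Union of the permissions of every role the session holds.
uint32_t effectivePermissions(const RolePermissions& node, const Session& s) {
    uint32_t bits = 0;
    for (const auto& role : s.roles) {
        auto it = node.find(role);
        if (it != node.end()) bits |= it->second;
    }
    return bits;
}

// Write path in the order described in the thread: role check first, hook second.
bool tryWrite(const RolePermissions& node, const Session& s, const BeforeWriteHook& hook) {
    if (!(effectivePermissions(node, s) & PERM_WRITE)) return false;  // hook never reached
    return !hook || hook(s);
}

// Login-time role assignment as recommended in the reply: everyone is an Observer,
// the special user additionally gets a user-defined role (made-up name).
Session login(const std::string& user) {
    Session s{user, {"Observer"}};
    if (user == "special") s.roles.insert("SetpointWriter");
    return s;
}

// Node configuration: Observer may read, SetpointWriter may write.
RolePermissions exampleNode() {
    return {{"Observer", PERM_READ}, {"SetpointWriter", PERM_WRITE}};
}

int main() { return tryWrite(exampleNode(), login("special"), nullptr) ? 0 : 1; }
```

With this layout the Observer role itself never carries write permission, so no hook has to be trusted to remove it again for every other user.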
