Correct handling of user / user roles within the server and their access rights


Nils Roettger

Nov 3, 2020, 12:37:25 PM11/3/20
to open62541
Good evening, 

I would like to introduce user levels on my OPC UA server. First of all, it works fine with encryption, self-signed certificates and so on.
But now I would like to adjust the UserAccessLevel of Variable Nodes depending on the user. If I understood the documentation correctly, the node attributes RolePermissions and UserRolePermissions must be used for this, which are not yet supported in open62541, right?
Do you know if this topic is already in progress? I have not found any open pull requests for it. If nothing is available yet, I could take this on myself and afterwards submit a pull request.
But before I start, I would like to ask whether I understand the documentation correctly,
or whether I am on the wrong track and have to find out via another variable which user has read/write/browse rights for which node. And if so, what is this variable called? I already know how to manipulate the SessionContext etc. and how to override the default function. The only thing that is missing is a way to check, for each node, which role it is assigned to.

Thanks in advance. 

BR,
Nils

Joanna J.

May 14, 2021, 3:49:44 AM5/14/21
to open62541
Hi Nils,


Have you made any progress considering the implementation?

Joanna J.

May 18, 2021, 8:07:32 AM5/18/21
to open62541
Hi Community,

I will not create another communication thread regarding the roles implementation in open62541.

If the client calls (e.g.) a method, the access rights in ua_services_method.c shall be verified by checking the method attribute "UserRolePermissions" and the getUserExecutable(OnObject) callback from the AccessControl plugin. Therefore the getUserExecutable(OnObject) method has to be rewritten in order to hold the roles in the current user session context.
Reading the documentation (especially AccessControl Plugin and Attributes) I assume that adding user authorization to open62541 comprises the following steps:

Nodes:
  1. https://open62541.org/doc/current/common.html#attribute-id Extend ./include/open62541/common.h with the write mask
  2. https://open62541.org/doc/current/nodestore.html#base-node-attributes -> extend UA_NodeHead with UserRolePermissions
  3. Extend DataType with RolePermissionType[]
  4. Check or create a Permission Info struct with a setRolePermission method with parameters a, b
    1. Get the id from the role (nodemanager)
    2. Set permissions (flags 0xFF etc.)
  5. Set UserRolePermissions or RolePermissions on specific nodes with a list of RolePermissionsType (roleID and permissions)

SessionContext / Server Namespace 0: (uncertain)
  1. Delete the following line. Question: why has this been deleted?
     open62541/src/server$ grep -r -i role . ./ua_server_ns0.c:    UA_Server_deleteNode(server, UA_NODEID_NUMERIC(0, UA_NS0ID_SERVER_SERVERCAPABILITIES_ROLESET), true);
  2. Am I right that a specific nodeid and object node already exist? /ua-nodeset/AnsiC/opcua_identifiers.h:#define OpcUaId_RoleSetType 156072.
    1. The definition of RoleSetType, Table F.1 in RoleSetType Definition, Section 2 User Authorization, OPC 10000-5, which has to be added to ServerCapabilities, which is done above (I guess)
  3. Create role objects like Observer/Operator/ConfigureAdmin etc. with properties and methods. Question: these objects seem to be already generated: ./build/open62541/src_generated/open62541/namespace0_generated.c:  /* Observer - ns=0;i=15668 */   Can I "just" use them / do I have to implement the callbacks for the methods of RoleType? And if yes, where should I implement them?
  4. Add criteriaType and criteria (like usernames) to rules, which are added to the identity of a Role Object (where in open62541?)
  5. In the session context of the AccessControl plugin, the specific Role Objects have to be added for the logged-in users?
  6. Access control methods like allowAddNode/allowAddReference will return the role-specific permission bound to the user / session context
I am not sure if these steps are correct or incorrect, if I am missing something or completely misunderstanding it. It would be nice if I could get some feedback regarding the user authorization.

Best regards,
Joanna
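Both posts circle around the same mechanism: a node carries a list of (roleId, permissions) entries, the session context records which roles the authenticated user holds, and the access-control callbacks (getUserAccessLevel, getUserExecutable) answer by intersecting the two. The following is an added, self-contained model of that mechanism, written for this thread and not code from open62541 or from either poster. It does not include the open62541 headers, so it can be compiled on its own; the permission bit positions are an assumption modelled on the OPC UA Part 3 PermissionType flags, the Observer role id is the ns=0;i=15668 quoted above, and the other role ids, user names and nodes are constructed placeholders.

```c
/* Added example (not open62541 code): role-permission evaluation of the kind
 * an overridden getUserAccessLevel / getUserExecutable callback would need.
 * Everything here is constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Permission bits, modelled after the OPC UA Part 3 PermissionType flags;
 * the exact bit positions are an assumption, check them against the spec. */
enum {
    PERM_BROWSE = 1u << 0,
    PERM_READ   = 1u << 5,
    PERM_WRITE  = 1u << 6,
    PERM_CALL   = 1u << 12,
};

/* Role identifiers: Observer is the ns=0 id quoted in the thread (i=15668);
 * the others are constructed placeholders, not real NS0 identifiers. */
#define ROLE_OBSERVER 15668u
#define ROLE_OPERATOR 90001u
#define ROLE_ADMIN    90002u
#define MAX_ROLES 8

/* One entry of a node's RolePermissions array (RolePermissionType). */
typedef struct { uint32_t roleId; uint32_t permissions; } RolePermission;

typedef struct {
    const char *name;
    const RolePermission *rolePerms;
    size_t nRolePerms;
} Node;

/* What the plugin would keep in the per-session context after
 * activateSession: the roles granted to the authenticated user. */
typedef struct { uint32_t roles[MAX_ROLES]; size_t nRoles; } SessionContext;

/* Identity-mapping rule (the "criteria" step): username -> roles.
 * Constructed mapping; a real server would read it from RoleSet rules. */
static void assignRoles(SessionContext *ctx, const char *username) {
    ctx->nRoles = 0;
    ctx->roles[ctx->nRoles++] = ROLE_OBSERVER;   /* every authenticated user */
    if (strcmp(username, "operator1") == 0) {
        ctx->roles[ctx->nRoles++] = ROLE_OPERATOR;
    } else if (strcmp(username, "admin") == 0) {
        ctx->roles[ctx->nRoles++] = ROLE_OPERATOR;
        ctx->roles[ctx->nRoles++] = ROLE_ADMIN;
    }
}

/* Effective permissions = union, over the session's roles, of the node's
 * matching RolePermissions entries. A node with no entries grants nothing,
 * which is the safe default when the attribute is missing. */
static uint32_t effectivePermissions(const SessionContext *ctx, const Node *node) {
    uint32_t perms = 0;
    for (size_t i = 0; i < node->nRolePerms; i++)
        for (size_t r = 0; r < ctx->nRoles; r++)
            if (node->rolePerms[i].roleId == ctx->roles[r])
                perms |= node->rolePerms[i].permissions;
    return perms;
}

/* UserAccessLevel byte as an overridden getUserAccessLevel would return it:
 * bit 0 = CurrentRead, bit 1 = CurrentWrite. */
static uint8_t userAccessLevel(const SessionContext *ctx, const Node *node) {
    uint32_t p = effectivePermissions(ctx, node);
    uint8_t level = 0;
    if (p & PERM_READ)  level |= 0x01;
    if (p & PERM_WRITE) level |= 0x02;
    return level;
}

/* UserExecutable as an overridden getUserExecutable would return it. */
static bool userExecutable(const SessionContext *ctx, const Node *method) {
    return (effectivePermissions(ctx, method) & PERM_CALL) != 0;
}

/* Constructed sample address space: a setpoint variable and a reset method. */
static const RolePermission setpointPerms[] = {
    { ROLE_OBSERVER, PERM_BROWSE | PERM_READ },
    { ROLE_OPERATOR, PERM_BROWSE | PERM_READ | PERM_WRITE },
};
static const RolePermission resetPerms[] = {
    { ROLE_ADMIN, PERM_BROWSE | PERM_CALL },
};
static const Node setpointNode = { "Setpoint", setpointPerms, 2 };
static const Node resetMethod  = { "Reset", resetPerms, 1 };

/* Convenience entry points: what a given user gets on a given node. */
static uint8_t accessLevelFor(const char *username, const Node *node) {
    SessionContext ctx; assignRoles(&ctx, username);
    return userAccessLevel(&ctx, node);
}
static bool canCall(const char *username, const Node *method) {
    SessionContext ctx; assignRoles(&ctx, username);
    return userExecutable(&ctx, method);
}

int main(void) {
    const char *users[] = { "viewer", "operator1", "admin" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s Setpoint access level 0x%02x, may call Reset: %s\n",
               users[i], accessLevelFor(users[i], &setpointNode),
               canCall(users[i], &resetMethod) ? "yes" : "no");
    return 0;
}
```

The split mirrors the thread's plan: assignRoles is what activateSession would fill into the session context, effectivePermissions is the per-node lookup Nils was missing, and the two wrappers are the shape of the plugin callbacks. Keeping the default at "no permissions" for nodes without a RolePermissions entry means adding the attribute incrementally cannot accidentally widen access.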

