OPC UA Well-Known Roles
The table below is a rewrite of the "Well-Known Roles" table from OPC 10000-3 (OPC Unified Architecture Part 3: Address Space Model), Release 1.05.06. We have created one column per distinct permission and filled in the grid according to the prose descriptions in the original table.
| BrowseName | Browse and read non-security related Nodes | Browse and read all type Nodes | Browse | Read live data | Read historical data/events | Subscribe to data/events | Write live data | Call Methods | Read/write configuration data | Change the non-security related configuration settings | Change security related settings |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Anonymous | only in the Server Object | yes | | | | | | | | | |
| AuthenticatedUser | yes | | | | | | | | | | |
| TrustedApplication | yes | | | | | | | | | | |
| Observer | | | yes | yes | yes | yes | | | | | |
| Operator | | | yes | yes | yes | yes | some[1] | some[1] | | | |
| Engineer | | | yes | | yes | yes | | yes | yes | | |
| Supervisor | | | yes | yes | yes | yes | | yes | | | |
| ConfigureAdmin | | | | | | | | | | yes | |
| SecurityAdmin | | | | | | | | | | | yes |
It should be noted that both the original table and our rewritten table are quite imprecise. They certainly cannot serve as normative references. Definitions of many terms (such as "configuration data" and "live data") are missing. Also, the suggested permissions are clearly incomplete: for example, to carry out many practical configuration tasks, the ConfigureAdmin role would need permission to perform at least some browsing outside the type Nodes.
Additional information about the well-known roles can be found in OPC 10000-18 (OPC Unified Architecture Part 18: Role-Based Security), Release 1.05.06. From there, it can be inferred that the Anonymous, AuthenticatedUser and TrustedApplication roles are reserved, in the sense that they cannot be changed or deleted. Depending on the circumstances, they are also used as implicit roles, assigned automatically based on the rules described in that specification.
OPC 10000-14 (OPC Unified Architecture Part 14: PubSub), Release 1.05.06, defines additional well-known roles for the SKS (Security Key Service):
- SecurityKeyServerAdmin
- SecurityKeyServerAccess
- SecurityKeyServerPush
Other OPC UA specifications may define further well-known roles.