Connectivity Software User's Guide and Reference
Examples - Server Access Control - Hierarchical permission assignment

.NET

// This example shows how to create a hierarchical permission assignment in an OPC UA server, for Anonymous, Engineer and
// Operator roles.
// You can use any OPC UA client, including our Connectivity Explorer and OpcCmd utility, to connect to the server. 
//
// Find all latest examples here: https://www.doc-that.com/files/onlinedocs/OPCLabs-ConnectivityStudio/Latest/examples.html .
// OPC client, server and subscriber examples in C# on GitHub: https://github.com/OPCLabs/Examples-ConnectivityStudio-CSharp .
// Missing some example? Ask us for it on our Online Forums, https://forum.opclabs.com/forum/index ! You do not have to own
// a commercial license in order to use Online Forums, and we reply to every post.

using OpcLabs.BaseLib.Security.User.Extensions;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.NodeSpace;
using OpcLabs.EasyOpc.UA.Security.Subject;
using System;

namespace UAServerDocExamples.AccessControl
{
    internal class PermissionAssignment
    {
        public static void Hierarchical()
        {
            // Instantiate the server object.
            // By default, the server will run on endpoint URL "opc.tcp://localhost:48040/".
            var server = new EasyUAServer();

            // Clear the default security roles (Operator) for the Anonymous user.
            server.UserManagers.Anonymous.SecurityRoleIdSet.Clear();

            // Create users with Engineer and Operator roles.
            server.UserManagers.NameAndPassword.CreateWithSecurityRoleIds("engineer", "pass", 
                new string[] {UASecurityRoles.Engineer});
            server.UserManagers.NameAndPassword.CreateWithSecurityRoleIds("operator", "pass", 
                new string[] {UASecurityRoles.Operator});

            // Specify the default permission assignment for the custom nodes under Objects folder. Anonymous users will be
            // able to view only, authenticated users will be also able to modify.
            server.ObjectsNamespaceDefaultPermissionAssignment = UAPermissionAssignment.AuthenticateUserToModify;


            // Define some nodes with different permission assignments.

            // This data variable is readable by anyone, but only writable by authenticated users, because it inherits
            // permission assignments from the Objects folder, which further inherits them from the namespace.
            server.Objects.Add(new UADataVariable("PublicReadableDataVariable").ReadWriteValue(0));

            // This data variable will be readable and writable by anyone. It inherits the read permissions for anyone from
            // the Objects folder, and it adds its own permission assignment for write permissions.
            var publicReadWriteDataVariable = new UADataVariable("PublicReadWriteDataVariable").ReadWriteValue(0);
            publicReadWriteDataVariable.PermissionAssignment = new UAPermissionAssignment
            {
                new UARolePermissions(UASecurityRoles.Anonymous, UAPermissions.ModifyBasic)
            };
            server.Objects.Add(publicReadWriteDataVariable);

            // This data variable will only be accessible to authenticated users. Other users will not even be able to see
            // it (browse for it). We specify that it should not inherit permissions from the namespace, but instead have
            // its own permission assignment.
            var authenticatedDataVariable = new UADataVariable("AuthenticatedDataVariable").ReadWriteValue(0);
            authenticatedDataVariable.PermissionAssignment = new UAPermissionAssignment
            {
                new UARolePermissions(UASecurityRoles.AuthenticatedUser, UAPermissions.ViewBasic | UAPermissions.ModifyBasic)
            };
            authenticatedDataVariable.PermissionsInheritanceType = UAPermissionsInheritanceType.None;
            server.Objects.Add(authenticatedDataVariable);

            // This folder will only be accessible to users with Operator or Engineer security roles. User that do not have
            // any of these security roles will not even be able to see it (browse for it).
            var operatorOrEngineerFolder = new UAFolder("OperatorOrEngineerFolder");
            operatorOrEngineerFolder.PermissionAssignment = new UAPermissionAssignment
            {
                new UARolePermissions(UASecurityRoles.Operator, UAPermissions.ViewBasic | UAPermissions.ModifyBasic),
                new UARolePermissions(UASecurityRoles.Engineer, UAPermissions.ViewBasic | UAPermissions.ModifyBasic),
            };
            operatorOrEngineerFolder.PermissionsInheritanceType = UAPermissionsInheritanceType.None;
            server.Objects.Add(operatorOrEngineerFolder);

            // This data variable will inherit permissions from the OperatorOrEngineerFolder, so it will only be accessible to users
            // with Operator or Engineer security roles. 
            var operatorOrEngineerDataVariable = new UADataVariable("OperatorOrEngineerDataVariable").ReadWriteValue(0);
            operatorOrEngineerFolder.Add(operatorOrEngineerDataVariable);

            // A data variable accessible to Operator but not Engineer (typically, live data).
            var operatorDataVariable = new UADataVariable("OperatorDataVariable").ReadWriteValue(0);
            operatorDataVariable.PermissionAssignment = new UAPermissionAssignment
            {
                new UARolePermissions(UASecurityRoles.Operator, UAPermissions.ViewBasic | UAPermissions.ModifyBasic),
            };
            operatorDataVariable.PermissionsInheritanceType = UAPermissionsInheritanceType.None;
            operatorOrEngineerFolder.Add(operatorDataVariable);

            // A data variable accessible to Engineer but not Operator (typically, configuration data).
            var engineerDataVariable = new UADataVariable("EngineerDataVariable").ReadWriteValue(0);
            engineerDataVariable.PermissionAssignment = new UAPermissionAssignment
            {
                new UARolePermissions(UASecurityRoles.Engineer, UAPermissions.ViewBasic | UAPermissions.ModifyBasic),
            };
            engineerDataVariable.PermissionsInheritanceType = UAPermissionsInheritanceType.None;
            operatorOrEngineerFolder.Add(engineerDataVariable);


            // Start the server.
            Console.WriteLine("The server is starting...");
            server.Start();

            Console.WriteLine("The server is started.");
            Console.WriteLine();

            // Let the user decide when to stop.
            Console.WriteLine("Press Enter to stop the server...");
            Console.ReadLine();

            // Stop the server.
            Console.WriteLine("The server is stopping...");
            server.Stop();

            Console.WriteLine("The server is stopped.");
        }
    }
}
See Also
Examples - Server Access Control - Custom security roles
Examples - Server Access Control - Create named users and assign security roles
Examples - Server Access Control - Allow only anonymous access
Examples - Server Access Control - Allow only users with username and password

OPC Wizard

OPC Wizard Access Control
OPC Wizard Permission Authorization

 

 

Copyright © 2004-2026 CODE Consulting and Development, s.r.o., Plzen. All rights reserved. Web page: www.opclabs.com

Documentation Home, Send Feedback. Resources: Knowledge Base, Product Downloads. Technical support: Online Forums, FAQ.

Missing some example? Ask us for it on our Online Forums! You do not have to own a commercial license in order to use Online Forums, and we reply to every post.

Follow us on X (Twitter) | Follow us on LinkedIn