OPC UA server, client user authorization

Starting with Niagara 4.14.u1 and Niagara 4.15, the OpcUaServer component grants access to specific aspects of the OPC UA Server based on user roles and permissions as they are configured in the User Service, Role Service and Category Service. These server-side settings are observed when granting access to specific aspects of the OPC UA Server and include more restrictive access for Anonymous users.

The Niagara OpcUaServer component performs user name and password authentication for users that are created and configured in the Niagara User Service. In versions prior to Niagara 4.14.u1 and Niagara 4.15, this component does not consider the user roles and permissions configured in the User Service, Role Service and Category Service when granting access to specific aspects of the OPC UA Server. In those earlier versions, Anonymous users can also subscribe to (monitor) point values.

Starting with Niagara 4.14.u1 and Niagara 4.15, based on individual user configuration, an OPC UA Client user experiences the following:
  • the user sees only those points and point properties (including units, etc.) where read access is allowed.

  • the user writes to only those points and point properties (including units, etc.) where write access is allowed.

  • the user's access level types and restrictions, as configured, are correctly communicated to the OPC UA client.

Breaking change on version upgrade

OPC UA Server configurations created before Niagara 4.14.u1 and Niagara 4.15 that rely on username and password authentication might start to see User_Access_Denied errors after the upgrade if the users are not assigned appropriate roles and permissions in the User Service. In addition, existing read subscriptions or monitors for Anonymous users will start to fail.

Resolution

To resolve issues caused by the software update, configure any users created for OPC UA authentication with roles that grant the appropriate permissions on the specific components of the driver tree they need to access.
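The following Python model illustrates the behaviour described in the bullet list above and the pre-upgrade check implied by the resolution. It is an added example, not Niagara or OPC UA Foundation code: it reduces Niagara's Role Service to a per-category permission string holding "r" and/or "w" (the real service also has admin-level and invoke flags, and point properties such as units, which are omitted here), uses the standard OPC UA AccessLevel bits CurrentRead (0x01) and CurrentWrite (0x02) and the standard status code Bad_UserAccessDenied (0x801F0000), and treats the Anonymous session as holding no roles. All point paths, category, role and user names are constructed sample data. The `preflight` function reports which existing (user, operation, point) combinations would be refused once role-based checks apply, which is the list an administrator would want before upgrading.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# OPC UA AccessLevel bits (Part 3, AccessLevelType); only the two discussed above
CURRENT_READ = 0x01
CURRENT_WRITE = 0x02

# OPC UA status codes
GOOD = 0x00000000
BAD_USER_ACCESS_DENIED = 0x801F0000   # the page's "User_Access_Denied"
BAD_NODE_ID_UNKNOWN = 0x80340000

ANONYMOUS = "anonymous"  # constructed name for the unauthenticated session


@dataclass
class Point:
    path: str          # constructed station path
    category: str      # Category Service category the point belongs to
    value: float
    access_level: int = CURRENT_READ | CURRENT_WRITE  # what the point itself supports


@dataclass
class Role:
    name: str
    permissions: Dict[str, str]  # category -> "r", "w" or "rw" (simplified, an assumption)


@dataclass
class User:
    name: str
    roles: List[str] = field(default_factory=list)


class OpcUaServerModel:
    """Toy model (assumption, not Niagara's code) of the 4.14.u1 / 4.15 access rules."""

    def __init__(self, points: List[Point], roles: List[Role], users: List[User]):
        self.points = {p.path: p for p in points}
        self.roles = {r.name: r for r in roles}
        self.users = {u.name: u for u in users}

    def _permissions(self, user_name: str, category: str) -> str:
        # Anonymous (or unknown) sessions get nothing; authenticated users get the
        # union of every permission their roles hold for the point's category.
        if user_name == ANONYMOUS or user_name not in self.users:
            return ""
        granted = set()
        for role_name in self.users[user_name].roles:
            granted.update(self.roles[role_name].permissions.get(category, ""))
        return "".join(sorted(granted))

    def user_access_level(self, user_name: str, point: Point) -> int:
        """UserAccessLevel attribute: the point's AccessLevel masked by the user's rights."""
        perms = self._permissions(user_name, point.category)
        mask = (CURRENT_READ if "r" in perms else 0) | (CURRENT_WRITE if "w" in perms else 0)
        return point.access_level & mask

    def browse(self, user_name: str) -> List[str]:
        """Paths the client sees: only points where read access is allowed."""
        return [p.path for p in self.points.values()
                if self.user_access_level(user_name, p) & CURRENT_READ]

    def read(self, user_name: str, path: str) -> Tuple[int, object]:
        point = self.points.get(path)
        if point is None:
            return BAD_NODE_ID_UNKNOWN, None
        if not self.user_access_level(user_name, point) & CURRENT_READ:
            return BAD_USER_ACCESS_DENIED, None
        return GOOD, point.value

    def subscribe(self, user_name: str, path: str) -> int:
        # A monitored item needs the same right as a read, so an Anonymous
        # subscription that worked before the upgrade is now refused.
        return self.read(user_name, path)[0]

    def write(self, user_name: str, path: str, value: float) -> int:
        point = self.points.get(path)
        if point is None:
            return BAD_NODE_ID_UNKNOWN
        if not self.user_access_level(user_name, point) & CURRENT_WRITE:
            return BAD_USER_ACCESS_DENIED
        point.value = value
        return GOOD


def preflight(server: OpcUaServerModel, intended_ops) -> List[Tuple[str, str, str]]:
    """List the (user, op, path) tuples that will be refused under role-based checks."""
    needed = {"read": CURRENT_READ, "subscribe": CURRENT_READ, "write": CURRENT_WRITE}
    return [(u, op, path) for u, op, path in intended_ops
            if not server.user_access_level(u, server.points[path]) & needed[op]]


def build_demo() -> OpcUaServerModel:
    # Constructed sample station: two writable HVAC points, one read-only meter
    points = [Point("Drivers/BacnetNetwork/AHU1/SAT", "HVAC", 18.5),
              Point("Drivers/BacnetNetwork/AHU1/SP", "HVAC", 20.0),
              Point("Drivers/ModbusNetwork/Meter1/kWh", "Metering", 1234.0,
                    access_level=CURRENT_READ)]
    roles = [Role("operator", {"HVAC": "rw"}),
             Role("viewer", {"HVAC": "r", "Metering": "r"})]
    users = [User("opcua_operator", ["operator"]),
             User("opcua_viewer", ["viewer"]),
             User("opcua_legacy", [])]   # pre-upgrade user never assigned a role
    return OpcUaServerModel(points, roles, users)


if __name__ == "__main__":
    srv = build_demo()
    for name in ("opcua_operator", "opcua_viewer", "opcua_legacy", ANONYMOUS):
        print(name, "sees", srv.browse(name))
    print("would be denied:", preflight(srv, [
        ("opcua_legacy", "subscribe", "Drivers/BacnetNetwork/AHU1/SAT"),
        ("opcua_viewer", "write", "Drivers/BacnetNetwork/AHU1/SP"),
        (ANONYMOUS, "subscribe", "Drivers/BacnetNetwork/AHU1/SAT")]))
```

The `opcua_legacy` user is the case the breaking-change note warns about: authentication still succeeds, but with no roles every read, subscription and write returns Bad_UserAccessDenied until a role with the right category permissions is assigned in the User Service.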