Authentication

User authentication

The WinCC OA OPC UA server can operate with or without user authentication. This is defined by the config entry [opcuasrv] enableAnonymous in the config file. The setting cannot be changed at runtime (a restart of the server manager is necessary), and it applies to all clients.

If enableAnonymous is active, the server does not check user authentication: it accepts all users as well as the anonymous user mode.

If enableAnonymous is inactive (default setting), the server checks whether the client presents a valid WinCC OA user. The permissions of the WinCC OA user are not verified: the user merely has to be active and the password must be correct for the server to accept the connection. In this case the anonymous user mode is not accepted.

By default the OPC UA server manager runs with root user privileges.

This means that no additional permissions are checked when the client executes operations on DP values (e.g. writing).

To increase security related to the OPC UA interface the following options are available:

  1. Generally reduce the permissions of the whole server manager by starting it with a dedicated user that is not the root user.
  2. Activate the config entry useClientUser, see Client User Activation below.
  3. Configure a group authentication, see Group Authentication below.

Client User Activation

The config entry [opcuasrv] useClientUser allows you to define which user is used for value changes or alarm acknowledgements.

If you set useClientUser = 1, you can see which actions are performed by which client (authenticated user connected to the server). By default (= 0), the user that started the server manager is used for these actions.

This also means that the permissions of the user connecting via the OPC UA server are taken into account.

For example, if a UA client connects as the user guest, it has the same write and alarm acknowledgement permissions as the guest user connecting via a UI manager.
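As an added example (not part of the WinCC OA documentation or product), the following Python script parses the [opcuasrv] section of a config file and reports the weak combination of the two settings discussed under User authentication and Client User Activation: enableAnonymous = 1 and useClientUser left at its default of 0. The two config fragments are constructed for the example, and the parser assumes the plain key = value layout of WinCC OA config files.

```python
# Added example (not WinCC OA's own code): audit the [opcuasrv] section of a
# WinCC OA config file for the two authentication settings described above.
# Both config fragments below are constructed for this example.
import configparser
from typing import List

# Constructed fragment with the weak combination: anonymous access enabled,
# client user attribution left at its default (0).
WEAK_CONFIG = """\
[opcuasrv]
enableAnonymous = 1
"""

# Constructed fragment with the hardened combination.
HARDENED_CONFIG = """\
[opcuasrv]
enableAnonymous = 0
useClientUser = 1
"""


def _value(section: configparser.SectionProxy, key: str, default: str) -> str:
    """Return a config value with surrounding whitespace and quotes removed."""
    return section.get(key, default).strip().strip('"')


def audit_opcua_auth(config_text: str) -> List[str]:
    """Return a list of findings for the [opcuasrv] authentication settings.

    An empty list means both settings match the hardened combination:
    enableAnonymous = 0 (the default) and useClientUser = 1.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep keys as written instead of lowercasing them
    cp.read_string(config_text)

    findings: List[str] = []
    if not cp.has_section("opcuasrv"):
        # No section at all: the server runs with both defaults, so only the
        # missing client user attribution is worth reporting.
        findings.append(
            "useClientUser not set (default 0): value changes and alarm "
            "acknowledgements are attributed to the user that started the server manager"
        )
        return findings

    sec = cp["opcuasrv"]
    if _value(sec, "enableAnonymous", "0") == "1":
        findings.append(
            "enableAnonymous = 1: the server accepts the anonymous user mode and "
            "performs neither user nor group authentication"
        )
    if _value(sec, "useClientUser", "0") != "1":
        findings.append(
            "useClientUser not set to 1: value changes and alarm acknowledgements are "
            "attributed to the user that started the server manager, so the "
            "connecting client's WinCC OA permissions are not applied"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_opcua_auth(text) or ['no findings']}")
```

Run it against a project's config file by reading the file into a string and passing it to audit_opcua_auth; an empty result means the server requires a valid WinCC OA user and applies that user's permissions to writes and acknowledgements.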

Group authentication

In addition to the user authentication, group authentication can be enabled via the internal data point element Config.GroupAuthentication of the OPC server data point _OPCUAPvssServer.

This DPE contains a list of group IDs. If the list is empty, group authentication is disabled (default).

If you define one or more group IDs, the server checks whether the authenticating user is a member of at least one of the defined groups.

The group IDs can be changed at runtime. If a group ID is deleted, an already logged-on user who is a member of the deleted group is not automatically disconnected; the updated group authentication applies to this user at the next login attempt.

If enableAnonymous is active, the server checks neither the user authentication nor the group authentication.

Anonymous access must therefore only be enabled with care.