Authentication
User authentication
The WinCC OA OPC UA server is able to operate with or without user authentication. This setting is defined with the config entry [opcuasrv] enableAnonymous in the config file. It is not possible to change this setting at runtime (a restart of the server manager is necessary). Furthermore, this setting applies to all clients.
If enableAnonymous is active, the server does not check the user authentication. That means that it approves all users as well as the anonymous user mode.
If enableAnonymous is inactive (default setting), the server checks whether there is a valid WinCC OA user. The permissions of the WinCC OA user are not verified. That means that the user merely has to be active and the password must be correct for the connection to be accepted by the server. In this case the anonymous user mode is not accepted.
By default the OPC UA server manager runs with root user privileges. This means that no additional permissions are checked if the client executes operations related to DP values (e.g. writing).
To increase security related to the OPC UA interface the following options are available:
- Generally reduce the permissions of the whole server manager by starting it with a dedicated user that is not the root user.
- Activate the config entry useClientUser, see Client User Activation below.
- Configure a group authentication, see Group Authentication below.
Client User Activation
The config entry [opcuasrv] useClientUser allows you to define which user is used for value changes or alarm acknowledgements.
If you set useClientUser = 1, you can see which actions are performed by which client (authenticated users connected to the server). By default (=0), the user that started the server manager is used for that action.
This also means that the permissions of the user connecting via the OPC UA server are taken into account. For example, if a UA client connects with the user guest, it has the same write and alarm acknowledgement permissions as the guest user connecting via a UI manager.
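The two config entries described above (enableAnonymous and useClientUser) are the settings a reviewer would check first in a project's config file. The following audit script is an added example, not part of the WinCC OA product or documentation; it parses a constructed config fragment with Python's standard INI parser (the [opcuasrv] section and key names are those from this page, the sample values and project path are made up) and reports the weak settings.

```python
import configparser

# Constructed sample config fragments (not taken from a real project).
WEAK_CONFIG = """\
[general]
proj_path = "/opt/WinCC_OA/example_project"

[opcuasrv]
enableAnonymous = 1
useClientUser = 0
"""

HARDENED_CONFIG = """\
[general]
proj_path = "/opt/WinCC_OA/example_project"

[opcuasrv]
enableAnonymous = 0
useClientUser = 1
"""


def parse_wincc_config(text):
    """Parse an INI-style WinCC OA config; duplicate keys are tolerated."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def audit_opcua_auth(text, section="opcuasrv"):
    """Return a list of findings for the OPC UA server authentication settings.

    Missing entries are treated as the defaults named on this page
    (enableAnonymous = 0, useClientUser = 0).
    """
    cfg = parse_wincc_config(text)
    findings = []
    if cfg.getint(section, "enableAnonymous", fallback=0):
        findings.append(
            "enableAnonymous = 1: server accepts all users and anonymous "
            "sessions; user and group authentication are skipped "
            "(change requires a restart of the server manager)")
    if not cfg.getint(section, "useClientUser", fallback=0):
        findings.append(
            "useClientUser = 0: writes and alarm acknowledgements run as the "
            "user that started the server manager, not the connecting client")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_opcua_auth(text) or ["no findings"])
```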
Group authentication
In addition to the user authentication, group authentication can be enabled via the internal data point element Config.GroupAuthentication of the OPC server data point _OPCUAPvssServer.
This DPE contains a list of Group IDs. If this list is empty, the group authentication is disabled (default).
If you define a group ID, the server checks whether the specified user is a member of at least one of the defined groups.
The group IDs can be changed at runtime. If a group ID is deleted, an already logged on user who is a member of the deleted group is not automatically disconnected. At the next login attempt the updated group authentication also applies to this user.
If enableAnonymous is active, the server checks neither the user authentication nor the group authentication. The anonymous access must only be enabled with care.