I’m using Automation Studio 4.12 and I have a project with MappView visualization that uses RBAC authentication. Users can log in and access pages with advanced settings and similar features.
Now, I need to provide the customer with access to specific PLC data via OPC UA for their MES system. For these data, I plan to create a dedicated role and user/password.
However, when the end customer uses their visualization login credentials, they also gain access to OPC UA data intended only for the visualization (which I don’t want).
How can I separate these two worlds—OPC UA server access and MappView HMI access?
The way the concept works, you can't split the users, because MappView also uses the credentials to log in to the OPC UA server.
What would be the issue from a security aspect? The users have the correct rights to change the variables in the HMI, so that is the same as going directly to the OPC UA variable.
The only thing I can think of is to hide the variables, i.e. remove Browsable or Visible for the specific group.
You shouldn't be able to start the machine from remote, because it could be dangerous for somebody close to the machine.
Maybe some process steps need to be done in a specific sequence or time interval, which is handled by the mappView HMI (e.g. different pages and wizards). Maybe some states are not directly handled on the backend side. So sending some commands over OPC UA can break stuff.
The customer provides a paid tier for remote control as well as for remote data collection. Currently, you can just use the operator's credentials and implement it yourself.
@job.franken thanks for the hint with visibility/browse. This could be at least some “obstacle”.
I think an independent role definition for mappView and the MES system, with the rights for the respective nodes configured accordingly, is not only an obstacle; it is a valid solution. Or maybe I'm missing some important piece of information in this puzzle.
@kovarj When I mentioned "obstacle" I was referring to disabling the Browse/Visible node configuration option. The node isn't truly inaccessible with a specific role; it's just not immediately visible in UaExpert, for example.
If you use the machine operator role (or any other role) and try to connect to the PLC's OPC UA server from the MES system connector, you will successfully connect to the OPC UA server. This means you can access all the data that the user sees in the HMI as well. Therefore, you cannot restrict data access only to a dedicated role for MES system data access. Or at least I don't know how.
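The point made across these replies, that removing Browse/Visible hides a node but does not stop a direct Read once the NodeId is known, as an added illustration in Python that is not code from this thread or from B&R; the server model, role names and node IDs are constructed assumptions, not mappView or OPC UA server configuration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model (an assumption, not mappView/B&R configuration) of the two
# controls discussed in the thread: hiding a node from Browse versus restricting
# the Read service itself by role. Role names and node IDs are made up.


@dataclass
class Node:
    node_id: str
    value: object
    browse_roles: set = field(default_factory=set)  # roles that see it in Browse
    read_roles: Optional[set] = None                # None = any authenticated role


class UaServerModel:
    def __init__(self, nodes):
        self.nodes = {n.node_id: n for n in nodes}

    def browse(self, role):
        """What a client with this role sees when it walks the address space."""
        return sorted(n.node_id for n in self.nodes.values() if role in n.browse_roles)

    def read(self, role, node_id):
        """Direct Read by NodeId: Browse visibility is not consulted at all."""
        node = self.nodes[node_id]
        if node.read_roles is not None and role not in node.read_roles:
            raise PermissionError(f"role {role!r} may not read {node_id}")
        return node.value


def build_server():
    return UaServerModel([
        # Visible to everyone; the HMI writes it, the MES may read it.
        Node("ns=6;s=::Prog:Line.Speed", 120, browse_roles={"Operator", "MES"}),
        # Only hidden from the operator: still readable once the NodeId is known.
        Node("ns=6;s=::Prog:Mes.OrderId", "ORD-42", browse_roles={"MES"}),
        # Hidden AND read-restricted: the operator's credentials are rejected.
        Node("ns=6;s=::Prog:Mes.Recipe", "R-7", browse_roles={"MES"},
             read_roles={"MES"}),
    ])


def operator_can_read(node_id):
    """True if an HMI operator login can read the node, whether or not it browses."""
    try:
        build_server().read("Operator", node_id)
        return True
    except PermissionError:
        return False
```

Only the third node is actually protected against the operator login; the second one is merely an obstacle, as the thread puts it.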