16.2. User Authentication

Authentication of users is applied on a per-connection basis. This means that whenever a client program connects to the OPC DataHub, it must transmit a user name and password in order to authenticate. Until the client program authenticates, it operates with the permissions of the anonymous user. After 5 seconds, the permissions currently in force for the client are checked for the Connect permission. If the client does not have Connect permission, the connection is terminated. The client may authenticate as another user at any time after it has connected. If a client transmits an incorrect user name or password, it is not immediately disconnected, but instead keeps the permissions in force prior to the authentication attempt.

The Anonymous User

The anonymous user represents a client that has not authenticated. When a client first connects, it is given the permissions of the anonymous user. The client may continue to operate with the anonymous user permissions (so long as the anonymous user has the Connect permission), or may authenticate as another user at any time. In essence, the security of the OPC DataHub is no greater than the permissions given to the anonymous user. The default distribution of the DataHub has all anonymous user permissions enabled.

Protocol Users

In addition to the anonymous user, there are special users associated with each connection protocol. These are essentially anonymous users that are associated with just one particular protocol. The protocols are:

DDE: Any connection made from a DDE client to the OPC DataHub.
OPC: Any connection made from an OPC client to the OPC DataHub.
TCP: Any connection made from a third-party program using a direct TCP connection, the DataHub API, or a Java applet embedded in a web browser.
Mirror: A mirror or tunnel connection from another OPC DataHub.

When a client connects using one of the above protocols, it is originally given the anonymous user permissions, and then promoted to the protocol user associated with the connection type, once the connection is fully constructed. This allows the OPC DataHub to apply different permissions to anonymous connections of different types. Since the OPC protocol does not provide a mechanism for authentication, this is the only mechanism available to limit the permissions of an OPC client.

The protocol user permissions are originally tied to the anonymous user's permissions. Any change to the anonymous user's permissions will also affect all of the protocol users. If any change is made to the permissions of a protocol user, that protocol user is detached from the anonymous user, and subsequent changes to the anonymous user no longer affect it. A protocol user can be reattached to the anonymous user with a button on the configuration interface. Protocol users do not have a password.

Normal Users

To add a normal user, press the Add button in the Users section of the Security options. You will be prompted to enter a user name and password.

A user name is any combination of letters, numbers and some punctuation characters. A password can be any sequence of characters. A user can be added to a group by choosing the group name from the Group drop-down list.

Each user has an associated set of permissions. When a client transmits a correct user name and password, it acquires the permissions of that user.

User Groups

User groups are a mechanism to simplify the configuration of many users who have identical permissions. To create a group, press the Add button in the Groups section of the Security options. A user can be added to a group at any time. When added to a group, the user's permissions will be altered to match those of the group. If the permissions for the group are subsequently changed, the change will immediately affect all users in the group. A user may only belong to one group at a time.
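The rules above (per-connection permissions, the anonymous user, protocol users that follow the anonymous user until detached, the Connect check after connecting, failed authentication keeping the prior permissions, and group membership replacing a user's own permissions) can be exercised in a small model. This is an added, hypothetical Python model for illustration, not the OPC DataHub's own code or API; the 5-second timer is represented by an explicit `check_connect()` call.

```python
CONNECT = "Connect"

class SecurityConfig:
    """Anonymous user, protocol users, normal users and groups (hypothetical model)."""
    def __init__(self, anonymous_perms):
        self.anonymous = set(anonymous_perms)  # the anonymous user's permissions
        self.detached = {}                     # protocol -> its own permission set
        self.users = {}                        # name -> {"password", "perms", "group"}
        self.groups = {}                       # group name -> permission set

    def protocol_perms(self, protocol):
        # An attached protocol user follows the anonymous user; a detached one keeps its own copy.
        return self.detached.get(protocol, self.anonymous)

    def set_protocol_perms(self, protocol, perms):
        # Any change to a protocol user detaches it from the anonymous user.
        self.detached[protocol] = set(perms)

    def reattach(self, protocol):
        self.detached.pop(protocol, None)       # back to following the anonymous user

    def add_user(self, name, password, perms=(), group=None):
        self.users[name] = {"password": password, "perms": set(perms), "group": group}

    def user_perms(self, name):
        u = self.users[name]
        # A user in a group takes the group's permissions, so group edits apply immediately.
        return self.groups[u["group"]] if u["group"] else u["perms"]


class Connection:
    """One client connection; permissions are resolved per connection."""
    def __init__(self, config, protocol):
        self.config, self.protocol = config, protocol
        self.user = None      # None: still operating as the protocol (anonymous) user
        self.alive = True

    def permissions(self):
        if self.user is None:
            return self.config.protocol_perms(self.protocol)
        return self.config.user_perms(self.user)

    def check_connect(self):
        # Stands in for the check made 5 seconds after connecting.
        if CONNECT not in self.permissions():
            self.alive = False
        return self.alive

    def authenticate(self, name, password):
        u = self.config.users.get(name)
        if u is None or u["password"] != password:
            return False      # wrong credentials: keep the permissions already in force
        self.user = name      # correct credentials: acquire that user's permissions
        return True
```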