| OPC DataHub™ : Version 6.4 | ||
|---|---|---|
 | Chapter 16. Security |  |
| OPC DataHub™ : Version 6.4 | ||
|---|---|---|
| | Chapter 16. Security | |
Every client program connected to the OPC DataHub is associated with exactly one user at any given time. Each user is authorized to access certain features of the DataHub according to its user permissions. When a client first connects, it is immediately associated with the anonymous user, and gets those permissions. Then it gets switched to the protocol user and gets the permissions for that protocol. If the client subsequently authenticates itself as a normal user, it is then granted that user's permissions. A client's permissions are always the entire permission set for the user that it is currently associated with.
To edit user permissions select the user name in the Users list and press the button. This will open the Permission Editor.
Permissions are defined as follows:
This user is allowed to maintain a connection to the OPC DataHub. When a connection is made, the client has a 5-second grace period in which to authenticate before the client is disconnected. If the client does not have permissions after the grace period expires, it will be disconnected.
This user is allowed to read point values and subscribe to point value changes.
This user is allowed to write a new point value to the OPC DataHub.
This user is allowed to create new points in existing data domains in the OPC DataHub.
This user is allowed to delete a point from the OPC DataHub.
![[Important]](images/important.gif) | Normally, no client should be allowed to delete points from the OPC DataHub. Deleting points can be very disruptive for existing clients. Use this permission with caution. |
This user is allowed to create new data domains. Normally you should also set permission when you set this permission for a user.
This user is allowed to tell the OPC DataHub to load a specific configuration file.
This user is allowed to create and edit users and groups non-interactively.
This user is allowed to transmit commands to the OPC DataHub to alter the DataHub's configuration. This normally includes actions like enabling and disabling particular interfaces and functions within the DataHub.
This user may change the flag indicating whether the OPC DataHub should automatically create a data domain when a user requests a point in a non-existent data domain.
This user may transmit an exit command to the OPC DataHub, causing it to shut down.
In addition to assigning permissions to the user, it is also possible to limit the number or timing of a connection. There are three additional options to limit the user's login:
If this option is selected the user will be limited to N concurrent connections, regardless of the connection type. For example, if N is 2, the user would be allowed to make 2 TCP connections, or one TCP and one DDE connection. This option also applies to anonymous users.
This user is allowed to connect to the OPC DataHub at most N times, ever. Once the user has connected to the DataHub this many times, future attempts to log in will be refused. The DataHub remembers the login count for each user even after it has been restarted.
If this option is selected, the user will be allowed to log in to the OPC DataHub up to, but not including, the date selected.
Each time the DataHub receives a command from a client, it checks the client's user permissions. Before executing the command, the DataHub compares the user's permissions to the permissions required to run the command (shown in the table below). If the user has the necessary permissions, the command is executed, otherwise an error message is returned.
| |  | |
| 16.2. User Authentication |  | 16.4. How To Configure a Common Scenario |
Copyright © 1995-2010 by Cogent Real-Time Systems, Inc. All rights reserved.