16.3. Authorization and User Permissions

Every client program connected to the OPC DataHub is associated with exactly one user at any given time. Each user is authorized to access certain features of the DataHub according to its user permissions. When a client first connects, it is immediately associated with the anonymous user, and gets those permissions. Then it gets switched to the protocol user and gets the permissions for that protocol. If the client subsequently authenticates itself as a normal user, it is then granted that user's permissions. A client's permissions are always the entire permission set for the user that it is currently associated with.

To edit user permissions, select the user name in the Users list and press the Add button. This will open the Permission Editor.

Permissions are defined as follows:

Connect

This user is allowed to maintain a connection to the OPC DataHub. When a connection is made, the client has a 5-second grace period in which to authenticate before the client is disconnected. If the client does not have Connect permissions after the grace period expires, it will be disconnected.

Read and register points

This user is allowed to read point values and subscribe to point value changes.

Change point values

This user is allowed to write a new point value to the OPC DataHub.

Force value changes

If the user has Change point values permission, he may also have this permission. In this case, the user will be able to send the force and cforce commands to the DataHub, which will override the read-only status and timestamp check for a point, thereby forcing a write to succeed where it would otherwise fail.

Create new points

This user is allowed to create new points in existing data domains in the OPC DataHub.

Delete an existing point

This user is allowed to delete a point from the OPC DataHub.

[Important]

Normally, no client should be allowed to delete points from the OPC DataHub. Deleting points can be very disruptive for existing clients. Use this permission with caution.

Create a new data domain

This user is allowed to create new data domains. Normally you should also set Create new points permission when you set this permission for a user.

Load a configuration file

This user is allowed to tell the OPC DataHub to load a specific configuration file.

Create and edit users and groups

This user is allowed to create and edit users and groups non-interactively.

Change the program configuration

This user is allowed to transmit commands to the OPC DataHub to alter the DataHub's configuration. This normally includes actions like enabling and disabling particular interfaces and functions within the DataHub.

Change auto domain creation

This user may change the flag indicating whether the OPC DataHub should automatically create a data domain when a user requests a point in a non-existent data domain.

Shut down the program

This user may transmit an exit command to the OPC DataHub, causing it to shut down.

In addition to assigning permissions to the user, it is also possible to limit the number or timing of the user's connections. There are three additional options to limit the user's login:

Allow a maximum of N concurrent logins

If this option is selected the user will be limited to N concurrent connections, regardless of the connection type. For example, if N is 2, the user would be allowed to make 2 TCP connections, or one TCP and one DDE connection. This option also applies to anonymous users.

Allow a maximum of N logins

This user is allowed to connect to the OPC DataHub at most N times, ever. Once the user has connected to the DataHub this many times, future attempts to log in will be refused. The DataHub remembers the login count for each user even after it has been restarted.

Expire on YYYY/MM/DD

If this option is selected, the user will be allowed to log in to the OPC DataHub up to, but not including, the date selected.

Permissions for the OPC DataHub Command Set

Each time the DataHub receives a command from a client, it checks the client's user permissions. Before executing the command, the DataHub compares the user's permissions to the permissions required to run the command (shown in the table below). If the user has the necessary permissions, the command is executed; otherwise, an error message is returned.

Command Name            Permissions Required

acksuccess              none
add                     Change point values
alive                   none
append                  Change point values
assembly                Change the program configuration
attribute               Change the program configuration
auth                    none
authgroup               Change the program configuration
authuser                Change the program configuration
auto_create_domains     Change auto domain creation
auto_timestamp          Change the program configuration
bandwidth_reduce        none
bridge                  Change the program configuration, Change point values
bridge_remove           Change the program configuration
bridge_transform        Change the program configuration
cforce                  Change point values, Force value changes
cread                   Read and register points, Create new points
create                  Create new points
create_domain           Create a new data domain
report                  Read and register points, Create new points
cset                    Change point values, Create new points
cwrite                  Change point values, Create new points
debug                   Change the program configuration
defaultprop             Change the program configuration
delete                  Delete an existing point
deleted                 Delete an existing point
div                     Change point values
domain                  none
drop_license            Connect
dump                    Change the program configuration
echo                    Change point values
enable_bridging         Change the program configuration
enable_connect_server   Change the program configuration
enable_dde_client       Change the program configuration
enable_dde_server       Change the program configuration
enable_mirror_master    Change the program configuration
enable_mirror_slave     Change the program configuration
enable_opc_client       Change the program configuration
enable_opc_server       Change the program configuration
enable_scripting        Change the program configuration
enable_tcp_server       Change the program configuration
error                   none
exception_buffer        Change the program configuration
execute_plugin          Change the program configuration
exit                    Shut down the program
failed_license          Change the program configuration
flush                   Change the program configuration
force                   Change point values, Force value changes
format                  Connect
heartbeat               none
ignore                  Read and register points
ignore_old_data         Change the program configuration
include                 Load a configuration file
instance                Change the program configuration
load_config_files       Load a configuration file
load_plugin             Change the program configuration
load_scripts            Change the program configuration
lock                    Change point values
log_file                Change the program configuration
log_to_file             Change the program configuration
master_host             Change the program configuration
master_service          Change the program configuration
mirror_master           Change the program configuration
mirror_master_2         Change the program configuration
mult                    Change point values
on_change               Change the program configuration
point                   Change point values
private_attribute       Change the program configuration
property                Change the program configuration
quality                 Change point values
read                    Read and register points
readid                  Read and register points
register_datahub        Read and register points
report                  Read and register points
report_all              Read and register points
report_domain           Read and register points
report_errors           Read and register points
request                 Read and register points
request_initial_data    Read and register points
secure                  Change point values
set                     Change point values
show_data               Change the program configuration
show_debug_messages     Change the program configuration
show_event_log          Change the program configuration
show_icon               Change the program configuration
show_properties         Change the program configuration
show_script_log         Change the program configuration
slave                   Read and register points
subassembly             Change the program configuration
success                 none
sync                    Change point values
taskdied                Change the program configuration
taskstarted             Change the program configuration
tcp_service             Change the program configuration
timeout                 none
transmit_insignificant  Change the program configuration
type                    Change the program configuration
unload_plugin           Change the program configuration
unreport                Read and register points
version                 none
warn_of_license_expiry  Change the program configuration
write                   Change point values

DDE-specific commands

DDEAdvise               Change point values
DDEConnect              Change the program configuration
DDEInit                 Change the program configuration
DDEService              Change the program configuration
DDEUnadvise             Change point values
DDEUnadvisePoint        Change point values
EnableDDEServer         Change the program configuration

OPC-specific commands

OPCAddItem              Change point values
OPCAttach               Change the program configuration
OPCDetach               Change the program configuration
OPCInit                 Change the program configuration
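
The per-command check described above can be turned into a least-privilege audit. The following is an added example, not part of the DataHub product or its documentation: it models the check as a subset test over a handful of rows copied from the table, and the function names, the granted permission set and the needed-command list are constructed for illustration.

```python
# Added example: least-privilege audit for OPC DataHub users.
# REQUIRED copies a subset of rows from the command table above.
RRP = "Read and register points"
CPV = "Change point values"
CNP = "Create new points"
CPC = "Change the program configuration"
FORCE = "Force value changes"

REQUIRED = {
    "auth": set(), "alive": set(),
    "read": {RRP}, "request": {RRP},
    "cread": {RRP, CNP},
    "write": {CPV}, "set": {CPV},
    "force": {CPV, FORCE}, "cforce": {CPV, FORCE},
    "create": {CNP},
    "delete": {"Delete an existing point"},
    "include": {"Load a configuration file"},
    "authuser": {CPC}, "load_plugin": {CPC},
    "exit": {"Shut down the program"},
}

def minimum_permissions(needed_commands):
    """Smallest permission set that lets a client run every needed command."""
    perms = {"Connect"}  # needed to stay connected after the grace period
    for cmd in needed_commands:
        perms |= REQUIRED[cmd]
    return perms

def allowed_commands(granted):
    """Commands that pass the check: every required permission is held."""
    return {cmd for cmd, req in REQUIRED.items() if req <= granted}

def audit(granted, needed_commands):
    """Return (excess permissions, commands unlocked beyond the need)."""
    minimum = minimum_permissions(needed_commands)
    excess = granted - minimum
    extra = allowed_commands(granted) - allowed_commands(minimum)
    return excess, extra

if __name__ == "__main__":
    # Constructed case: a display client that only needs read and write,
    # but whose user was also given Force and configuration rights.
    granted = {"Connect", RRP, CPV, FORCE, CPC}
    excess, extra = audit(granted, ["read", "write"])
    print("Permissions to remove:", sorted(excess))
    print("Commands they unlock: ", sorted(extra))
```
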