Role-Based Access Control (RBAC) is an authorization mechanism in OPC UA that governs access to Nodes in the Address Space by assigning permissions to predefined roles rather than individual user identities. A role represents a job function—such as Operator, Maintenance Engineer, or Administrator—and is granted specific rights like Read, Write, or Call on designated Variable Nodes and Methods. This decouples user management from access policy, allowing administrators to configure permissions once per role and then assign users to those roles, dramatically simplifying security administration across complex industrial systems.
Glossary
Role-Based Access Control

What is Role-Based Access Control?
Role-Based Access Control (RBAC) is an OPC UA authorization mechanism that assigns permissions to Nodes based on user roles, allowing administrators to restrict access to sensitive data and methods.
RBAC is configured through the OPC UA Session establishment process, where an authenticated user's identity is mapped to one or more roles defined on the Server. The server's authorization engine then evaluates every service request against the role's permissions for the target Node. This mechanism is critical for enforcing the principle of least privilege in manufacturing environments—preventing an operator from modifying safety-critical parameters while allowing a process engineer to execute calibration methods. RBAC integrates with OPC UA's Secure Channel and X.509 Certificate-based authentication to provide a comprehensive, defense-in-depth security posture for industrial data exchange.
Key Features of OPC UA RBAC
OPC UA Role-Based Access Control (RBAC) provides a scalable, policy-driven mechanism to restrict access to Nodes, Methods, and data based on organizational roles rather than individual user identities.
Role-Based Permission Assignment
Permissions are assigned to Roles, not individual users. A Role is a Node of type RoleType in the Address Space. Administrators grant access by adding an IdentityMappingRule to a Role, which specifies criteria (e.g., user identity, application URI) for membership. This decouples user management from access control logic, simplifying administration at scale.
Granular Node-Level Permissions
RBAC enables fine-grained control over every Node in the Address Space. Permissions are defined using the standard RolePermissionType attribute, which specifies:
- Read: View the Node's attributes
- Write: Modify the Node's value
- Call: Execute Methods
- Browse: Discover the Node
- ReceiveEvents: Subscribe to Events Each permission can be independently granted or denied per Role.
IdentityMappingRule Evaluation
When a Session is created, the Server evaluates all IdentityMappingRule criteria against the authenticated user's credentials and the Client's ApplicationInstanceCertificate. Rules can match on:
- User Identity: Specific username or group membership
- Application URI: The Client application's unique identifier
- Endpoint URL: The connection endpoint used Matching Roles are aggregated to determine the effective permissions for the Session.
Well-Defined Default Roles
OPC UA defines a set of standard Roles to bootstrap authorization:
- Anonymous: Unauthenticated users (default: minimal access)
- AuthenticatedUser: Any authenticated identity
- Observer: Read-only access to process data
- Operator: Read and write access to operational variables
- Supervisor: Elevated privileges for configuration
- ConfigureAdmin: Full administrative access
- SecurityAdmin: Manage security policies and certificates These can be extended or restricted per deployment.
Hierarchical Role Inheritance
Roles can be organized hierarchically using Organizes or HasChild References. A child Role inherits all permissions from its parent Role, plus any additional permissions explicitly granted. For example, a SeniorOperator Role can inherit all permissions from Operator and add the ability to acknowledge critical Alarms. This reduces redundant configuration and enforces consistent policy structures.
Auditability and Compliance
All RBAC configuration is stored as Nodes in the Address Space, making it fully discoverable and auditable via standard OPC UA Browse and Read services. The RoleMappingRuleChangedAuditEvent is generated whenever a Role's membership rules are modified. This provides a verifiable audit trail for regulatory compliance, ensuring that access control changes are tracked with timestamps and user attribution.
Frequently Asked Questions
Explore the core concepts of OPC UA authorization, focusing on how roles are defined, assigned, and enforced to protect sensitive industrial data and critical control methods.
Role-Based Access Control (RBAC) in OPC UA is an authorization mechanism that assigns permissions to Nodes in the Address Space based on the Roles a user or application possesses, rather than their specific identity. This allows administrators to restrict access to sensitive data, such as reading a ProductionSpeed Variable or calling a EmergencyStop Method, by defining a set of abstract roles like 'Operator' or 'Maintenance Engineer'. Permissions are configured using a RolePermissions attribute on each Node, which specifies which roles are allowed to perform actions like Read, Write, or Call. This model simplifies security management in complex industrial environments by grouping users with similar job functions, ensuring that only authorized personnel can interact with critical automation assets.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core OPC UA mechanisms and concepts that interact with Role-Based Access Control to form a comprehensive authorization framework.
Node
The fundamental atomic unit within an OPC UA Address Space to which RBAC permissions are assigned. Each Node possesses a unique NodeId and a set of Attributes that describe its value and behavior. Access rights are granted or denied at the Node level, allowing administrators to restrict visibility of specific sensors, actuators, or methods. A Node's RolePermissions attribute stores the list of roles authorized to interact with it.
Session
A long-lived logical connection between an OPC UA Client and Server that carries the authenticated user's identity. Upon session creation, the Server associates the user with their assigned Roles. All service requests within that Session—reads, writes, method calls—are evaluated against the RolePermissions of the target Node. The session's identity context is immutable for its lifetime.
Well-Known Roles
A set of predefined, standardized roles defined by the OPC UA specification to ensure baseline interoperability:
- Anonymous: Unauthenticated users with minimal access
- AuthenticatedUser: Any user who has successfully logged in
- Observer: Read-only access to non-sensitive data
- Operator: Ability to execute methods and acknowledge alarms
- Engineer: Configuration and tuning privileges
- Supervisor: User management and role assignment
- ConfigureAdmin: Full system configuration rights
- SecurityAdmin: Exclusive control over certificates and security policies
Access Restrictions
A complementary OPC UA security mechanism that works alongside RBAC to enforce session-level constraints. While RolePermissions control access based on user identity, Access Restrictions apply additional rules such as:
- Session timeout limits
- Transport layer requirements (e.g., only secure channels)
- IP address allowlists
- Certificate policy enforcement Together, they create a defense-in-depth authorization model.
Identity Mapping
The process by which an OPC UA Server resolves an authenticated user's credentials—X.509 certificate, WS-Security token, or username/password—into a set of assigned roles. This mapping is typically configured through the Server's UserManagement model. Effective RBAC depends on accurate identity mapping; a misconfigured mapping can inadvertently grant elevated privileges to unauthorized users.
Auditing
The OPC UA AuditEvent system generates tamper-proof logs of all access attempts, both permitted and denied. Each event records:
- The SessionId and user identity
- The target NodeId
- The requested action (read, write, execute)
- The RolePermissions evaluated
- The final access decision This audit trail is essential for compliance with IEC 62443 and other industrial security standards.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us