Inferensys

Glossary

Role-Based Access Control

An OPC UA authorization mechanism that assigns permissions to Nodes based on user roles, allowing administrators to restrict access to sensitive data and methods.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
AUTHORIZATION MECHANISM

What is Role-Based Access Control?

Role-Based Access Control (RBAC) is an OPC UA authorization mechanism that assigns permissions to Nodes based on user roles, allowing administrators to restrict access to sensitive data and methods.

Role-Based Access Control (RBAC) is an authorization mechanism in OPC UA that governs access to Nodes in the Address Space by assigning permissions to predefined roles rather than individual user identities. A role represents a job function—such as Operator, Maintenance Engineer, or Administrator—and is granted specific rights like Read, Write, or Call on designated Variable Nodes and Methods. This decouples user management from access policy, allowing administrators to configure permissions once per role and then assign users to those roles, dramatically simplifying security administration across complex industrial systems.

RBAC is configured through the OPC UA Session establishment process, where an authenticated user's identity is mapped to one or more roles defined on the Server. The server's authorization engine then evaluates every service request against the role's permissions for the target Node. This mechanism is critical for enforcing the principle of least privilege in manufacturing environments—preventing an operator from modifying safety-critical parameters while allowing a process engineer to execute calibration methods. RBAC integrates with OPC UA's Secure Channel and X.509 Certificate-based authentication to provide a comprehensive, defense-in-depth security posture for industrial data exchange.

Authorization Architecture

Key Features of OPC UA RBAC

OPC UA Role-Based Access Control (RBAC) provides a scalable, policy-driven mechanism to restrict access to Nodes, Methods, and data based on organizational roles rather than individual user identities.

01

Role-Based Permission Assignment

Permissions are assigned to Roles, not individual users. A Role is a Node of type RoleType in the Address Space. Administrators grant access by adding an IdentityMappingRule to a Role, which specifies criteria (e.g., user identity, application URI) for membership. This decouples user management from access control logic, simplifying administration at scale.

02

Granular Node-Level Permissions

RBAC enables fine-grained control over every Node in the Address Space. Permissions are defined using the standard RolePermissionType attribute, which specifies:

  • Read: View the Node's attributes
  • Write: Modify the Node's value
  • Call: Execute Methods
  • Browse: Discover the Node
  • ReceiveEvents: Subscribe to Events Each permission can be independently granted or denied per Role.
03

IdentityMappingRule Evaluation

When a Session is created, the Server evaluates all IdentityMappingRule criteria against the authenticated user's credentials and the Client's ApplicationInstanceCertificate. Rules can match on:

  • User Identity: Specific username or group membership
  • Application URI: The Client application's unique identifier
  • Endpoint URL: The connection endpoint used Matching Roles are aggregated to determine the effective permissions for the Session.
04

Well-Defined Default Roles

OPC UA defines a set of standard Roles to bootstrap authorization:

  • Anonymous: Unauthenticated users (default: minimal access)
  • AuthenticatedUser: Any authenticated identity
  • Observer: Read-only access to process data
  • Operator: Read and write access to operational variables
  • Supervisor: Elevated privileges for configuration
  • ConfigureAdmin: Full administrative access
  • SecurityAdmin: Manage security policies and certificates These can be extended or restricted per deployment.
05

Hierarchical Role Inheritance

Roles can be organized hierarchically using Organizes or HasChild References. A child Role inherits all permissions from its parent Role, plus any additional permissions explicitly granted. For example, a SeniorOperator Role can inherit all permissions from Operator and add the ability to acknowledge critical Alarms. This reduces redundant configuration and enforces consistent policy structures.

06

Auditability and Compliance

All RBAC configuration is stored as Nodes in the Address Space, making it fully discoverable and auditable via standard OPC UA Browse and Read services. The RoleMappingRuleChangedAuditEvent is generated whenever a Role's membership rules are modified. This provides a verifiable audit trail for regulatory compliance, ensuring that access control changes are tracked with timestamps and user attribution.

ROLE-BASED ACCESS CONTROL IN OPC UA

Frequently Asked Questions

Explore the core concepts of OPC UA authorization, focusing on how roles are defined, assigned, and enforced to protect sensitive industrial data and critical control methods.

Role-Based Access Control (RBAC) in OPC UA is an authorization mechanism that assigns permissions to Nodes in the Address Space based on the Roles a user or application possesses, rather than their specific identity. This allows administrators to restrict access to sensitive data, such as reading a ProductionSpeed Variable or calling a EmergencyStop Method, by defining a set of abstract roles like 'Operator' or 'Maintenance Engineer'. Permissions are configured using a RolePermissions attribute on each Node, which specifies which roles are allowed to perform actions like Read, Write, or Call. This model simplifies security management in complex industrial environments by grouping users with similar job functions, ensuring that only authorized personnel can interact with critical automation assets.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.