Introduction

Access control lets you define which data is accessible to a user. Rights can be defined for single nodes (variables, displays, etc.) or for entire subtrees. This also makes it possible to control access to atvise functions, engineering and visualization.

Caution

  • Old projects (atvise version < 3.6) must be converted properly. Otherwise they cannot be used anymore.

  • The first login depends on the project used:

    • If it is a new project or a converted project, where OPC UA authentication was not required, log in with user root and no password. For security purposes, it is recommended to set a password for root after the first login.

    • If it is a converted project, where OPC UA authentication was required, logging in with root is not possible by default. In this case, an already existing user (created in the old project) must be used to log in. In order to prevent accidentally locking the project, the password for root shall be defined after the first login.

  • If you want to use atvise without access control as before, proceed as follows:

Basics

Access control rights are determined by:

  • Users – User-specific settings and rights like OPC UA or visualization access.

  • Groups – atvise groups are regarded as OPC UA roles.

  • Nodes – Rights for groups and assigned users are stored on nodes.

When a user connects to the OPC UA server, the configured OPC UA roles are assigned to the user and stored in the session. When the user tries to perform an action on a node, the rights of all associated roles are retrieved. The combination of these rights determines the user's access to the respective node.

Overview

General settings

General settings for the project can be configured via Access Control ‣ Settings. In addition, it is possible to define policies for using passwords or e-mail addresses and to enable two-factor authentication.

Users

The user editor lets you define whether the user is

  • a project administrator.

  • allowed to log in via OPC UA or to the visualization.

  • allowed to use the node browser.

  • exempt from specific access control policies.

Groups

The group editor lets you assign users to groups in order to define specific rights. In a new project, only the groups "Anonymous" and "AuthenticatedUser" are provided by default. It is not possible to delete these groups or to assign users to them manually. Anonymous users are automatically assigned to the "Anonymous" group, identified (logged in) users to the "AuthenticatedUser" group. Users of group "AuthenticatedUser" automatically get the rights defined for group "Anonymous" as well.
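The evaluation described under Basics and Groups, as an added example that is not atvise code: a simplified Python model that assumes the rights of all session roles are OR-ed together (as OPC UA role permissions are) and that a subtree entry covers every node below its path. The two default group names come from this page; the node paths, right names and the "Operators" group are constructed for illustration.

```python
# Simplified model of role-based rights evaluation; not atvise code.
# Assumptions: rights of all session roles are OR-ed together, and a
# subtree entry applies to every node below its path.

ANONYMOUS = "Anonymous"
AUTHENTICATED = "AuthenticatedUser"

# (node path, group, rights, applies to subtree) - constructed sample data
RIGHTS = [
    ("Displays", ANONYMOUS, {"read"}, True),
    ("Objects.Pump1", AUTHENTICATED, {"read"}, True),
    ("Objects.Pump1.Setpoint", "Operators", {"write"}, False),
    ("Objects.Pump1.Mode", ANONYMOUS, {"write"}, False),  # risky entry
]


def session_roles(user_groups, logged_in):
    """Roles stored in the session when the user connects."""
    if not logged_in:
        return {ANONYMOUS}
    # Identified users are in AuthenticatedUser and also get Anonymous rights.
    return set(user_groups) | {AUTHENTICATED, ANONYMOUS}


def covers(entry_path, subtree, node):
    """True if a rights entry applies to the node (exact match or subtree)."""
    return node == entry_path or (subtree and node.startswith(entry_path + "."))


def effective_rights(roles, node, table=RIGHTS):
    """Combine the rights of every role in the session for one node."""
    rights = set()
    for path, group, granted, subtree in table:
        if group in roles and covers(path, subtree, node):
            rights |= granted
    return rights


def anonymous_exposure(table=RIGHTS, risky=("write",)):
    """Audit helper: entries that give unauthenticated sessions a risky right."""
    return sorted(path for path, group, granted, _ in table
                  if group == ANONYMOUS and granted & set(risky))
```

Because every logged-in session also carries the "Anonymous" rights, an entry reported by `anonymous_exposure()` widens access for all users, not only for unauthenticated ones.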

Node rights

The access control editor (Access Control ‣ Assign rights…) can be used to define rights for nodes, e.g. to manage access to displays or subtrees in the address space. This editor can be opened by all users, but it only lets a user see or change information for which that user has the corresponding access rights.

You can also use the access control functions to set rights by a script.

Hint

There are predefined default rights for some nodes and functions to ensure that atvise is working properly (see system functions and default rights).

Visualization rights

The Quick Dynamic access control element notifier can be used to define access rights for specific visualization elements.

Use cases

This chapter provides more information on common use cases.

Information and notes

This chapter provides information on atvise default rights and important notes regarding several atvise functions or modules.

First configuration steps

Refer to Tutorials > How-tos > Configure access control for the first time.