Client access rules and galaxy security
- Last updated Nov 06, 2024
Client Access Rules configured for the OPC UA Service interact with the Galaxy security authentication mode to allow or deny different levels of access for authorized users.
There are two configurable Client Access Rules in the OPC UA Service dialog. By default, both rules are enabled:
- Allow anonymous client connection (no username/password)
- Allow authenticated Galaxy Users to write to attributes, depending on their security role
The following table defines the level of data access users are allowed under different combinations of Client Access Rule configurations, Galaxy security authentication mode, and the type of OPC UA credentials (anonymous or authenticated user with username/password).
If security for the Galaxy is enabled (Galaxy security = Secured, column 1), encrypted communication between the OPC UA clients and OPC UA service must also be enabled. See Configure and deploy the OPC UA service.
| Galaxy security: Authentication mode | OPC UA: Client credentials | Client access rule: Allow anonymous connection | Client access rule: Allow authenticated Galaxy users | Data access: Connect | Data access: Read | Data access: Write (see below) |
|---|---|---|---|---|---|---|
| Secured | Authenticated | Enabled | Enabled | YES | YES | YES |
| Secured | Authenticated | Enabled | Disabled | YES | YES | NO |
| Secured | Authenticated | Disabled | Enabled | YES | YES | YES |
| Secured | Authenticated | Disabled | Disabled | YES | YES | NO |
| Secured | Anonymous | Enabled | Enabled | YES | YES | NO |
| Secured | Anonymous | Enabled | Disabled | YES | YES | NO |
| Secured | Anonymous | Disabled | Enabled | NO | N/A | N/A |
| Secured | Anonymous | Disabled | Disabled | NO | N/A | N/A |
| None | Authenticated | Enabled | Enabled | NO | N/A | N/A |
| None | Authenticated | Enabled | Disabled | NO | N/A | N/A |
| None | Authenticated | Disabled | Enabled | NO | N/A | N/A |
| None | Authenticated | Disabled | Disabled | NO | N/A | N/A |
| None | Anonymous | Enabled | Enabled | YES | YES | NO |
| None | Anonymous | Enabled | Disabled | YES | YES | NO |
| None | Anonymous | Disabled | Enabled | NO | N/A | N/A |
| None | Anonymous | Disabled | Disabled | NO | N/A | N/A |
Important: Whenever Client Access Rules and Galaxy Security allow a user to write data, this permission is always conditioned by whether or not the user's configured security role also allows them to write data to a specific attribute. This means that when Galaxy security is enabled, the user's security role must explicitly allow them to write to attributes, regardless of the OPC UA client access rule setting. If their security role does not allow them to write to attributes, they cannot, even if the level of data access in the above table shows that they can.
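The table above is a decision table, and the rules behind it are compact: an anonymous client connects only if the anonymous rule is enabled; an authenticated client connects only when Galaxy security is Secured (there is no Galaxy to validate the username/password against otherwise); read follows connect; write requires Secured mode, authenticated credentials, the authenticated-users rule enabled, and, per the note above, a security role that permits writing to the attribute. The following is an added example that encodes those rules so a reviewer can check a planned configuration or audit all sixteen combinations; it is not AVEVA's code, and the function and parameter names (`effective_access`, `role_allows_write`, `encrypted`) are assumptions made here. The `encrypted` check reflects the statement that Secured mode requires encrypted OPC UA communication.

```python
from dataclasses import dataclass
from itertools import product
from typing import Literal

GalaxySecurity = Literal["Secured", "None"]
Credentials = Literal["Authenticated", "Anonymous"]


@dataclass(frozen=True)
class Access:
    """Effective data access for one OPC UA session."""
    connect: bool
    read: bool
    write: bool

    def as_row(self) -> tuple[str, str, str]:
        """Render like the documentation table: N/A for read/write when connect is denied."""
        if not self.connect:
            return ("NO", "N/A", "N/A")
        yn = lambda b: "YES" if b else "NO"
        return ("YES", yn(self.read), yn(self.write))


def effective_access(
    galaxy_security: GalaxySecurity,
    credentials: Credentials,
    allow_anonymous: bool,
    allow_authenticated: bool,
    role_allows_write: bool = True,  # assumed parameter: the user's Galaxy security role permits writes to the attribute
    encrypted: bool = True,          # assumed parameter: OPC UA transport encryption is enabled
) -> Access:
    """Combine Galaxy security mode, OPC UA credentials and the two Client Access Rules."""
    if galaxy_security == "Secured" and not encrypted:
        # The page states encrypted communication is mandatory in Secured mode.
        raise ValueError("Galaxy security = Secured requires encrypted OPC UA communication")

    if credentials == "Anonymous":
        # Anonymous sessions are gated solely by the anonymous rule and can never write.
        connect = allow_anonymous
        write = False
    else:
        # Username/password can only be validated when the Galaxy itself is secured.
        connect = galaxy_security == "Secured"
        # Write additionally needs the authenticated-users rule and a permitting security role.
        write = connect and allow_authenticated and role_allows_write

    # Read access is granted to every session that is allowed to connect.
    return Access(connect=connect, read=connect, write=write)


def audit_table() -> list[tuple[str, str, str, str, str, str, str]]:
    """Enumerate every combination the documentation table covers (role assumed permissive)."""
    rows = []
    for sec, cred, anon, auth in product(
        ("Secured", "None"), ("Authenticated", "Anonymous"), (True, False), (True, False)
    ):
        access = effective_access(sec, cred, anon, auth)
        rows.append((sec, cred, "Enabled" if anon else "Disabled",
                     "Enabled" if auth else "Disabled", *access.as_row()))
    return rows


if __name__ == "__main__":
    for row in audit_table():
        print(" | ".join(row))
```

Passing `role_allows_write=False` reproduces the caveat in the note: the table may show YES for write, but the effective result is still NO because the security role is checked per attribute after the access rules have been satisfied.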