.. _access-control:

Access Control Plugin API
=========================

The access control callback is used to authenticate sessions and grant access
rights accordingly. The ``sessionId`` and ``sessionContext`` can be both NULL.
This is the case when, for example, a MonitoredItem (the underlying
Subscription) is detached from its Session but continues to run.

.. code-block:: c

    /* Access control plugin. The server consults these callbacks to
     * authenticate sessions (activateSession) and, for every subsequent
     * operation, to decide what an authenticated (or detached, see above)
     * session may do. Every callback receives the plugin itself as `ac`. */
    struct UA_AccessControl {
        /* Intended for plugin-private state, reachable from every callback
         * through ac->context. */
        void *context;

        /* Release the resources held by the plugin. */
        void (*clear)(UA_AccessControl *ac);

        /* Supported login mechanisms. The server endpoints are created from
         * here, so this list is what clients are offered as acceptable
         * identity-token types. */
        size_t userTokenPoliciesSize;
        UA_UserTokenPolicy *userTokenPolicies;

        /* Authenticate a session. The session context is attached to the
         * session and later passed into the node-based access control
         * callbacks. The new session is rejected if a StatusCode other than
         * UA_STATUSCODE_GOOD is returned.
         *
         * endpointDescription: the endpoint the session is activated on.
         * secureChannelRemoteCertificate: certificate of the remote end of the
         *     SecureChannel the activation arrives on.
         * userIdentityToken: the client-supplied identity token. This is the
         *     input that has to be checked before returning
         *     UA_STATUSCODE_GOOD; its concrete content is expected to match one
         *     of the userTokenPolicies.
         * sessionContext: out-parameter, stored with the session and handed to
         *     the callbacks below.
         *
         * Note that this callback can be called several times for a Session.
         * For example when a Session is recovered (activated) on a new
         * SecureChannel.
         * NOTE(review): on such a re-activation *sessionContext presumably
         * already holds the value set by the earlier call; confirm against the
         * server implementation before overwriting it, so the previous context
         * is neither leaked nor left dangling. */
        UA_StatusCode (*activateSession)(UA_Server *server, UA_AccessControl *ac,
                                         const UA_EndpointDescription *endpointDescription,
                                         const UA_ByteString *secureChannelRemoteCertificate,
                                         const UA_NodeId *sessionId,
                                         const UA_ExtensionObject *userIdentityToken,
                                         void **sessionContext);

        /* Deauthenticate a session and cleanup. This is the place to release
         * whatever activateSession stored in sessionContext. */
        void (*closeSession)(UA_Server *server, UA_AccessControl *ac,
                             const UA_NodeId *sessionId, void *sessionContext);

        /* Access control for all nodes: the user-specific rights mask for
         * nodeId. sessionId and sessionContext may both be NULL (see above);
         * the callback has to decide access for that case rather than
         * dereference them. */
        UA_UInt32 (*getUserRightsMask)(UA_Server *server, UA_AccessControl *ac,
                                       const UA_NodeId *sessionId, void *sessionContext,
                                       const UA_NodeId *nodeId, void *nodeContext);

        /* Additional access control for variable nodes: the user-specific
         * access level for the variable nodeId. Same NULL-session caveat as
         * getUserRightsMask. */
        UA_Byte (*getUserAccessLevel)(UA_Server *server, UA_AccessControl *ac,
                                      const UA_NodeId *sessionId, void *sessionContext,
                                      const UA_NodeId *nodeId, void *nodeContext);

        /* Additional access control for method nodes: whether the session may
         * execute methodId at all. Same NULL-session caveat as above. */
        UA_Boolean (*getUserExecutable)(UA_Server *server, UA_AccessControl *ac,
                                        const UA_NodeId *sessionId, void *sessionContext,
                                        const UA_NodeId *methodId, void *methodContext);

        /* Additional access control for calling a method node in the context
         * of a specific object. objectId/objectContext identify the object the
         * method is invoked on, so the decision can depend on both. */
        UA_Boolean (*getUserExecutableOnObject)(UA_Server *server, UA_AccessControl *ac,
                                                const UA_NodeId *sessionId, void *sessionContext,
                                                const UA_NodeId *methodId, void *methodContext,
                                                const UA_NodeId *objectId, void *objectContext);

        /* Allow adding a node. item is the request to be checked; return true
         * to permit it. */
        UA_Boolean (*allowAddNode)(UA_Server *server, UA_AccessControl *ac,
                                   const UA_NodeId *sessionId, void *sessionContext,
                                   const UA_AddNodesItem *item);

        /* Allow adding a reference. item is the request to be checked; return
         * true to permit it. */
        UA_Boolean (*allowAddReference)(UA_Server *server, UA_AccessControl *ac,
                                        const UA_NodeId *sessionId, void *sessionContext,
                                        const UA_AddReferencesItem *item);

        /* Allow deleting a node. item is the request to be checked; return
         * true to permit it. */
        UA_Boolean (*allowDeleteNode)(UA_Server *server, UA_AccessControl *ac,
                                      const UA_NodeId *sessionId, void *sessionContext,
                                      const UA_DeleteNodesItem *item);

        /* Allow deleting a reference. item is the request to be checked;
         * return true to permit it. */
        UA_Boolean (*allowDeleteReference)(UA_Server *server, UA_AccessControl *ac,
                                           const UA_NodeId *sessionId, void *sessionContext,
                                           const UA_DeleteReferencesItem *item);

        /* Allow browsing a node: whether nodeId is reachable for the session
         * when browsing. Same NULL-session caveat as getUserRightsMask. */
        UA_Boolean (*allowBrowseNode)(UA_Server *server, UA_AccessControl *ac,
                                      const UA_NodeId *sessionId, void *sessionContext,
                                      const UA_NodeId *nodeId, void *nodeContext);

    #ifdef UA_ENABLE_SUBSCRIPTIONS
        /* Allow transfer of a subscription to another session. The Server
         * shall validate that the Client of that Session is operating on
         * behalf of the same user. Both the old and the new session (ids and
         * contexts) are passed so that the two identities can be compared;
         * returning true for unrelated sessions would let a different user
         * take over the subscription. */
        UA_Boolean (*allowTransferSubscription)(UA_Server *server, UA_AccessControl *ac,
                                                const UA_NodeId *oldSessionId, void *oldSessionContext,
                                                const UA_NodeId *newSessionId, void *newSessionContext);
    #endif

    #ifdef UA_ENABLE_HISTORIZING
        /* Allow insert, replace, update of historical data for nodeId.
         * performInsertReplace selects which of the three operations is
         * requested; value is the data to be written. */
        UA_Boolean (*allowHistoryUpdateUpdateData)(UA_Server *server, UA_AccessControl *ac,
                                                   const UA_NodeId *sessionId, void *sessionContext,
                                                   const UA_NodeId *nodeId,
                                                   UA_PerformUpdateType performInsertReplace,
                                                   const UA_DataValue *value);

        /* Allow delete of historical data for nodeId in the range
         * startTimestamp..endTimestamp. isDeleteModified presumably selects
         * deletion of modified (rather than raw) history; confirm against the
         * historizing backend.
         * NOTE(review): this parameter is a plain `bool` whereas the rest of
         * the interface uses UA_Boolean. */
        UA_Boolean (*allowHistoryUpdateDeleteRawModified)(UA_Server *server, UA_AccessControl *ac,
                                                          const UA_NodeId *sessionId, void *sessionContext,
                                                          const UA_NodeId *nodeId,
                                                          UA_DateTime startTimestamp,
                                                          UA_DateTime endTimestamp,
                                                          bool isDeleteModified);
    #endif
    };