View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0010547 | NodeSets, XSDs and Generated Code | Implementation Bug | public | 2025-09-30 13:51 | 2025-11-12 15:01 |
| Reporter | Frank Fischer | Assigned To | Randy Armstrong | ||
| Priority | high | Severity | major | Reproducibility | have not tried |
| Status | assigned | Resolution | open | ||
| Product Version | 1.05.04 | ||||
| Summary | 0010547: Set ReceiveEvents permissions at EventTypes | ||||
| Description | Clients receive events when the ReceiveEvents permission is set on both the EventType and the SourceNode (https://reference.opcfoundation.org/Core/Part3/v105/docs/8.55). Currently, for the ServerObject (i=2253), the ReceiveEvents permission is set for the ConfigureAdmin and SecurityAdmin Roles, while EventTypes have no specific permissions set and use the application-defined default permissions. This is problematic, as the ServerObject is used as SourceNode for a lot of Events. Some are of interest to many clients, like SystemStatusChangeEventType (https://reference.opcfoundation.org/Core/Part5/v105/docs/6.4.30) or sub-types of BaseModelChangeEventType (https://reference.opcfoundation.org/Core/Part5/v105/docs/6.4.31); other Events may contain sensitive information and need to be restricted to certain Roles, especially AuditEvents. So, for fine-grained control of Events that use the ServerObject as SourceNode, the ServerObject should have the ReceiveEvents permission set for Anonymous and/or AuthenticatedUsers, and the specific EventTypes should have permissions set to further restrict access depending on the EventType. For AuditEvents it may be favorable to introduce a Role of their own, like "Auditors", and also set the AccessRestrictions to EncryptionRequired so the Events are only transported encrypted. | ||||
| Tags | No tags attached. | ||||
| Commit Version | 1.05.06 | ||||
| Fix Due Date | 2025-10-16 | ||||
| related to | 0010559 | assigned | Jeff Harding | 10000-005: Information Model | No statement that AuditEvents shall use an encrypted channel |
This does not only affect audit events. With the current NodeSet2.xml an anonymous user cannot receive ANY events on the server node. This includes ModelChangeEvents and SemanticChangeEvents!
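
The two-sided ReceiveEvents check described in this issue, as an added example that is not part of the report or of any OPC UA stack. The `Node` class, the `DEFAULTS` table standing in for the application-defined default permissions, and the role sets assigned to each session are assumptions made for illustration; it compares the current Server object permissions with the layout the report proposes.

```python
# Added illustration: simplified model of the rule quoted in the report, not an OPC UA stack.
from dataclasses import dataclass
from typing import Optional

RE = "ReceiveEvents"

@dataclass
class Node:
    name: str
    role_permissions: Optional[dict] = None  # None: node sets nothing, defaults apply
    encryption_required: bool = False        # AccessRestrictions: EncryptionRequired

def permitted(node, roles, defaults):
    """True if any session role holds ReceiveEvents on this node."""
    perms = defaults if node.role_permissions is None else node.role_permissions
    return any(RE in perms.get(role, set()) for role in roles)

def can_receive(source, event_type, roles, defaults, encrypted):
    """Both the SourceNode and the EventType must grant ReceiveEvents."""
    if (source.encryption_required or event_type.encryption_required) and not encrypted:
        return False
    return permitted(source, roles, defaults) and permitted(event_type, roles, defaults)

# Assumed application-defined defaults (the report does not state them).
DEFAULTS = {"Anonymous": {RE}, "AuthenticatedUser": {RE}}

# Current NodeSet as described in the report.
SERVER_NOW = Node("Server (i=2253)", {"ConfigureAdmin": {RE}, "SecurityAdmin": {RE}})
STATUS_TYPE = Node("SystemStatusChangeEventType")  # no specific permissions
AUDIT_NOW = Node("AuditEventType")                 # no specific permissions

# Proposed layout from the report.
SERVER_NEW = Node("Server (i=2253)", {"Anonymous": {RE}, "AuthenticatedUser": {RE}})
AUDIT_NEW = Node("AuditEventType", {"Auditors": {RE}}, encryption_required=True)

def evaluate():
    anon = {"Anonymous"}
    admin = {"AuthenticatedUser", "SecurityAdmin"}
    auditor = {"AuthenticatedUser", "Auditors"}
    return {
        "now/anon/status": can_receive(SERVER_NOW, STATUS_TYPE, anon, DEFAULTS, False),
        "now/admin/audit-plaintext": can_receive(SERVER_NOW, AUDIT_NOW, admin, DEFAULTS, False),
        "new/anon/status": can_receive(SERVER_NEW, STATUS_TYPE, anon, DEFAULTS, False),
        "new/anon/audit": can_receive(SERVER_NEW, AUDIT_NEW, anon, DEFAULTS, True),
        "new/auditor/audit-plaintext": can_receive(SERVER_NEW, AUDIT_NEW, auditor, DEFAULTS, False),
        "new/auditor/audit-encrypted": can_receive(SERVER_NEW, AUDIT_NEW, auditor, DEFAULTS, True),
    }

if __name__ == "__main__":
    for case, allowed in evaluate().items():
        print(f"{case}: {allowed}")
```
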
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-09-30 13:51 | Frank Fischer | New Issue | |
| 2025-10-14 16:31 | Jim Luth | Assigned To | => Randy Armstrong |
| 2025-10-14 16:31 | Jim Luth | Status | new => assigned |
| 2025-10-14 16:31 | Jim Luth | Commit Version | => 1.05.06 |
| 2025-10-14 16:31 | Jim Luth | Fix Due Date | => 2025-10-16 |
| 2025-10-14 16:36 | Matthias Damm | Relationship added | related to 0010559 |
| 2025-11-12 15:01 | Thomas Merk | Note Added: 0023526 | |