OPC unified architecture - Part 18: Role-Based Security (IEC 62541-18:2025)

IEC 62541-18:2025 defines an Information Model. The Information Model describes the basic infrastructure to model role-based security.
NOTE In the previous version, Role-Based Security was in IEC 62541-5:2020, Annex F.

OPC Unified Architecture – Teil 18: Rollenbasierte IT-Sicherheit (IEC 62541-18:2025)

Architecture unifiée OPC - Partie 18: Sécurité fondée sur les rôles (IEC 62541-18:2025)


Enotna arhitektura OPC - 18. del: Varnost na podlagi vlog (IEC 62541-18:2025)

General Information

Status: Published
Public Enquiry End Date: 30-Mar-2024
Publication Date: 13-Nov-2025
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 15-Oct-2025
Due Date: 20-Dec-2025
Completion Date: 14-Nov-2025
Standard: SIST EN IEC 62541-18:2025
English language, 34 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-December-2025
Enotna arhitektura OPC - 18. del: Varnost na podlagi vlog (IEC 62541-18:2025)
OPC unified architecture - Part 18: Role-Based Security (IEC 62541-18:2025)
OPC Unified Architecture – Teil 18: Rollenbasierte IT-Sicherheit (IEC 62541-18:2025)
Architecture unifiée OPC - Partie 18: Sécurité fondée sur les rôles (IEC 62541-18:2025)
This Slovenian standard is identical to: EN IEC 62541-18:2025
ICS:
25.040.40 Industrial process measurement and control
35.240.50 IT applications in industry
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
EN IEC 62541-18
October 2025
ICS 25.040
English Version
OPC unified architecture - Part 18: Role-Based Security (IEC 62541-18:2025)
Architecture unifiée OPC - Partie 18: Sécurité fondée sur les rôles (IEC 62541-18:2025)
OPC Unified Architecture - Teil 18: Rollenbasierte IT-Sicherheit (IEC 62541-18:2025)
This European Standard was approved by CENELEC on 2025-09-19. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2025 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62541-18:2025 E

European foreword
The text of document 65E/1043/CDV, future edition 1 of IEC 62541-18, prepared by SC 65E "Devices
and integration in enterprise systems" of IEC/TC 65 "Industrial-process measurement, control and
automation" was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as
The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2026-10-31
• latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2028-10-31
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62541-18:2025 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following note has to be added for the standard indicated:
IEC 62541-5:2020 NOTE Approved as EN IEC 62541-5:2020 (not modified)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
Publication | Year | Title | EN/HD | Year
IEC 62541-1 [1] | - | OPC unified architecture - Part 1: Overview and concepts | EN IEC 62541-1 [2] | -
IEC 62541-3 | - | OPC Unified Architecture - Part 3: Address Space Model | EN IEC 62541-3 | -
IEC 62541-4 | - | OPC Unified Architecture - Part 4: Services | EN IEC 62541-4 | -
IEC 62541-5 | - | OPC Unified Architecture - Part 5: Information Model | EN IEC 62541-5 | -
IEC 62541-6 | - | OPC Unified Architecture - Part 6: Mappings | EN IEC 62541-6 | -
IEC 62541-8 | - | OPC Unified Architecture - Part 8: Data Access | EN IEC 62541-8 | -
IEC 62541-12 | - | OPC unified architecture - Part 12: Discovery and global services | EN IEC 62541-12 | -
[1] Under preparation. Stage at the time of publication: IEC/DIS 62541-1:2024.
[2] Under preparation. Stage at the time of publication: prEN IEC 62541-1:2024
IEC 62541-18 ®
Edition 1.0 2025-08
INTERNATIONAL
STANDARD
OPC unified architecture -
Part 18: Role-Based Security
ICS 25.040  ISBN 978-2-8327-0611-4

IEC 62541-18:2025-08(en)
IEC 62541-18:2025 © IEC 2025
CONTENTS
FOREWORD
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms and definitions
4 Role Model
4.1 General
4.2 RoleSetType
4.2.1 RoleSetType definition
4.2.2 AddRole Method
4.2.3 RemoveRole Method
4.3 RoleSet
4.4 RoleType
4.4.1 RoleType definition
4.4.2 EndpointType
4.4.3 IdentityMappingRuleType
4.4.4 IdentityCriteriaType
4.4.5 AddIdentity Method
4.4.6 RemoveIdentity Method
4.4.7 AddApplication Method
4.4.8 RemoveApplication Method
4.4.9 AddEndpoint Method
4.4.10 RemoveEndpoint Method
4.5 RoleMappingRuleChangedAuditEventType
5 User Management Model
5.1 General
5.2 UserManagementType
5.2.1 UserManagementType definition
5.2.2 PasswordOptionsMask
5.2.3 UserConfigurationMask
5.2.4 UserManagementDataType
5.2.5 AddUser Method
5.2.6 ModifyUser Method
5.2.7 RemoveUser Method
5.2.8 ChangePassword Method
5.3 UserManagement
Bibliography

Figure 1 – Role management overview
Figure 2 – User management overview

Table 1 – RoleSetType definition
Table 2 – RoleSet definition
Table 3 – RoleSet Additional Conformance Units
Table 4 – RoleType definition
Table 5 – EndpointType Structure
Table 6 – EndpointType definition
Table 7 – IdentityMappingRuleType
Table 8 – Order for subject name criteria
Table 9 – IdentityMappingRuleType definition
Table 10 – IdentityCriteriaType Values
Table 11 – IdentityCriteriaType Definition
Table 12 – RoleMappingRuleChangedAuditEventType definition
Table 13 – UserManagementType definition
Table 14 – PasswordOptionsMask values
Table 15 – PasswordOptionsMask definition
Table 16 – UserConfigurationMask values
Table 17 – UserConfigurationMask definition
Table 18 – UserManagementDataType structure
Table 19 – DataSetMetaDataType definition
Table 20 – UserManagement definition

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
OPC unified architecture -
Part 18: Role-Based Security
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in
respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which
may be required to implement this document. However, implementers are cautioned that this may not represent
the latest information, which may be obtained from the patent database available at https://patents.iec.ch. IEC
shall not be held responsible for identifying any or all such patent rights.
IEC 62541-18 has been prepared by subcommittee 65E: Devices and integration in enterprise
systems, of IEC technical committee 65: Industrial-process measurement, control and
automation. It is an International Standard.
The text of this International Standard is based on the following documents:
Draft | Report on voting
65E/1043/CDV | 65E/1101/RVC
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this International Standard is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/publications.
Throughout this document and the other Parts of the series, certain document conventions are
used:
Italics are used to denote a defined term or definition that appears in the "Terms and definitions"
clause in one of the parts of the series.
Italics are also used to denote the name of a service input or output parameter or the name of
a structure or element of a structure that are usually defined in tables.
The italicized terms and names are also often written in camel-case (the practice of writing
compound words or phrases in which the elements are joined without spaces, with each
element's initial letter capitalized within the compound). For example, the defined term is
AddressSpace instead of Address Space. This makes it easier to understand that there is a
single definition for AddressSpace, not separate definitions for Address and Space.
A list of all parts in the IEC 62541 series, published under the general title OPC Unified
Architecture, can be found on the IEC website.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be
• reconfirmed,
• withdrawn, or
• revised.
1 Scope
This part of IEC 62541 defines an Information Model. The Information Model describes the basic
infrastructure to model role-based security.
NOTE In the previous version, Role-Based Security was in IEC 62541-5:2020, Annex F.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 62541-1, OPC Unified Architecture – Part 1: Overview and Concepts
IEC 62541-3, OPC Unified Architecture – Part 3: Address Space Model
IEC 62541-4, OPC Unified Architecture – Part 4: Services
IEC 62541-5, OPC Unified Architecture – Part 5: Information Model
IEC 62541-6, OPC Unified Architecture – Part 6: Mappings
IEC 62541-8, OPC Unified Architecture – Part 8: Data Access
IEC 62541-12, OPC Unified Architecture – Part 12: Discovery and Global Services
3 Terms and definitions
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 62541-1, IEC 62541-3
and IEC 62541-5 apply.
ISO and IEC maintain terminology databases for use in standardization at the following
addresses:
• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
4 Role Model
4.1 General
OPC UA defines a standard approach for implementing role-based security. Servers can choose
to implement part or all of the mechanisms defined here. The OPC UA approach assigns
Permissions to Roles for each Node in the AddressSpace. Clients are then granted Roles when
they create a Session based on the information provided by the Client.
Roles are used to separate authentication (determining who a Client is with a user token and
Client application identity) from authorization (Permissions determining what the Client is
allowed to do). By separating these tasks Servers can allow centralized services to manage
user identities and credentials while the Server only manages the Permissions on its Nodes
assigned to Roles.
IEC 62541-3 defines the possible Permissions and the representation as Node Attributes.
Figure 1 depicts the ObjectTypes, Objects and their components used to represent the Role
management.
Figure 1 – Role management overview
4.2 RoleSetType
4.2.1 RoleSetType definition
The RoleSet Object defined in IEC 62541-5 is a RoleSetType which is formally defined in
Table 1.
Table 1 – RoleSetType definition
Attribute | Value
BrowseName | RoleSetType
IsAbstract | False

References | Node Class | BrowseName | DataType | TypeDefinition | Modelling Rule
Subtype of BaseObjectType defined in IEC 62541-5
HasComponent | Object | | | RoleType | OptionalPlaceholder
HasComponent | Method | AddRole | Defined in 4.2.2 | | Mandatory
HasComponent | Method | RemoveRole | Defined in 4.2.3. | | Mandatory
Conformance Units
Base Info ServerType
The AddRole Method allows configuration Clients to add a new Role to the Server.
The RemoveRole Method allows configuration Clients to remove a Role from the Server.
4.2.2 AddRole Method
This Method is used to add a Role to the RoleSet Object.
The combination of the NamespaceUri and RoleName parameters is used to construct the
BrowseName for the new Node. The BrowseName shall be unique within the RoleSet Object.
If the optional Properties EndpointsExclude and ApplicationsExclude are available on the Role
Object created with this Method, the initial values of the EndpointsExclude and
ApplicationsExclude Properties shall be TRUE.
The Client shall use an encrypted channel and shall provide user credentials with administrator
rights like SecurityAdmin Role when invoking this Method on the Server.
IEC 62541-3 defines well-known Roles. If this Method is used to add a well-known Role, the
name of the Role from IEC 62541-3 is used together with the OPC UA namespace URI. The
Server shall use the NodeIds for the well-known Roles in this case. The NodeIds for the
well-known Roles are defined in IEC 62541-6.
Signature
AddRole (
[in] String  RoleName,
[in] String  NamespaceUri,
[out] NodeId  RoleNodeId
);
Argument | Description
RoleName | The name of the Role.
NamespaceUri | The NamespaceUri qualifies the RoleName. If this value is null or empty then the resulting BrowseName will be qualified by the Server's NamespaceUri.
RoleNodeId | The NodeId assigned by the Server to the new Node.

Method Result Codes
ResultCode | Description
Bad_InvalidArgument | The RoleName or NamespaceUri is not valid. The text associated with the error shall indicate the exact problem.
Bad_NotSupported | The Server does not allow more Roles to be added.
Bad_UserAccessDenied | The caller does not have the necessary Permissions.
Bad_AlreadyExists | The Role already exists in the Server.
Bad_ResourceUnavailable | The Server does not have enough resources to add the role.

4.2.3 RemoveRole Method
This Method is used to remove a Role from the RoleSet Object.
The RoleNodeId is the NodeId of the Role Object to remove.
The Server can prohibit the removal of some Roles because they are necessary for the Server
to function.
If a Role is removed all Permissions associated with the Role are deleted as well. Ideally these
changes should take effect immediately; however, some lag can occur.
The Client shall use an encrypted channel and shall provide user credentials with administrator
rights like SecurityAdmin Role when invoking this Method on the Server.
Signature
RemoveRole (
[in] NodeId RoleNodeId
);
Argument | Description
RoleNodeId | The NodeId of the Role Object.

Method Result Codes
ResultCode | Description
Bad_NodeIdUnknown | The specified Role Object does not exist.
Bad_NotSupported | The Server does not allow the Role Object to be removed.
Bad_UserAccessDenied | The caller does not have the necessary Permissions.
Bad_RequestNotAllowed | The specified Role Object cannot be removed.

4.3 RoleSet
The RoleSet Object defined in Table 2 is used to publish all Roles supported by the Server.
Table 2 – RoleSet definition
Attribute | Value
BrowseName | RoleSet

References | Node Class | BrowseName | DataType | TypeDefinition | Modelling Rule
ComponentOf the ServerCapabilities Object defined in IEC 62541-5
HasTypeDefinition | ObjectType | RoleSetType | | |
HasComponent | Object | Anonymous | | RoleType |
HasComponent | Object | AuthenticatedUser | | RoleType |
HasComponent | Object | Observer | | RoleType |
HasComponent | Object | Operator | | RoleType |
HasComponent | Object | Engineer | | RoleType |
HasComponent | Object | Supervisor | | RoleType |
HasComponent | Object | ConfigureAdmin | | RoleType |
HasComponent | Object | SecurityAdmin | | RoleType |
Conformance Units
Security Role Server Base 2
Servers should support the well-known Roles which are defined in IEC 62541-3.
The default Identities for the Anonymous Role should be Identities with the criteriaType
IdentityCriteriaType.Anonymous and the criteriaType IdentityCriteriaType.AuthenticatedUser.
The default Identities for the AuthenticatedUser Role should be an identity with the criteriaType
IdentityCriteriaType.AuthenticatedUser.
The additional definition for the conformance units of the instances is defined in Table 3.
Table 3 – RoleSet Additional Conformance Units
BrowsePath | Conformance Units
AddRole | Security Role Server Management
RemoveRole | Security Role Server Management
ConfigureAdmin | Security Role Well Known
SecurityAdmin | Security Role Well Known
Anonymous | Security Role Well Known Group 2
AuthenticatedUser | Security Role Well Known Group 2
Observer | Security Role Well Known Group 3
Operator | Security Role Well Known Group 3
Engineer | Security Role Well Known Group 3
Supervisor | Security Role Well Known Group 3
Anonymous AddIdentity | Security Role Server IdentityManagement
Anonymous RemoveIdentity | Security Role Server IdentityManagement
Anonymous ApplicationsExclude | Security Role Server Restrict Applications
Anonymous Applications | Security Role Server Restrict Applications
Anonymous AddApplication | Security Role Server Restrict Applications
Anonymous RemoveApplication | Security Role Server Restrict Applications
Anonymous EndpointsExclude | Security Role Server Restrict Endpoints
Anonymous Endpoints | Security Role Server Restrict Endpoints
Anonymous AddEndpoint | Security Role Server Restrict Endpoints
Anonymous RemoveEndpoint | Security Role Server Restrict Endpoints
AuthenticatedUser AddIdentity | Security Role Server IdentityManagement
AuthenticatedUser RemoveIdentity | Security Role Server IdentityManagement
AuthenticatedUser ApplicationsExclude | Security Role Server Restrict Applications
AuthenticatedUser Applications | Security Role Server Restrict Applications
AuthenticatedUser AddApplication | Security Role Server Restrict Applications
AuthenticatedUser RemoveApplication | Security Role Server Restrict Applications
AuthenticatedUser EndpointsExclude | Security Role Server Restrict Endpoints
AuthenticatedUser Endpoints | Security Role Server Restrict Endpoints
AuthenticatedUser AddEndpoint | Security Role Server Restrict Endpoints
AuthenticatedUser RemoveEndpoint | Security Role Server Restrict Endpoints
Observer AddIdentity | Security Role Server IdentityManagement
Observer RemoveIdentity | Security Role Server IdentityManagement
Observer ApplicationsExclude | Security Role Server Restrict Applications
Observer Applications | Security Role Server Restrict Applications
Observer AddApplication | Security Role Server Restrict Applications
Observer RemoveApplication | Security Role Server Restrict Applications
Observer EndpointsExclude | Security Role Server Restrict Endpoints
Observer Endpoints | Security Role Server Restrict Endpoints
Observer AddEndpoint | Security Role Server Restrict Endpoints
Observer RemoveEndpoint | Security Role Server Restrict Endpoints
Operator AddIdentity | Security Role Server IdentityManagement
Operator RemoveIdentity | Security Role Server IdentityManagement
Operator ApplicationsExclude | Security Role Server Restrict Applications
Operator Applications | Security Role Server Restrict Applications
Operator AddApplication | Security Role Server Restrict Applications
Operator RemoveApplication | Security Role Server Restrict Applications
Operator EndpointsExclude | Security Role Server Restrict Endpoints
Operator Endpoints | Security Role Server Restrict Endpoints
Operator AddEndpoint | Security Role Server Restrict Endpoints
Operator RemoveEndpoint | Security Role Server Restrict Endpoints
Engineer AddIdentity | Security Role Server IdentityManagement
Engineer RemoveIdentity | Security Role Server IdentityManagement
Engineer ApplicationsExclude | Security Role Server Restrict Applications
Engineer Applications | Security Role Server Restrict Applications
Engineer AddApplication | Security Role Server Restrict Applications
Engineer RemoveApplication | Security Role Server Restrict Applications
Engineer EndpointsExclude | Security Role Server Restrict Endpoints
Engineer Endpoints | Security Role Server Restrict Endpoints
Engineer AddEndpoint | Security Role Server Restrict Endpoints
Engineer RemoveEndpoint | Security Role Server Restrict Endpoints
Supervisor AddIdentity | Security Role Server IdentityManagement
Supervisor RemoveIdentity | Security Role Server IdentityManagement
Supervisor ApplicationsExclude | Security Role Server Restrict Applications
Supervisor Applications | Security Role Server Restrict Applications
Supervisor AddApplication | Security Role Server Restrict Applications
Supervisor RemoveApplication | Security Role Server Restrict Applications
Supervisor EndpointsExclude | Security Role Server Restrict Endpoints
Supervisor Endpoints | Security Role Server Restrict Endpoints
Supervisor AddEndpoint | Security Role Server Restrict Endpoints
Supervisor RemoveEndpoint | Security Role Server Restrict Endpoints
ConfigureAdmin AddIdentity | Security Role Server IdentityManagement
ConfigureAdmin RemoveIdentity | Security Role Server IdentityManagement
ConfigureAdmin ApplicationsExclude | Security Role Server Restrict Applications
ConfigureAdmin Applications | Security Role Server Restrict Applications
ConfigureAdmin AddApplication | Security Role Server Restrict Applications
ConfigureAdmin RemoveApplication | Security Role Server Restrict Applications
ConfigureAdmin EndpointsExclude | Security Role Server Restrict Endpoints
ConfigureAdmin Endpoints | Security Role Server Restrict Endpoints
ConfigureAdmin AddEndpoint | Security Role Server Restrict Endpoints
ConfigureAdmin RemoveEndpoint | Security Role Server Restrict Endpoints
SecurityAdmin AddIdentity | Security Role Server IdentityManagement
SecurityAdmin RemoveIdentity | Security Role Server IdentityManagement
SecurityAdmin ApplicationsExclude | Security Role Server Restrict Applications
SecurityAdmin Applications | Security Role Server Restrict Applications
SecurityAdmin AddApplication | Security Role Server Restrict Applications
SecurityAdmin RemoveApplication | Security Role Server Restrict Applications
SecurityAdmin EndpointsExclude | Security Role Server Restrict Endpoints
SecurityAdmin Endpoints | Security Role Server Restrict Endpoints
SecurityAdmin AddEndpoint | Security Role Server Restrict Endpoints
SecurityAdmin RemoveEndpoint | Security Role Server Restrict Endpoints
4.4 RoleType
4.4.1 RoleType definition
Each Role Object has the Properties and Methods defined by the RoleType which is formally
defined in Table 4.
Table 4 – RoleType definition
Attribute | Value
BrowseName | RoleType
IsAbstract | False

References | Node Class | BrowseName | DataType | TypeDefinition | Modelling Rule
Subtype of BaseObjectType
HasProperty | Variable | Identities | IdentityMappingRuleType [] | PropertyType | Mandatory
HasProperty | Variable | ApplicationsExclude | Boolean | PropertyType | Optional
HasProperty | Variable | Applications | String [] | PropertyType | Optional
HasProperty | Variable | EndpointsExclude | Boolean | PropertyType | Optional
HasProperty | Variable | Endpoints | EndpointType [] | PropertyType | Optional
HasProperty | Variable | CustomConfiguration | Boolean | PropertyType | Optional
HasComponent | Method | AddIdentity | Defined in 4.4.5. | | Optional
HasComponent | Method | RemoveIdentity | Defined in 4.4.6. | | Optional
HasComponent | Method | AddApplication | Defined in 4.4.7. | | Optional
HasComponent | Method | RemoveApplication | Defined in 4.4.8. | | Optional
HasComponent | Method | AddEndpoint | Defined in 4.4.9. | | Optional
HasComponent | Method | RemoveEndpoint | Defined in 4.4.10. | | Optional
Conformance Units
Base Info ServerType
The Properties and Methods of the RoleType contain sensitive security related information and
shall only be browseable, readable, writeable and callable by authorized administrators through
an encrypted channel.
The configuration of the Roles is done through Method calls. The only exceptions are the
ApplicationsExclude and EndpointsExclude Properties. The two Properties are configured with
the Write Service. All other Properties are configured with the corresponding Method calls. The
CurrentWrite bit of the AccessLevel Attribute for the Properties Identities, Applications and
Endpoints shall be FALSE.
The Identities Property specifies the currently configured rules for mapping a UserIdentityToken
to the Role. If this Property is an empty array and CustomConfiguration is not TRUE, then the
Role cannot be granted to any Session.
The Role shall only be granted to the Session if all of the following conditions are true:
• The UserIdentityToken complies with Identities.
• The Applications Property is not configured or the Client Certificate complies with the
Applications settings.
• The Endpoints Property is not configured or the Endpoint used complies with the Endpoints
settings.
The ApplicationsExclude Property defines the Applications Property as an include list or exclude
list. If the ApplicationsExclude Property is not provided or has a value of FALSE then only
ApplicationInstance Certificates included in the Applications Property shall be included in this
Role. All other ApplicationInstance Certificates shall not be included in this Role. If this Property
has a value of TRUE then all ApplicationInstance Certificates included in the Applications
Property shall be excluded from this Role. All other ApplicationInstance Certificates shall be
included in this Role. If the Applications Property is provided with an empty array and all
ApplicationInstance Certificates should be included, the ApplicationsExclude Property shall be
present and the value must be TRUE.
The Applications Property specifies the ApplicationInstance Certificates of Clients which shall
be included or excluded from this Role. Each element in the array is an ApplicationUri from a
Client Certificate which is trusted by the Server. If Applications are configured for include or
exclude, the Role shall only be granted if the Session uses at least a signed communication
channel.
The EndpointsExclude Property defines the Endpoints Property as an include list or exclude
list. If this Property is not provided or has a value of FALSE then only Endpoints included in the
Endpoints Property shall be included in this Role. All other Endpoints shall not be included in
this Role. If this Property has a value of TRUE then all Endpoints included in the Endpoints
Property shall be excluded from this Role. All other Endpoints shall be included in this Role. If
the Endpoints Property is provided with an empty array and all endpoints should be included,
the EndpointsExclude Property shall be present and the value must be TRUE.
The Endpoints Property specifies the Endpoints which shall be included or excluded from this
Role. Each element in the array is an EndpointType that contains an Endpoint description. The
EndpointUrl and the other Endpoint settings are compared with the configured Endpoint that is
used by the SecureChannel for the Session. The EndpointType DataType is defined in 4.4.2.
Fields that have default values as defined in the EndpointType DataType are ignored during
the comparison.
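The three grant conditions and the include/exclude semantics above can be checked with the following added example, which is not part of the standard. The function names, the string form of the security modes, exact-string URL comparison and the reading that only a non-empty Applications list triggers the signed-channel requirement are assumptions of this sketch.

```python
from dataclasses import dataclass

SIGNED_MODES = ("Sign", "SignAndEncrypt")  # MessageSecurityMode names, IEC 62541-4

@dataclass(frozen=True)
class Endpoint:
    """EndpointType fields; the defaults mark a field as 'ignore in comparison'."""
    endpoint_url: str
    security_mode: str = "Invalid"
    security_policy_uri: str = ""
    transport_profile_uri: str = ""

def endpoint_matches(rule: Endpoint, used: Endpoint) -> bool:
    """Compare one configured entry with the Endpoint the SecureChannel uses."""
    if rule.endpoint_url != used.endpoint_url:  # assumption: exact string match
        return False
    if rule.security_mode != "Invalid" and rule.security_mode != used.security_mode:
        return False
    for name in ("security_policy_uri", "transport_profile_uri"):
        wanted = getattr(rule, name)
        if wanted and wanted != getattr(used, name):  # empty/None = default, skipped
            return False
    return True

def list_allows(entries, exclude, is_match) -> bool:
    """Include/exclude semantics shared by Applications and Endpoints.
    entries is None when the Property is not configured."""
    if entries is None:
        return True
    hit = any(is_match(e) for e in entries)
    return not hit if exclude else hit

def role_granted(identity_ok, app_uri, channel_mode, used_endpoint,
                 applications=None, applications_exclude=False,
                 endpoints=None, endpoints_exclude=False) -> bool:
    """All three conditions must hold; identity_ok is the Identities result."""
    if not identity_ok:
        return False
    # Interpretation: a non-empty Applications list needs a signed channel.
    if applications and channel_mode not in SIGNED_MODES:
        return False
    return (list_allows(applications, applications_exclude, lambda u: u == app_uri)
            and list_allows(endpoints, endpoints_exclude,
                            lambda e: endpoint_matches(e, used_endpoint)))
```

Note the asymmetry the text calls out: an empty array with the Exclude flag absent or FALSE admits nothing, while the same empty array with Exclude set to TRUE admits everything.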
The CustomConfiguration Property indicates that the configuration of the Role and the
assignment of the Role to Sessions is vendor specific. Roles are required to support the
RolePermissions Attribute. If a Server wants to support RolePermissions but is not able to support
the standard Role functionality, it can indicate this with the CustomConfiguration Property. If
CustomConfiguration is TRUE, the Server can hide the configuration options completely or the
Server can provide additional vendor specific configuration options.
The AddIdentity Method adds a rule used to map a UserIdentityToken to the Role. If the Server
does not allow changes to the mapping rules, then the Method is not present. A Server should
prevent certain rules from being added to particular Roles. For example, a Server should refuse
to allow an ANONYMOUS_5 (see 4.4.2) mapping rule to be added to Roles with administrator
privileges.
The RemoveIdentity Method removes a mapping rule used to map a UserIdentityToken to the
Role. If the Server does not allow changes to the mapping rules, then the Method is not present.
The AddApplication Method adds an ApplicationInstance Certificate to the list of Applications.
If the Server does not enforce application restrictions or does not allow changes to the mapping
rules for the Role, the Method is not present.
The RemoveApplication Method removes an ApplicationInstance Certificate from the list of
Applications. If the Server does not enforce application restrictions or does not allow changes
to the mapping rules for the Role, the Method is not present.
4.4.2 EndpointType
This structure describes an Endpoint. The EndpointType is formally defined in Table 5.
Table 5 – EndpointType Structure

| Name | Type | Description |
|---|---|---|
| EndpointType | structure | |
| endpointUrl | String | The URL for the Endpoint. |
| securityMode | MessageSecurityMode | The type of message security. The MessageSecurityMode type is defined in IEC 62541-4. The default value is MessageSecurityMode Invalid. The field is ignored for comparison if the default value is set. |
| securityPolicyUri | String | The URI of the SecurityPolicy. The default value is an empty or null String. The field is ignored for comparison if the default value is set. |
| transportProfileUri | String | The URI of the Transport Profile. The default value is an empty or null String. The field is ignored for comparison if the default value is set. |

The EndpointType Structure representation in the AddressSpace is defined in Table 6.
Table 6 – EndpointType definition

| Attributes | Value |
|---|---|
| BrowseName | EndpointType |
| IsAbstract | False |

| References | NodeClass | BrowseName | IsAbstract | Description |
|---|---|---|---|---|
| Subtype of Structure defined in IEC 62541-5. | | | | |

Conformance Units: Base Info ServerType

4.4.3 IdentityMappingRuleType
The IdentityMappingRuleType structure defines a single rule for selecting a UserIdentityToken.
The structure is described in Table 7.
Table 7 – IdentityMappingRuleType

| Name | Type | Description |
|---|---|---|
| IdentityMappingRuleType | Structure | Specifies a rule used to map a UserIdentityToken to a Role. |
| criteriaType | Enumeration IdentityCriteriaType | The type of criteria contained in the identity mapping rule. The IdentityCriteriaType is defined in 4.4.4. |
| criteria | String | The criteria which the UserIdentityToken must meet for a Session to be mapped to the Role. The meaning of the criteria depends on the criteriaType. The criteria are a null or empty string for Anonymous and AuthenticatedUser. |

If the criteriaType is UserName, the criteria is a name of a user known to the Server. For
example, the user could be the name of a local operating system account or a user managed
by the server as defined in 5.2.
If the criteriaType is Thumbprint, the criteria is a thumbprint of an immediate user Certificate or
an issuer Certificate in its chain which is trusted by the Server. For the criteria, the thumbprint
shall be encoded as a hexadecimal string with upper case characters and without spaces.
If the criteriaType is Role, the criteria is a name of a restriction found in the Access Token. For
example, the Role "subscriber" can only be allowed to access PubSub related Nodes.
If the criteriaType is GroupId, the criteria is a generic text identifier for a user group specific to
the Authorization Service. For example, an Authorization Service providing access to an Active
Directory can add one or more Windows Security Groups to the Access Token. IEC 62541-6
defines how groups are added to Access Tokens.
If the criteriaType is Anonymous, the criteria is a null or empty string which indicates no user
credentials have been provided.
If the criteriaType is AuthenticatedUser, the criteria is a null or empty string which indicates any
valid user credentials have been provided.
If the criteriaType is Application, the criteria is the ApplicationUri from the Client Certificate
used for the Session. The Client Certificate shall be trusted by the Server and the Session shall
use at least a signed communication channel. This criteria type is used if a Role should be
granted to a Session for Application Authentication with Anonymous UserIdentityToken. If a
Role should be granted to a Session for Application Authentication combined with User
Authentication, the Applications Property on the RoleType is combined with the Id
...
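The following added example, which is not part of the standard, shows how a Server could validate a rule on AddIdentity (refusing an Anonymous rule on an administrator Role and normalising thumbprints to upper-case hex without spaces) and then evaluate the UserName, Thumbprint, Role, GroupId, Anonymous and AuthenticatedUser criteria types described above. The function names, the token dictionary layout, the choice of administrator Roles and the rule that a token complies when at least one rule matches are assumptions of this sketch; the Application criteria type is left out.

```python
import re

ADMIN_ROLES = {"SecurityAdmin", "ConfigureAdmin"}  # assumption: server's admin Roles
THUMBPRINT_RE = re.compile(r"[0-9A-F]+")

def canonical_thumbprint(text: str) -> str:
    """Normalise an operator-entered thumbprint to upper-case hex without spaces."""
    value = re.sub(r"[\s:]", "", text).upper()
    if not THUMBPRINT_RE.fullmatch(value):
        raise ValueError("thumbprint is not a hexadecimal string")
    return value

def add_identity(role_name: str, rules: list, criteria_type: str, criteria: str = ""):
    """AddIdentity-style check: validate a rule before storing it on the Role."""
    if criteria_type == "Anonymous" and role_name in ADMIN_ROLES:
        raise PermissionError("Anonymous rule refused on administrator Role")
    if criteria_type in ("Anonymous", "AuthenticatedUser"):
        criteria = ""  # criteria are null or empty for these types
    elif criteria_type == "Thumbprint":
        criteria = canonical_thumbprint(criteria)
    elif not criteria:
        raise ValueError("criteria required for " + criteria_type)
    rules.append((criteria_type, criteria))

def rule_matches(rule, token: dict) -> bool:
    """token is a constructed view of an already validated UserIdentityToken;
    chain_thumbprints, token_roles and token_groups must be collections."""
    kind, criteria = rule
    anonymous = token.get("anonymous", False)
    if kind == "Anonymous":
        return anonymous
    if anonymous:
        return False
    if kind == "AuthenticatedUser":
        return True
    if kind == "UserName":
        return token.get("user_name") == criteria
    field = {"Thumbprint": "chain_thumbprints", "Role": "token_roles",
             "GroupId": "token_groups"}.get(kind)
    return field is not None and criteria in token.get(field, ())

def identity_complies(rules, token) -> bool:
    """Empty Identities never match, so the Role cannot be granted."""
    return any(rule_matches(r, token) for r in rules)
```

Normalising at configuration time matters because a thumbprint stored in lower case or with separators would never equal the value the Server computes, leaving a rule that silently matches nobody.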
