Consolidate LDAP roles into OPC UA session roles with granular write permissions

Map LDAP groups to custom OPC UA role NodeIds on RoleBasedIdentity.GrantedRoleIds during authentication, replacing the username-to-role side cache. Split ReadWrite into WriteOperate/WriteTune/WriteConfigure so write access is gated per Galaxy security classification. AnonymousCanWrite now behaves consistently regardless of LDAP state. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 01:50:16 -04:00
parent 50b9603465
commit 50b85d41bd
21 changed files with 549 additions and 94 deletions
--- a/src/ZB.MOM.WW.LmxOpcUa.Host/appsettings.json
+++ b/src/ZB.MOM.WW.LmxOpcUa.Host/appsettings.json
@@ -46,7 +46,9 @@
      "ServiceAccountPassword": "serviceaccount123",
      "TimeoutSeconds": 5,
      "ReadOnlyGroup": "ReadOnly",
-      "ReadWriteGroup": "ReadWrite",
+      "WriteOperateGroup": "WriteOperate",
+      "WriteTuneGroup": "WriteTune",
+      "WriteConfigureGroup": "WriteConfigure",
      "AlarmAckGroup": "AlarmAck"
    }
  },