Galaxy Repository — Security, Users, Roles & Permissions
Overview
The Galaxy Repository uses a role-based access control (RBAC) system with three layers:
- Users — individual accounts in
user_profile
- Roles — assigned to users, control what operations they can perform
- Security Groups — assigned to objects/packages, control which users can see/modify them
- Security Classification — per-attribute write protection levels (0-6)
1. Users (user_profile table)
| Column |
Type |
Description |
user_profile_id |
int |
Primary key |
user_profile_name |
nvarchar |
Username (e.g., SystemEngineer, Administrator) |
user_guid |
uniqueidentifier |
Unique identifier for check-out tracking |
password_hash |
int |
Legacy password hash |
crypto_secure_hashed_pwd |
ntext |
Encrypted password |
default_security_group |
nvarchar |
Default security group for new objects |
roles |
ntext |
Serialized role assignments (binary) |
intouch_access_level |
int |
InTouch HMI access level |
user_full_name |
nvarchar |
Display name |
default_platform_tag_name |
nvarchar |
Default platform for deployments |
default_app_engine_tag_name |
nvarchar |
Default engine for new objects |
default_history_engine_tag_name |
nvarchar |
Default historian engine |
default_area_tag_name |
nvarchar |
Default area for new objects |
Current Users
| ID |
Name |
Security Group |
Roles |
Notes |
| 1 |
SystemEngineer |
Default |
(none) |
Built-in engineering account |
| 2 |
Administrator |
Default |
Administrator |
Has password, admin role |
| 3 |
DefaultUser |
Default |
(assigned) |
Default runtime user |
User Preferences (user_preferences table)
Stores per-user UI preferences as binary blobs, keyed by user_profile_id and preference_type (GUID).
2. Roles & Permissions
Roles are managed through Galaxy runtime attributes, not SQL tables. The Galaxy platform object exposes:
Role Management Attributes
| Attribute |
Description |
RoleList |
Array of defined role names |
AddRole |
Command: create a new role |
DeleteRole |
Command: remove a role |
CurrentRole |
The active role for the current session |
RolePermission |
Array of permission flags per role |
TogglePermission |
Command: toggle a permission flag |
User-Role Assignment Attributes
| Attribute |
Description |
SetUserRole |
Command: assign a role to a user |
DelUserRole |
Command: remove a role from a user |
ListUserRole |
Command: list roles for a user |
Operation Permissions
| Attribute |
Description |
OpPermission |
Operation permission list |
OpPermissionSGList |
Operation permissions per security group |
ToggleOpPermission |
Command: toggle operation permission |
3. Security Groups
Security groups control which users can access which objects. Each package (object version) belongs to a security group.
package.security_group column
- Type: nvarchar
- Default:
"Default"
- All packages in the current Galaxy use the
"Default" security group
Key Stored Procedures
| Procedure |
Description |
list_object_by_security_group |
Lists all objects in a given security group |
internal_change_objects_security_group |
Bulk-changes security groups for objects |
is_package_visible_to_user |
Checks if a user can see a specific package version |
Visibility Rules
- Objects checked out by a user are only visible to that user (exclusive edit)
gobject.checked_out_by_user_guid tracks who has the object checked outis_package_visible_to_user determines which package version (checked-in vs checked-out) a user sees
4. Security Classification (Attribute-Level)
Each attribute has a security_classification value controlling write access:
| Value |
Level |
OPC UA Access |
Description |
| 0 |
FreeAccess |
ReadWrite |
No restrictions |
| 1 |
Operate |
ReadWrite |
Normal operating level (default) |
| 2 |
SecuredWrite |
ReadOnly |
Elevated write access required |
| 3 |
VerifiedWrite |
ReadOnly |
Verified/confirmed write required |
| 4 |
Tune |
ReadWrite |
Tuning-level access |
| 5 |
Configure |
ReadWrite |
Configuration-level access |
| 6 |
ViewOnly |
ReadOnly |
Read-only, no writes |
Distribution in Database
| Classification |
Count |
Example Attributes |
| -1 |
15,905 |
Most system attributes (no restriction) |
| 0 |
2,194 |
Basic attributes |
| 1 |
1,420 |
Description fields, standard attributes |
| 4 |
1,392 |
Tune-level (e.g., _ChangePassword) |
| 5 |
969 |
Configure-level attributes |
| 6 |
2,250 |
ViewOnly (e.g., _ExternalName) |
Lock Types (dynamic_attribute.lock_type)
| Value |
Description |
| 0 |
Standard (unlocked) |
| Other |
Locked by template or system |
5. Authentication
The Galaxy supports multiple authentication modes, configured via the AuthenticationMode attribute on the platform:
| Mode |
Description |
| Galaxy Only |
Users authenticate against Galaxy's internal user_profile table |
| OS Group Only |
Users authenticate via Windows domain groups |
| Windows Integrated Security |
Users authenticate via Windows credentials (SSO) |
Related Attributes
| Attribute |
Description |
AuthenticationMode |
Active authentication method |
SecurityEnabled |
Boolean: whether security enforcement is active |
_SecuritySchema |
XML security schema definition (binary) |
_MasterSecuritySchema |
Master security schema (binary) |
6. Check-Out/Check-In Security
Galaxy objects use an exclusive check-out model for editing:
gobject Column |
Description |
checked_out_by_user_guid |
GUID of user who has the object checked out |
checked_out_package_id |
Package version created for the check-out |
checked_in_package_id |
Last checked-in package version |
Only the user who checked out an object can modify it. Other users see the last checked-in version.
7. Protected Objects
The gobject_protected table lists objects that cannot be modified:
- Contains only
gobject_id column
- Protects system-critical objects from accidental changes
8. Operation/Workflow Groups
| Table |
Description |
ow_group_def |
Operation/workflow group definitions |
ow_group_id |
Group ID tracking |
ow_group_override |
Group overrides with property_bitmask |
Summary
The Galaxy security model operates at four levels:
- Authentication determines who can connect
- Roles determine what operations a user can perform
- Security Groups determine which objects a user can access
- Security Classification determines per-attribute write permissions
For the OPC UA server, the most relevant layer is Security Classification (already implemented — maps to OPC UA AccessLevel). The server currently uses anonymous access and does not enforce user/role/security-group checks.
bfd360a6db