Master's Thesis Recap: OPC UA Role-Based Access Control in Industrial Automation

When I was finishing my studies, I had to do what every student eventually does: pick a master’s thesis topic. Or in my case, mostly get one assigned. My colleagues at Prosys had been aware of OPC UA Role-Based Access Control being added to the specification, but none had the pleasure to take a closer look at what had been defined in the spec, and even less so, how it should be used or implemented in real industrial scenarios.

One thought that came from one of my colleagues was to reuse IT infrastructure, specifically directory services (such as LDAP and AD), on the OT side as well. This has several obvious benefits, like a single source of truth for role assignments and a low barrier to entry due to industry-standard systems. However, as with all OT environments, operational availability is key and must be ensured with such dependencies between OT and IT. This led me to investigate the feasibility of such a system architecture and to consider how to ensure that OT requirements are not compromised.

This post is the short, practical overview of what I looked at and what seems to matter the most.

The complete thesis is available in Tampere University’s Trepo archive.

OPC UA RBAC in Brief

OPC UA separates who you are (authentication) from what you’re allowed to do (authorization). With RBAC, permissions are attached to roles instead of individual users.

  • Clients (users or applications) are mapped to one or more roles for the session.
  • Roles define what’s allowed on nodes.
  • The spec includes well-known roles (like Operator or Engineer) to give everyone a common starting point.
Important: permission checks happen on each server. You can manage role names and assignments centrally if you want, but the server still needs those roles and permissions locally to enforce them.
 

Two main approaches

In my thesis, I focused on two practical ways to assign roles:
  • Directory integration (LDAP/AD). Existing IT directories can be reused so that user and group information is not duplicated. The risk is that if the directory is unreachable, the plant may lose access control definitions. To counter this, the thesis presented a case study with redundant LDAP servers in the OT network (DMZ), ensuring that operations continue even if the corporate IT link is down.
  • Local mappings. Each server maintains its own identity-to-role mapping, along with role permissions. This avoids external dependencies and works even in isolated networks. The drawback is the extra maintenance work and the chance of inconsistencies between servers, especially in larger setups.
A hybrid option is also possible: using an orchestration tool to distribute updates while still storing mappings on the servers themselves.
 

A simulated case study

Initially, I had planned to discuss with industry experts who have real-life setups to gather insight into what their OT access controls look like currently and to ask for their opinions on what they need or how different OT RBAC solutions could benefit them. Unfortunately, due to time constraints (and the fact that the scope of the work was getting out of hand), I couldn’t get in touch with the necessary people and thus lacked some practical examples of network architecture that I could use as a blueprint for my considerations. This led me to create a case study (as shown in the picture below) as an attempt to test different approaches for RBAC information persistence.

Diagram illustrating OPC UA Role-Based Access Control in industrial automation, comparing directory integration with local role mappings
Case study of a hypothetical industrial environment with centralized RBAC using LDAP

No silver bullets

What made this work particularly hard for me was that there wasn’t a clean, clear-cut answer at the end of the tunnel or a “satisfying” resolution. Like for most things in life, the answer to the question of “How should OPC UA RBAC be implemented?” was:
 
It depends.
 
However, some possible remarks came to mind:
  • Directory integration makes sense when identities are already centralized and redundancy is available.
  • Local mappings are straightforward and resilient for smaller or isolated plants.
  • Orchestration might fit large or complex systems that need both coordination and local independence, however, the feasibility and robustness of such tooling is hard to determine as it doesn’t exist.
Which approach is the best depends on system size, existing infrastructure, and how critical it is to keep operations running during IT outages.
 

Final takeaways

At the time of writing this thesis (June 2025), support for RBAC in OPC UA SDKs and devices was still limited. This is why the study was exploratory and focused on what the specification allows rather than on off-the-shelf solutions. Wider support in tools and devices will shape how these options can be applied in practice, alongside the requirements of different industrial environments.
 
RBAC in OPC UA can be useful, but it’s also just one layer in a bigger puzzle. Real requirements of each specific operation and real tooling availability will likely largely dictate how each actor should implement their OT access control system.
 
I hope that my work has a positive impact on the field and produces real, meaningful insights for people working in the industry who are considering implementing such networks, not just for us to understand the complexities of OPC UA and industrial automation, but also for them to gain valuable knowledge.
Headshot of Luukas Lusetti

Luukas Lusetti

Software Engineer

Email: luukas.lusetti@prosysopc.com

Related Posts

i-GuSystem – From MTConnect to OPC UA: Future-Proof CNC Data Collection with Forge

August 20, 2025 No Comments

i-GuSystem Ltd., a Finnish specialist in CNC program transfer and production data acquisition, adopted Prosys OPC UA Forge to extend its data integration from MTConnect into the OPC UA era, ensuring future-proof and scalable solutions. To meet the growing demand for OPC UA, i-GuSystem integrated Prosys OPC UA Forge as a future-proof layer. Forge enables direct OPC UA connectivity with output in XML, ensuring full compatibility with iguXMLsync and downstream systems like VisualFactory, MES, Azure cloud, and Power BI.
The first Forge deployment was completed in just two hours, delivering reliable results and proving the scalability of i-GuSystem’s solutions. By adopting Forge, i-GuSystem has seamlessly extended its CNC data expertise into the OPC UA era, future-proofing its architecture while continuing to provide rapid, hands-on results for its customers.

Read More »
Search Blogs with Key Words

Interested in this topic?

Get updated about new posts through our newsletter!
Subscribe to Our Newsletter