Authorization Model
Effective permission = role permissions ∩ token scopes
An operator whose token carries only the ads:read scope can only read, even though the operator role itself permits writes.
Roles
| Role | Permissions |
|---|---|
| viewer | Read variables, browse symbols, device info, read files |
| operator | + Write variables, upload files |
| admin | + Start/stop/reset PLC |
Scopes
| Scope | Grants |
|---|---|
| ads:read | All read operations |
| ads:write | Write operations (variables, files) |
| ads:lifecycle | PLC lifecycle control |
Policies
| Policy | Requirements |
|---|---|
| ReadAccess | plc_access check + role >= viewer + scope ads:read |
| WriteAccess | plc_access check + role >= operator + scope ads:write |
| LifecycleAccess | plc_access check + role = admin + scope ads:lifecycle |
Per-PLC Access Control
Add a plc_access claim to the JWT with an array of allowed PLC aliases:

```json
{
  "plc_access": ["Line1", "TestRig"]
}
```

- If plc_access is present, the user can only access the listed PLCs
- If plc_access is absent, access to all PLCs is granted (default allow)
- Accessing a denied PLC returns 403 with PLC_ACCESS_DENIED
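The policy table and the per-PLC rules above, combined into one decision function as an added example (not the project's own code). It assumes the JWT carries the role in a `role` claim and the scopes in an OAuth-style `scope` claim; the `INSUFFICIENT_ROLE` and `MISSING_SCOPE` error codes are hypothetical, only `PLC_ACCESS_DENIED` is from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Role ordering used for the "role >= X" checks in the policy table.
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}

# Policy -> (minimum role, required scope). Lifecycle needs exactly admin;
# since admin is the top of the ordering, "rank >= admin" is equivalent.
POLICIES = {
    "ReadAccess": ("viewer", "ads:read"),
    "WriteAccess": ("operator", "ads:write"),
    "LifecycleAccess": ("admin", "ads:lifecycle"),
}

@dataclass
class Decision:
    allowed: bool
    status: int             # 200 when allowed, 403 otherwise
    error: Optional[str]    # PLC_ACCESS_DENIED is documented; the others are hypothetical

def plc_allowed(claims: dict, plc: str) -> bool:
    """Per-PLC check: absent claim is default allow, present claim is an allow-list."""
    allowed = claims.get("plc_access")
    if allowed is None:
        return True
    return plc in allowed

def token_scopes(claims: dict) -> set:
    """Accept either a space-separated scope string (assumed) or a list of scopes."""
    scope = claims.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)

def authorize(claims: dict, policy: str, plc: str) -> Decision:
    """Effective permission = role permissions ∩ token scopes, gated by plc_access."""
    min_role, scope = POLICIES[policy]
    if not plc_allowed(claims, plc):
        return Decision(False, 403, "PLC_ACCESS_DENIED")
    # Unknown or missing role ranks below viewer and is denied.
    if ROLE_RANK.get(claims.get("role"), -1) < ROLE_RANK[min_role]:
        return Decision(False, 403, "INSUFFICIENT_ROLE")
    if scope not in token_scopes(claims):
        return Decision(False, 403, "MISSING_SCOPE")
    return Decision(True, 200, None)

if __name__ == "__main__":
    # Constructed sample claims: an operator holding only ads:read cannot write.
    operator_read_only = {"role": "operator", "scope": "ads:read"}
    print(authorize(operator_read_only, "WriteAccess", "Line1"))
```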