14.2. Remote Connections

To meet increased security requirements, anonymous remote (networked) connections in DataHub version 11 and above are not assigned data access roles by default. This applies to the following Internal users:

The default roles for local connections are BasicConnectivity and AllDataFullAccess, while remote connections are given only BasicConnectivity. These default settings protect system data from unauthorized remote users, while giving full access to local anonymous connections.

To enable remote data access, the recommended way is to add a new user for each protocol you need, one that has both the BasicConnectivity and AllDataFullAccess roles. When doing so, you should uncheck the RequireTOTPAuthentication role for that user, since the user is non-interactive and cannot use two-factor authentication. With this new user defined you can make remote slave or client connections by entering its username and password credentials when configuring the connection.

Alternatively, you can allow anonymous access by modifying the remote IP address principal of the internal Mirror, MQTT, OPCUA or TCP user so that it has BasicConnectivity and AllDataFullAccess roles. This is not best practice because it bypasses security. To access the internal users, choose Internal from the Organization: dropdown in the top left corner of the security window.

In either case, it is possible to further restrict access by IP address, interface protocol and data domain. Again, the recommended approach is to create a new user, rather than modify an internal user.

Example

Here is an example of how to add a built-in user with the essential permissions for remote connections:

  1. In the DataHub Properties window, select the Security option and click the Configure button.

  2. Set the Organization to Local, and in the Users tab, under Users, click the Add button and select Add BuiltIn User.

  3. Enter a User Name such as NetworkUser with a password like Efgh5678. Uncheck the RequireTotpAuthentication box because this will be an automatic, non-interactive connection.

  4. Click the OK button. The username NetworkUser will appear in the Users list, as well as in the Principals list.

  5. Check the AllDataFullAccess box to provide read and write permissions on the data. If you do not see that option, check the Show Available box.

  6. Click Apply to apply the changes.

Now any remote user that logs in with the NetworkUser username and password will be able to connect and access data for reading and writing. To enhance this essential security by restricting access based on a communication protocol, IP address pattern, or DataHub data domain, please see Restricting Access.