An event subscription service API is a window through which applications can observe system-wide activity, so applications must be prevented from unauthorized snooping on system behavior at this access point. In addition, read-write access to the HPOM message flow lets an external application discard messages without any user becoming aware that a message was ever generated. The APIs must therefore enforce authentication so that users and applications cannot gain unauthorized access to the HPOM message flow.
HPOM is conceived as an open application that offers a high degree of flexibility for integrating other applications; accordingly, it allows external programs to define actions for messages that pass through the message agent. Event correlation can be seen as raising the existing concept of message conditions ("if the attributes match, then set attributes and actions") to a higher level ("if the rule fires, then set attributes and actions"). It is therefore essential that such external applications are permitted to make these modifications.
An appropriate authorization mechanism at the API level guarantees that only authorized users can use the APIs. However, checking a user ID is an OS-level function tied to the superuser concept, which conflicts somewhat with the existing HPOM concept, in which the HPOM administrator is responsible for configuring user roles.
HPOM for Windows lets you enable and disable the interface functionality. In addition, you can configure whether an application that writes to the interface is allowed to define actions. This applies to all interface types.
In the HPOM for Windows policy editors you can also define, for each message, whether it may be output to the Message Stream Interface. For example, an administrator can suppress the output of certain messages so that external applications cannot obtain sensitive information by reading them from the HPOM message flow.
By default, the interfaces are disabled and applications are not allowed to define actions.
To enable the message stream interface on a managed node, create a nodeinfo policy containing
OPC_AGTMSI_ENABLE TRUE
and deploy it to the managed nodes.
If actions are disallowed and an application nevertheless tries to define one, an explanatory error text is added to the message's annotations field and the action is disabled.
To allow the definition of automatic actions, add the following to the nodeinfo policy:
OPC_AGTMSI_ALLOW_AA TRUE
To allow the definition of operator-initiated actions, add the following to the nodeinfo policy:
OPC_AGTMSI_ALLOW_OA TRUE
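The three settings above are easy to get wrong when they are spread across several nodeinfo policies, so a reviewer typically wants to know, per node, what an external application would be able to do once the policy is deployed. The following Python script is an added example for this page, not HPOM product code. It assumes that nodeinfo policy text consists of plain "KEY VALUE" lines as shown above, that keys are case-insensitive, that a line starting with "#" is a comment (an assumption for this example, not documented here), and that any absent key keeps the documented default: interface disabled, actions not allowed.

```python
"""Audit nodeinfo policy text for Message Stream Interface (MSI) exposure.

Added example for this page; it is not HPOM product code. Assumptions:
nodeinfo policies are plain "KEY VALUE" lines, keys are case-insensitive,
'#' starts a comment (assumed, not documented), and a key that is absent
keeps the documented default: interface disabled, actions not allowed.
"""

MSI_KEYS = ("OPC_AGTMSI_ENABLE", "OPC_AGTMSI_ALLOW_AA", "OPC_AGTMSI_ALLOW_OA")


def parse_nodeinfo(text):
    """Return {KEY: VALUE} for every setting line in the policy text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # assumed comment syntax
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed nodeinfo line: %r" % raw)
        key, value = parts
        settings[key.upper()] = value.strip()
    return settings


def flag_is_true(settings, key):
    """Every MSI key defaults to off, so only an explicit TRUE turns it on."""
    return settings.get(key, "FALSE").strip().upper() == "TRUE"


def assess_msi(text):
    """Classify what the policy lets an external application do on the node."""
    s = parse_nodeinfo(text)
    enabled = flag_is_true(s, "OPC_AGTMSI_ENABLE")
    allow_aa = flag_is_true(s, "OPC_AGTMSI_ALLOW_AA")
    allow_oa = flag_is_true(s, "OPC_AGTMSI_ALLOW_OA")
    findings = []
    if not enabled:
        level = "none"
        findings.append("MSI disabled (default): applications cannot read or alter the message flow")
        if allow_aa or allow_oa:
            findings.append("OPC_AGTMSI_ALLOW_* is set but only matters once the interface is enabled")
    else:
        level = "medium"
        findings.append("MSI enabled: applications can read messages and, in read-write mode, discard them")
        if allow_aa:
            level = "high"
            findings.append("applications may attach automatic actions, which run without operator approval")
        if allow_oa:
            level = "high"
            findings.append("applications may attach operator-initiated actions")
        if not (allow_aa or allow_oa):
            findings.append("actions disallowed: an attempt is annotated on the message and the action disabled")
    return {"enabled": enabled, "allow_aa": allow_aa, "allow_oa": allow_oa,
            "level": level, "findings": findings}


# Constructed sample: the policy from the procedure above, with OA left at its default.
SAMPLE_POLICY = """\
# nodeinfo policy for nodes running the correlation application (constructed sample)
OPC_AGTMSI_ENABLE TRUE
OPC_AGTMSI_ALLOW_AA TRUE
"""

if __name__ == "__main__":
    for name, text in (("default (empty policy)", ""), ("sample policy", SAMPLE_POLICY)):
        result = assess_msi(text)
        print("%s: exposure=%s" % (name, result["level"]))
        for finding in result["findings"]:
            print("  -", finding)
```

Running the script reports the empty policy as "none" (everything at the documented default) and the sample policy as "high", because it enables the interface and lets applications attach automatic actions. Treating a missing key as FALSE is deliberate: a policy that merely omits OPC_AGTMSI_ALLOW_OA is not the same as one that sets it to FALSE, and an audit that only looks for explicit TRUE values would miss nodes where an earlier policy already enabled the interface.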