AfwOpcDaSurrogate as read-only interface?
What is the correct way to limit the access rights of external applications through the surrogate OPC to read-only?
On the standard installation the surrogate OPC provides full write access. Also, write operations through the surrogate OPC were not logged in the audit trail!
Voted best answer
I always suggest creating a *dedicated* account to run the surrogate server on (dcomcnfg.exe->AfwDsOPCSurrogate->Launch Identity->*this user*).
If read-only is required, make this account a member of the Everyone group in 800xA.
If read/write is required, add this account to the Operator group(s) in 800xA.
Do not use the Service Account!
If audit trail is enabled in the system, the external client connecting via the surrogate *could* optionally be exempted from audit via a simple registry setting.
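The launch identity chosen in dcomcnfg ("This user") is stored in the registry under the surrogate's DCOM AppID, so the check below can be run on every node to confirm that a dedicated, non-administrative account is configured. This is an added example, not code from the thread or from ABB: it assumes the surrogate's AppID description contains "OPCSurrogate" (the exact AppID GUID is not given in the thread), that a "This user" identity appears as the key's RunAs value, and that Get-LocalGroupMember (PowerShell 5.1 and later) is available.

```powershell
# Added example (not from the original thread): report how the OPC surrogate's DCOM
# launch identity is configured and whether that account is a local Administrator.
# Assumptions: the AppID description matches $AppNamePattern (assumed name), the
# "This user" launch identity is stored as the RunAs value of HKCR\AppID\{GUID},
# and the session is elevated so HKCR and local group membership can be read.
param(
    [string]$AppNamePattern = 'OPCSurrogate'   # assumed pattern for the surrogate's DCOM description
)

# Find the AppID key(s) whose default value (the DCOM application name) matches the pattern.
$appIds = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '{*}' } |
    ForEach-Object {
        $desc = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($desc -and $desc -like "*$AppNamePattern*") { $_ }
    }

if (-not $appIds) {
    Write-Warning "No AppID matching '$AppNamePattern' found; check the name in dcomcnfg.exe"
    return
}

# Members of the local Administrators group, as DOMAIN\name or COMPUTER\name strings.
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name

foreach ($key in $appIds) {
    $props = Get-ItemProperty $key.PSPath
    $runAs = $props.RunAs

    # No RunAs value means the default "The launching user"; the literal
    # "Interactive User" is the second dcomcnfg option; anything else is "This user".
    $identity = if (-not $runAs) { 'The launching user (default)' }
                elseif ($runAs -eq 'Interactive User') { 'The interactive user' }
                else { $runAs }

    $dedicated = [bool]$runAs -and $runAs -ne 'Interactive User'
    $isAdmin   = $dedicated -and ($admins -contains $runAs)

    [pscustomobject]@{
        AppId            = $key.PSChildName
        Description      = $props.'(default)'
        LaunchIdentity   = $identity
        DedicatedAccount = $dedicated
        LocalAdmin       = $isAdmin
    }

    if (-not $dedicated) {
        Write-Warning "$($key.PSChildName): no dedicated launch account configured"
    } elseif ($isAdmin) {
        Write-Warning "$runAs is a local Administrator; a read-only surrogate account should not be"
    }
}
```

The output row for each node should show `DedicatedAccount = True` and `LocalAdmin = False`; the 800xA-side restriction (Everyone vs. Operator group membership) is not visible in the registry and still has to be checked in the 800xA user configuration.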
On one node this works without trouble; on the second node it does not.
The AfwOpcDaSurrogate.exe is starting as the read-only user, but it gets no system access. The memory usage and the count of used Windows handles increase endlessly.
To get the surrogate working on this node I had to add the read-only user to the local Administrators group.