AFSecurity Class
- Last Updated: Nov 18, 2025
- PI System
- AF SDK 2024 R2
- Developer

Inheritance Hierarchy
OSIsoft.AF.AFSecurity
Namespace: OSIsoft.AF
Assembly: OSIsoft.AFSDK (in OSIsoft.AFSDK.dll) Version: 3.1.1.1182
Syntax
- C#: public sealed class AFSecurity
- VB: Public NotInheritable Class AFSecurity
- VB usage: Dim instance As AFSecurity
- C++: public ref class AFSecurity sealed
- F#: [<SealedAttribute>] type AFSecurity = class end
The AFSecurity type exposes the following members.
Properties
| Name | Description |
|---|---|
| CanAnnotate | This read-only property returns whether the current user has Annotate access to the object. |
| CanDelete | This read-only property returns whether the current user has Delete rights on the object. |
| CanExecute | This read-only property returns whether the current user has Execute rights on the object. |
| CanRead | This read-only property returns whether the current user has Read access to the object. |
| CanReadData | This read-only property returns whether the current user has ReadData access to the object. |
| CanSubscribe | This read-only property returns whether the current user has Subscribe rights on the object. |
| CanSubscribeOthers | This read-only property returns whether the current user has SubscribeOthers rights on the object. |
| CanWrite | This read-only property returns whether the current user has Write access to the object. |
| CanWriteData | This read-only property returns whether the current user has WriteData access to the object. |
| HasAdmin | This read-only property returns whether the current user has Admin rights on the object. |
| Owner | This read-only property returns the AFObject that owns this AFSecurity. |
| OwnerName | This read-only property returns the owner name for the AFObject associated with this AFSecurity. |
| SecurityRights | This read-only property returns the security access rights of the current user for the associated object. |
| Token | The security rights token to be used to check the security of the object without needing to first load the object from the server. |
Methods
| Name | Description |
|---|---|
| AddIdentity(PISystem, AFSecurityIdentity, AFSecurityRights, AFSecurityRights, AFSecurityOperation) | Add security for an AFSecurityIdentity to all objects in the PISystem. |
| AddIdentity(PISystem, AFSecurityIdentity, IList<AFSecurity>, AFSecurityRights, AFSecurityRights, AFSecurityOperation, Boolean) | Add security for an AFSecurityIdentity to specified objects in the PISystem. |
| AddUser(PISystem, String, AFSecurityRights, AFSecurityRights, AFSecurityOperation) | Add security for a user account to all objects in the PISystem. |
| AddUser(PISystem, String, IList<AFSecurity>, AFSecurityRights, AFSecurityRights, AFSecurityOperation, Boolean) | Add security for a user account to specified objects in the PISystem. |
| AreEquivalent | This method compares two lists of AFSecurityIdentity items for equivalence. |
| CheckSecurity(ClaimsIdentity) | Evaluate the AFSecurityRights of the specified user for the object. |
| CheckSecurity(WindowsIdentity) | Evaluate the AFSecurityRights of the specified user for the object. |
| CheckSecurity(IList<AFSecurityIdentity>, String) | Evaluate the AFSecurityRights for the specified list of security identities for a user. |
| CheckSecurity(PISystem, ClaimsIdentity, IList<AFSecurityRightsToken>) | Evaluate the AFSecurityRights of the specified user for a list of objects without needing to load the object. |
| CheckSecurity(PISystem, WindowsIdentity, IList<AFSecurityRightsToken>) | Evaluate the AFSecurityRights of the specified user for a list of objects without needing to load the object. |
| CheckSecurity(PISystem, IList<AFSecurityIdentity>, IList<AFSecurityRightsToken>, String) | Evaluate the AFSecurityRights for the security identities of a user for a list of objects without needing to load the object. |
| ClearSecurityRightsCache | Clears the cache used by the CheckSecurity overload methods. |
| Equals | Determines whether the specified object is equal to the current object. (Inherited from Object.) |
| GetAccessControl | Obsolete. Gets the access control security descriptor for the associated object. |
| GetAccountNameForSID(SecurityIdentifier, Boolean) | Helper method to return the Windows account name for a security identifier (SID). |
| GetAccountNameForSID(SecurityIdentifier, Boolean, String) | Helper method to return the Windows account name for a security identifier (SID) on a remote machine. |
| GetHashCode | Serves as the default hash function. (Inherited from Object.) |
| GetIdForRoleName | Helper method that returns the Id for an OpenID Connect Role. |
| GetRoleNameForId | Helper method that returns the Name for an OpenID Connect Role. |
| GetSecurityEntries | Get the security entries for this security object. |
| GetSecurityString | Gets a cached human-readable string which represents the Access Rules of the security for the associated object. |
| GetSecurityString(Boolean) | Gets a human-readable string which represents the Access Rules of the security for the associated object, with the option to force getting the latest version from the server. |
| GetSIDForAccountName(String) | Helper method that returns the security identifier (SID) for a Windows account name. |
| GetSIDForAccountName(String, String) | Helper method that returns the security identifier (SID) for a Windows account name on a remote machine. |
| GetType | Gets the Type of the current instance. (Inherited from Object.) |
| GetUserId | Get the user identifier for the specified user name. |
| GetUserIdentities(PISystem, ClaimsIdentity) | Gets the list of AFSecurityIdentity identities for the specified user on the PISystem server. |
| GetUserIdentities(PISystem, WindowsIdentity) | Gets the list of AFSecurityIdentity identities for the specified user on the PISystem server. |
| GetUserIdentityString(PISystem, ClaimsIdentity) | Gets the security identity string for the specified user on the PISystem server. |
| GetUserIdentityString(PISystem, WindowsIdentity) | Gets the security identity string for the specified user on the PISystem server. |
| RemoveIdentity(PISystem, AFSecurityIdentity) | Remove all security rights for an AFSecurityIdentity from all objects in the PISystem. |
| RemoveIdentity(PISystem, AFSecurityIdentity, IList<AFSecurity>, Boolean) | Remove all security rights for an AFSecurityIdentity from the specified objects in the PISystem. |
| RemoveUser(PISystem, String) | Remove all security rights for a user account from all objects in the PISystem. |
| RemoveUser(PISystem, String, IList<AFSecurity>, Boolean) | Remove all security rights for a user account from the specified objects in the PISystem. |
| SetAccessControl | Obsolete. Sets the access control security descriptor for the associated object. |
| SetOwner(ClaimsIdentity) | Used to take ownership of the AFObject that is associated with this AFSecurity. |
| SetOwner(NTAccount) | Used to take ownership of the AFObject that is associated with this AFSecurity. |
| SetSecurityString | Sets the access control security rules for the associated object. |
| ToString | Returns a String that represents the current object. (Overrides Object.ToString.) |
| VerifySignature | Verify the signature of an assembly. |
Remarks
This object is used to test and/or control the security access to the associated object. It can also be used to determine if the currently logged on user has read and/or write permission to the underlying database for the particular object. For example, a user may be attempting to add an AFElement to the server but may not have sufficient privileges to accomplish this. This object is designed to allow applications to check permissions before creating a series of interrelated objects, rather than trying each one and then trying to remove all the objects if one fails due to permissions.
Versions of the PISystem (PI AF Server) 2.7 or later support mapping Windows user identities to an AFSecurityIdentity using the AFSecurityMapping object. This aligns the security model of the PI AF Server with that of the PIServer. Even though these new objects support the IAFSecurable interface, their permissions are defined by PISystem security and cannot be modified. The three built-in security identities Administrators, World, and Owner do not have Write or Delete permission because they cannot be modified. The Owner identity only supports allowing access permissions; it does not support denying any access permissions. The WriteData permission on an identity determines if security mappings can be added. All built-in identities have the WriteData permission except the Owner identity.
When adding a child AFElement, the child element will inherit the security of its parent element at the time of creation if it is added as a Strong or Composition reference. The security rights of an AFElement created at the database level will be calculated from the Element security item associated with the AFDatabase.
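One way to run the pre-flight check described above before creating a parent and child element, as an added C# example that is not part of the AF SDK documentation. It assumes a default PI System and database are configured on the client and that Write is the right required to add elements; the element names Line1 and Pump1 are hypothetical.

```csharp
using System;
using OSIsoft.AF;
using OSIsoft.AF.Asset;

static class PreflightSecurityCheck
{
    // Returns null when the current user holds every required right on the
    // object behind 'security'; otherwise a message naming the missing rights.
    static string MissingRights(AFSecurity security, AFSecurityRights required, string what)
    {
        AFSecurityRights missing = required & ~security.SecurityRights;
        return missing == 0 ? null : $"{what}: current user lacks {missing}";
    }

    static int Main()
    {
        // Assumption: a default PI System and database are configured on this client.
        PISystem system = new PISystems().DefaultPISystem;
        AFDatabase db = system.Databases.DefaultDatabase;

        // Assumption: Write is the right required to add elements.
        AFSecurityRights needed = AFSecurityRights.Write;

        // An element created at the database level gets its rights from the
        // database's Element security item, so that is the object to test first.
        AFSecurity elementItem = db.GetSecurity(AFSecurityItem.Element);
        string problem = MissingRights(elementItem, needed, "Element security item");
        if (problem != null)
        {
            // Fail before anything is created, so there is nothing to roll back.
            Console.Error.WriteLine(problem);
            return 1;
        }

        // "Line1" and "Pump1" are hypothetical names. Assumption: Elements.Add
        // uses a Strong reference, so the child takes the parent's security.
        AFElement line = db.Elements.Add("Line1");
        AFElement pump = line.Elements.Add("Pump1");
        db.CheckIn();

        // Confirm what was actually applied instead of assuming inheritance worked.
        Console.WriteLine($"{line.Name}: {line.Security.GetSecurityString(true)}");
        Console.WriteLine($"{pump.Name}: {pump.Security.GetSecurityString(true)}");
        return 0;
    }
}
```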
At the time of creation, the security access rights for an AFEventFrame that does not have a Strong reference parent are calculated from the AFElementTemplate if it was created from a template. If not created from a template, the security access rights are calculated from the EventFrame security item associated with the AFDatabase. The WriteData permission will control whether users can create, modify, or delete event frames. The ReadData permission will control whether users can read event frames. A child event frame will inherit the security of its parent event frame at the time of creation if it is added as a Strong reference.
For an AFTransfer, the security access rights are calculated from the AFElementTemplate if it was created from a template. If not created from a template, the security access rights are calculated from the Transfer security item associated with the AFDatabase. The WriteData permission will control whether users can create, modify, or delete transfers. The ReadData permission will control whether users can read transfers.
The security access rights for an AFCase are calculated from the AFAnalysis that owns the case. The WriteData permission will control whether users can create, modify, or delete cases. The ReadData permission will control whether users can read cases. The Execute permission will determine if a user can call the CollectElements, CollectInputs, CollectTransfers, Run, and Publish methods of the AFCase.
When an AFAnalysis is associated with an AFNotification, the security access rights for the two objects are synchronized. Similarly when an AFAnalysisTemplate is associated with an AFNotificationTemplate, the security access rights for the two objects are synchronized. This means that changing the security access rights of one object will also change the security access rights of the other associated object.
For all other types of objects, the initial security access rights are calculated from the corresponding AFSecurityItem associated with the AFDatabase. For example, the database's NotificationRule security item is used to initialize the security access rights for an AFNotificationRule when it is created.
The following objects always have the Read permission regardless of their security settings: AFCategory, AFNotificationContactTemplate, AFNotificationTemplate, AFAnalysisTemplate, AFElementTemplate, AFEnumerationSet, AFReferenceType, and UOMDatabase. If the following objects have the ReadData permission, then they will also be granted the Read permission: AFElement, AFModel, AFNotification, AFEventFrame, AFTransfer, and AFCase. The PISystem requires that Read permission is configured in order to connect. However, the full list of PI Systems configured on a client machine is always available since determining the permissions requires an actual connection to be made. The PISystem also always has the Delete permission.
There are two security string formats supported by the SDK: the Security Descriptor String Format defined by Microsoft, and the human-readable Security String Format. Each of these is described in the Security Formats topic.