Security Formats
- Last UpdatedNov 18, 2025
- 4 minute read
- PI System
- AF SDK 2024 R2
- Developer
This topic describes the security formats used when getting or setting security on an object in the PI AF Server.
This topic contains the following sections:
There are two formats for specifying security that are supported by the PI AF Server. There is the human-readable Security String Format which is the preferred format for versions 2.7 or later of the server. In server versions 2.7 or greater, user identities are represented by the names of the AFSecurityIdentity objects. On older servers, the human-readable format uses the names of Windows Identities instead.
The other supported format is the Security Descriptor String Format defined by Microsoft. This format is intended for servers previous to 2.7, but some backward compatibility capabilities exist for converting this format into the new security model.
Security String Format
The Security String Format is a more readable text format than the native Security Descriptor String Format and is the preferred format for AF Server versions 2.7 or later. This string format which is used to specify the access control rules has the following format:
userid1:ace_type1(rights1)|userid2:ace_type2(rights2)|... useridN:ace_typeN(rightsN)
For PI AF Server 2.7 and later which support the newer AFSecurityIdentity objects, the userid is the name of the AFSecurityIdentity for the access control rule. For older servers which only support the Security Descriptor String Format, the userid identifies the trustee of the ACE in NT Account form. If the account cannot be resolved, then the SID or common account abbreviation is used, as described in the SID Name Table in the Security Descriptor String Format Section.
The ace_type indicates the type of the access rule. This table lists the supported ACE type strings:
ACE Type Name | ACE Type String Value |
|---|---|
Allow Access | A |
Deny Access | D |
The rights string indicates the access rights controlled by the ACE. This string is a comma separated list of access right abbreviations as listed below or specify 'all' for all rights:
Access Rights Name | Access Rights Abbreviation |
|---|---|
Read | r |
Write | w |
Delete | d |
Execute | x |
Admin | a |
ReadData | rd |
WriteData | wd |
Subscribe | s |
SubscribeOthers | so |
Annotate | an |
Here are a few examples of this format:
Administrators:A(r,w,rd,wd,x,d,a)|World:A(r,rd)
Operators:D(r,rd,wd)|Administrators:A(r,w,rd,wd,x,d,a)|Engineers:A(r,w,rd,wd)
Operators:D(r,rd,wd)|Administrators:A(all)|Engineers:A(all)
BUILTIN\Admin:A(r,w,rd,wd,x,d,a)|Everyone:A(r,rd)
Security Descriptor String Format
The Security Descriptor String Format is a format defined by Microsoft (search for Security Descriptor String Format in MSDN for more information). For AF Server 2.7 and later, this format is obsoleted however is still available for backward compatibility. When used with an AF Server 2.7 and later, the windows users that are mapped to the security identities in the server's ACL will be auto-expanded into individual ACEs. Additionally, a manufactured SID will be included to represent the AF security identity. When used to write ACL's to the AF Server 2.7 or later, AF mappings and identities will be auto-created, when possible.
The format is a string with tokens to indicate each of the four main components of a security descriptor: owner(O:), primary group (G:), DACL (D:), and SACL (S:). AF does not use the SACL portion of the security descriptor. The string format most commonly used is specified in the following format:
O:owner_sid G:group_sid D:(string_ace1)(string_ace2)... (string_aceN) S:(string_ace1)(string_ace2)... (string_aceN)
The owner_sid and group_sid can use either the standard string representation of a SID (S-R-I-S-S...) or a well-known SID string constant. This table lists some of the most common well-known SID string constants:
SID Name | SID String Constants |
|---|---|
Account Operators | AO |
Authenticated Users | AU |
Built-in Administrators | BA |
Built-in Users | BU |
Domain Administrators | DA |
Domain Users | DU |
Everyone | WD |
Local Administrators | LA |
Local Service Account | LS |
Local System Account | SY |
Network Logon Users | NU |
Network Service Account | NS |
Power Users | PU |
Service Logon Users | SU |
A string_ace is a string that describes an ACE in the security descriptor's DACL or SACL (search for ACE Strings in MSDN for more information). Each ACE string is enclosed in parentheses. The commonly used fields of the ACE are in the following order and are separated by semicolons (fields that are not normally set are shown as empty):
ace_type;;rights;;;account_sid
The ace_type indicates the value of the AceType member of the ACE_HEADER structure. This table lists some of the most common ACE type strings:
ACE Type Name | ACE Type String Value |
Allow Access | A |
Deny Access | D |
The rights string indicates the access rights controlled by the ACE. This string can be a hexadecimal string representation of the access rights or it can be a concatenation of the access right strings. This table lists the ACE access rights string constants used by AF:
Access Rights Name | Access Rights Value |
Read | CC |
Write | DC |
Delete | LC |
Execute | SW |
Admin | RP |
ReadData | WP |
WriteData | DT |
Subscribe | LO |
SubscribeOthers | CR |
The account_sid identifies the trustee of the ACE in the same format as the owner_sid and group_sid described above.
Here are a few examples of this format:
O:BAG:BAD:(A;;CC;;;WD)(A;;CCDCLCSWRP;;;BA)
O:BAG:BAD:(A;;CCDCLCSWRPWPDTLOCR;;;BA)(A;;CCDCWP;;;WD)
O:BAG:BAD:(D;;RP;;;S-1-5-21-2084324470-1890137325-1469997231-17242)(A;;CCDCLCSWRPWPDTLOCR;;;BA)(A;;CCWP;;;WD)