
Asset Framework and PI System Explorer (PI Server 2024 R2)

Learn about identities and mappings

  • Last Updated May 15, 2025

A PI Asset Framework (AF) identity represents a set of access permissions on the PI AF server. Each PI AF mapping points from a Windows user or group, or from an Identity provider role, to a PI AF identity.

A role represents a group of users with similar job functions and access permissions. Roles are stored and managed by the Identity provider service. The AVEVA Identity Manager is the provided identity service for PI Server 2024. A role that is mapped to a PI AF identity inherits the access permissions for that identity.

Beginning with PI AF Server 2015 (version 2.7), you cannot directly grant a Windows user or group access to a PI AF server resource (such as an element collection or objects). Instead, you create a PI AF identity that has that access and then you create a PI AF mapping between the Windows user or group and that PI AF identity.

Members of the Windows groups that are mapped to a PI AF identity are also automatically granted the access permissions for that PI AF identity. For example, in the following illustration, the PI AF identity called Engineers has read/write access to the Elements collection. Because the Microsoft Active Directory group Engineering Team is mapped to Engineers, all the members in that group get read/write permission for the Elements collection.

Microsoft Active Directory group mapping to a PI AF identity

An illustration that shows three users who belong to a Windows Entra ID group; the users are circled, with a line to the Engineers PI AF identity.

Multiple identities

A single Windows user can be mapped to multiple PI AF identities, typically with mappings of the various Windows group memberships to which the individual belongs. A user is granted permissions based on all the PI AF identities to which he or she is mapped. Effective permissions are determined by taking the union of all identities' allowed permissions and removing the union of all denied permissions. For example, in the following illustration, the Windows user Bob belongs to both Active Directory groups. Bob therefore gets the permissions that are configured for PI AF IDENTITY1 and PI AF IDENTITY2.

Windows user with cumulative access permissions

Additionally, a user must have read permission on a PI AF database to be able to read any object within it. Likewise, a user must have write permission on a PI AF database to write to any object within it.
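
The two rules above (union of allowed permissions minus union of denied permissions, then the database-level read/write requirement) can be modelled in a few lines. This is an added example in plain Python, not AF SDK code and not part of the original documentation; the group names, the users other than Bob, and every ACL entry are constructed sample data.

```python
# Model of the rules described above; plain Python, not the AF SDK.
# Bob, IDENTITY1 and IDENTITY2 come from the page. Group names, the other
# users and all ACL entries are constructed sample data.
GROUP_MEMBERS = {
    "CORP\\GroupA": {"Bob", "Alice"},
    "CORP\\GroupB": {"Bob", "Carol"},
}
MAPPINGS = {"CORP\\GroupA": "IDENTITY1", "CORP\\GroupB": "IDENTITY2"}

# securable -> identity -> (allowed, denied); only read/write are modelled.
ACLS = {
    "Database": {
        "IDENTITY1": ({"read", "write"}, set()),
        "IDENTITY2": ({"read"}, set()),
    },
    "Elements": {
        "IDENTITY1": ({"read", "write"}, set()),
        "IDENTITY2": ({"read"}, {"write"}),
    },
    "Templates": {
        "IDENTITY2": ({"read", "write"}, set()),
    },
}


def identities_for(user):
    """Every PI AF identity reached through a mapped group the user is in."""
    return {MAPPINGS[g] for g, members in GROUP_MEMBERS.items()
            if user in members and g in MAPPINGS}


def acl_permissions(user, securable):
    """Union of allows across identities, minus the union of denies."""
    allowed, denied = set(), set()
    for identity in identities_for(user):
        allow, deny = ACLS[securable].get(identity, (set(), set()))
        allowed |= allow
        denied |= deny
    return allowed - denied


def effective(user, obj, database="Database"):
    """Object permissions, gated by the same permission on the database."""
    return acl_permissions(user, obj) & acl_permissions(user, database)


if __name__ == "__main__":
    for user, obj in [("Alice", "Elements"), ("Bob", "Elements"), ("Carol", "Templates")]:
        print(user, obj, sorted(effective(user, obj)))
```

In this sample, Bob ends up with less access to Elements than Alice because his second group maps to an identity that denies write, and Carol's write permission on Templates has no effect because her identity lacks write on the database.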

For more information on working with identities and mappings, see Manage identities in PI AF and Manage mappings in PI AF.
