About access permissions on the PI Data Archive server

The Data Archive server has a variety of resources to which you can control access. These resources include points, modules, archive configuration, backups, batches, audit trails, and so on. We refer to those PI resources for which you can set access permissions as secure objects.

Each secure object can be configured to have access permissions for an unlimited number of PI identities, as the following illustration shows.

The Data Archive server stores the settings for each object in an access control list (ACL). Each secure object on the Data Archive server has an ACL that defines access permissions for that object. (Points have two ACLs: one for the point data and one for the point configuration.) The ACL contains an entry for each identity (or user or group) for which access permissions are set on that object. The ACL for the TEST_POINT data in the illustration above would look like this:

Identity1:A(r,w) | Identity2:A(r,w) | Identity3:A(r) | IdentityN:A(r,w)

Access permissions for each PI identity are separated by the pipe (|) symbol. Each entry is called an access control entry (ACE) and consists of the PI identity name, then a colon (:) followed by the access privileges, which are defined in the format: A(r,w). The A in this notation stands for Allow and "r,w" indicates the allowed access privileges – read and write, in this example.

The possible types of access privileges are read and write. The possible unique privilege combinations are "r" for read only, "w" for write only, "r,w" for read and write, and "" (empty) for none.

Note: Unlike Windows, the Data Archive server does not allow you to explicitly deny access privileges.