PI AF identities and mappings

A PI AF identity represents a set of access permissions on the PI AF server. Each PI AF mapping points from a Windows user or group to a PI AF identity. Beginning with PI AF Server 2015 (v2.7), you cannot directly grant a Windows user or group access to a PI AF server resource (such as an element collection or objects). Instead, you create a PI AF identity that has that access and then you create a PI AF mapping between the Windows user or group and that PI AF identity.

Members of the Windows groups that are mapped to a PI AF identity are automatically granted the access permissions for that PI AF identity. For example, in the following illustration, the PI AF identity called Engineers has read/write access to the Elements collection. Because the Active Directory (AD) group Engineering Team is mapped to Engineers, all the members in that AD group get read/write permission for the Elements collection.

AD group mapping to a PI AF identity

Multiple identities

A single Windows user can be mapped to multiple PI AF identities, typically via mappings of the various Windows group memberships to which he or she belongs. A user is granted permissions based on all the PI AF identities to which he or she is mapped. Effective permissions are determined by taking the union of all identities' allowed permissions and removing the union of all denied permissions. For example, in the following illustration, the Windows user Bob belongs to both AD groups. Bob therefore gets the permissions that are configured for PI AF IDENTITY1 and PI AF IDENTITY2.

Windows user with cumulative access permissions

Additionally, a user must have read permission on a PI AF database to be able to read any object within it. Likewise, a user must have write permission on a PI AF database to write to any object within it.

For more information on working with identities and mappings, see Manage identities in PI AF and Manage mappings in PI AF.