Understand how Data Archive access permissions work

Each user's access permissions are determined by the PI identities with which that user is associated. Active Directory (AD) groups are mapped to PI identities. Windows users that belong to that group get the access permissions for that PI identity.

Look at the access needs for all your Windows users. Which AD groups does the user belong to? Which PI identities do those groups map to? Users that belong to more than one AD group get the cumulative access permissions for all the associated PI identities. For example, in the following illustration, the Windows user, Bob, belongs to both AD groups. Bob therefore gets the permissions configured for PI Identity1 and the permissions for PI Identity2.

Similarly, users get the cumulative access permissions for all parent AD groups (for nested AD groups). For example, in the following illustration, Windows user, Bob, belongs to ADGroup2. Since ADGroup2 is nested inside ADGroup1, the users in ADGroup2 get all the access permissions of ADGroup1, as well as those of ADGroup2.

Note: Though you can map individual AD users to PI identities, it is not a recommended practice. Mappings based on AD users will prevent you from managing your Data Archive security access by manipulating group memberships.