we have an AFSDK-based application which is running on a node that has a piadmin trust. The application has network access and is able to read tag configuration data and write data by using updateValue().
However, we would like to run the application by using a restricted service account on the node which is a member of different AD groups and thus mapped to some Identities, but it seems that the overall trust for the node overwrites the permissions of the restricted Identities. As a result, the application always has full point and data read and write permissions.
I would like to keep the node trust, but integrate an explicit check of the point and data security into the AFSDK application (because it is accessible remotely).
Is there a possibility to compare the tag security attributes to the Identity (or Identities) under which the application is running? To be more precise, I think of the following steps:
- find out the account under which the application is running
- get the corresponding PI Identities
- for a tag that should be read or written, check the "maximal" permissions of the Identities, i.e. if there is an Identity that is allowed to write the tag, it is OK; if not, throw an exception
It would be great if you can give me some code snippets or examples.
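An added sketch (my own code, not from the original post or from OSIsoft) that parses a point's security attribute string and applies the "any Identity with the right" rule from the steps above. The AF SDK members it calls (PIServer.CurrentUserIdentities, PIServerIdentity.Name, PIPoint.GetAttribute, PICommonPointAttributes.DataSecurity / PointSecurity) and the ACL string format "piadmin: A(r,w) | PIWorld: A(r)" are assumptions to verify against your SDK version.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using OSIsoft.AF.PI;

// Application-side guard: compares the ptsecurity/datasecurity ACL string of a PIPoint
// against the identities of the connected user and grants access if ANY identity has
// the requested right. Hypothetical helper, not part of the AF SDK.
public static class PointAccessGuard
{
    // Parses "identity: A(r,w) | identity2: A(r) | identity3: A()" into a map of
    // identity name -> set of rights ('r', 'w'). Names are compared case-insensitively.
    public static Dictionary<string, HashSet<char>> ParseAcl(string acl)
    {
        var result = new Dictionary<string, HashSet<char>>(StringComparer.OrdinalIgnoreCase);
        if (string.IsNullOrWhiteSpace(acl)) return result;
        foreach (var entry in acl.Split('|'))
        {
            int colon = entry.IndexOf(':');
            if (colon < 0) continue;                      // malformed entry: grants nothing
            int open = entry.IndexOf('(', colon);
            int close = entry.LastIndexOf(')');
            if (open < 0 || close < open) continue;       // malformed entry: grants nothing
            string name = entry.Substring(0, colon).Trim();
            var rights = new HashSet<char>(entry.Substring(open + 1, close - open - 1)
                .ToLowerInvariant().Where(c => c == 'r' || c == 'w'));
            result[name] = rights;
        }
        return result;
    }

    // "Maximal" permission as described in the post: allowed if any of the caller's
    // identities is listed with the requested right ('r' for read, 'w' for write).
    public static bool IsAllowed(string acl, IEnumerable<string> identityNames, char right)
    {
        var entries = ParseAcl(acl);
        return identityNames.Any(n => entries.TryGetValue(n, out var rights) && rights.Contains(right));
    }

    // Assumed AF SDK members: PIServer.CurrentUserIdentities, PIServerIdentity.Name,
    // PIPoint.GetAttribute, PICommonPointAttributes.DataSecurity / PointSecurity.
    public static void RequireRight(PIPoint point, bool dataAccess, char right)
    {
        string attribute = dataAccess ? PICommonPointAttributes.DataSecurity
                                      : PICommonPointAttributes.PointSecurity;
        string acl = point.GetAttribute(attribute) as string;
        var names = point.Server.CurrentUserIdentities.Select(i => i.Name).ToList();
        if (!IsAllowed(acl, names, right))
            throw new UnauthorizedAccessException(
                $"Identities [{string.Join(", ", names)}] lack '{right}' on {attribute} of {point.Name}");
    }
}
// Usage before a write:  PointAccessGuard.RequireRight(point, dataAccess: true, right: 'w');
```

Because the node trust is what the Data Archive actually enforces, this check only restricts the application itself; it does not change what the server would permit if the check were bypassed, so keep it on every code path that reads or writes.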