When applying Active Directory security to AF, should/can I disable the World identity?
Yes! For a new install, we recommend disabling the World Identity. For a more seasoned AF Server, we must consider its impact.
You can remove the Mapping for Everyone from the World Identity.
Removing a Mapping and disabling an Identity are not quite the same thing. The World Identity cannot be disabled or deleted, to my understanding.
Can you remind us of why it is recommended to not use the World identity? It says in the documentation that "This identity has read access permissions to every collection and object on the PI AF server.". Does this mean that World has read permission on everything even if explicit read access is not given to it?
World by default is mapped to "Everyone" and has Read/Read data access to all AF objects.
Be sure not to reverse the principle: set "Deny" for the world Identity: Re: PI AF conflict
Indeed! That is an extreme example, but even in general Deny should be used sparingly. Since absence of an Allow prevents access, a whitelisting approach should be used whenever possible instead of blacklisting. Deny should only be used against a specific user (or subset group) to override permissions explicitly granted with an Allow rule to a group that user is a member of.
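A simplified model of the rules described in the replies above (World mapped to Everyone, no Allow means no access, Deny overrides Allow), added here as an illustration. It is not PI AF code and not from any poster; the account names and the sample Administrators/Engineers entries are constructed.

```python
# Simplified model of the rules stated in this thread; not PI AF code.
# Account names and the non-World identities below are constructed samples.

def effective_read(user_groups, mappings, acl):
    """Return True if a user with these group memberships can read.

    user_groups: set of Windows accounts/groups the user belongs to
    mappings:    dict identity -> set of accounts/groups mapped to it
    acl:         dict identity -> "allow" | "deny" (absent = no entry)
    """
    # A user holds every identity mapped to one of their accounts/groups.
    held = {i for i, accounts in mappings.items() if accounts & user_groups}
    # An explicit Deny on any held identity overrides every Allow.
    if any(acl.get(i) == "deny" for i in held):
        return False
    # Otherwise at least one Allow is required; no entry means no access.
    return any(acl.get(i) == "allow" for i in held)

USERS = {
    "admin": {"Everyone", "CORP\\AFAdmins"},
    "engineer": {"Everyone", "CORP\\Engineers"},
    "guest": {"Everyone"},
}
DEFAULT_MAPPINGS = {
    "World": {"Everyone"},
    "Administrators": {"CORP\\AFAdmins"},
    "Engineers": {"CORP\\Engineers"},
}
# Same mappings with the Everyone mapping removed from World.
HARDENED_MAPPINGS = dict(DEFAULT_MAPPINGS, World=set())
ALLOW_ALL = {"World": "allow", "Administrators": "allow", "Engineers": "allow"}

def scenario(mappings, acl):
    return {n: effective_read(g, mappings, acl) for n, g in USERS.items()}

# Default: World is allowed read, so every user can read.
DEFAULT = scenario(DEFAULT_MAPPINGS, ALLOW_ALL)
# Deny on World while still mapped to Everyone: the Deny reaches everyone.
DENY_WORLD = scenario(DEFAULT_MAPPINGS, dict(ALLOW_ALL, World="deny"))
# Mapping removed, no Deny: only users with another Allow can read.
HARDENED = scenario(HARDENED_MAPPINGS, ALLOW_ALL)

if __name__ == "__main__":
    for label, result in (("default", DEFAULT), ("deny World", DENY_WORLD),
                          ("mapping removed", HARDENED)):
        print(f"{label:16} {result}")
```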