12 Replies Latest reply on Oct 5, 2017 5:58 PM by yyang

    Set Annotate Security right

    MikeSpath

      We interface with the AF database in our application through the AF SDK exclusively. Our application logs in users from the Windows Active Directory; these users will be set up with rights to our application via our specific application code so the appropriate user levels are created. There is a section of our application that deals with acknowledging event frames. If a user is not part of the built-in Administrators group, they cannot acknowledge any event frame.

       

      This issue is solved by adding the user to the identity mapping of the Administrators group, so 1.) I'm looking through the AF SDK help file to see examples of how to do this and could use some guidance. But 2.) instead of adding each user to this identity, I'm wondering how to simply check off the Annotate box for the World, do that once when we install the application and be done with it, but I don't know how to set that via the SDK. There seems to be no Access Rights Value string for Annotate; see attached file and this link for explanation of the security codes.

      https://techsupport.osisoft.com/Documentation/PI-AF-SDK/html/bd9b1878-1b6d-45eb-bac2-92f6fd2f9f2c.htm

        • Re: Set Annotate Security right
          David Hearn

          The online documentation has not been updated yet for the latest release; it is being worked on. To answer your question, you would use 'an' in the security string to specify the annotate permission. For example, to set Everyone in the security string to have read, read data, and annotate permission, use the following string: "Everyone:A(r,rd,an)".

          1 of 1 people found this helpful
            • Re: Set Annotate Security right
              MikeSpath

              Hi Dave:

              Thanks for the reply, sorry for my delay. When I try to get and set the security rules from code below I get: "Cannot set security on identity mapping must set the security to these objects  on the system collection."

              // Display each Security Identity
              int securityIdentityCount = MyPISystem.SecurityIdentities.Count;
              MessageBox.Show(string.Format("Security Identity Count = {0}", securityIdentityCount));
              foreach (AFSecurityIdentity CurIdentity in MyPISystem.SecurityIdentities)
              {
                  MessageBox.Show(string.Format("  Name = {0}", CurIdentity.Name) + string.Format("  Description = {0}", CurIdentity.Description));
                  if (CurIdentity.Name.Contains("Everyone"))
                  {
                      AFSecurity curSec = CurIdentity.Security;
                      string accessRules = "Everyone:A(r,rd,an)";
                      curSec.SetSecurityString(accessRules, false);
                      MyPISystem.CheckIn();
                      MessageBox.Show(curSec.GetSecurityString());
                  }
              }

                • Re: Set Annotate Security right
                  David Hearn

                  You are attempting to set the security on an AFSecurityIdentity, which is not allowed. You want to set the security on the object that you want to change. For example, to add annotate permission to the World identity for all new event frames, you would use the AFSecurity.AddIdentity with the 'Merge' operation (e.g. myDatabase.GetSecurity(AFSecurityItem.EventFrame).AddIdentity(myPISystem, myPISystem.SecurityIdentities["World"], AFSecurityRights.Annotate)). If you want to completely change the security settings, then you would use SetSecurityString instead. Similarly, to change the security on an existing object, you would make similar calls on the 'Security' item of the object (e.g. myEventFrame.Security).

                  1 of 1 people found this helpful
                    • Re: Set Annotate Security right
                      MikeSpath

                      Yes, I want to change the setting for World, and do that once on AF database initialization. Not quite sure how to structure the code but will play around with it.

                      Thanks

                      • Re: Set Annotate Security right
                        MikeSpath

                        Hi Dave:

                        This doesn't compile:

                        myDatabase.GetSecurity(AFSecurityItem.EventFrame).AddIdentity(myPISystem, myPISystem.SecurityIdentities["World"], AFSecurityRights.Annotate));

                        since AddIdentity is static it needs to be accessed with a type name

                        Not sure how to access through class, I tried using class name..

                        Mike

                          • Re: Set Annotate Security right
                            David Hearn

                            Sorry, was doing this from memory since I did not have ability to test it first. I ended up combining AddIdentity with SetSecurityString calls in my first response.

                             

                            The security for new objects is controlled by the security settings on the security items for the type of object on the PISystem and AFDatabase. So you need to do something like the following for each type of object that you want to set annotate permission for new objects:

                                 var secItem = myDatabase.GetSecurity(AFSecurityItem.EventFrame);
                                 var secString = secItem.GetSecurityString(); // If you want to update based on existing security setting.
                                 // Update secString by adding or replacing with "World:A(r,rd,an)", if not concerned about existing setting just set to desired security string
                                 secItem.SetSecurityString(secString, false);

                                

                            Then to change for elements, do the same thing but specify AFSecurityItem.Element instead. But make sure you specify the full security string that you want set for all identities, do not just add the permission for World.

                            2 of 2 people found this helpful
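
An added example, not part of the original thread and not AF SDK code: one way to do the "update secString" step described above so that every other identity's entry survives the later SetSecurityString call. `AfSecurityStringHelper` and `MergeAllow` are hypothetical names; the `|` separator between entries, the optional `D(...)` deny list and the sample string are assumptions to confirm against real `GetSecurityString()` output.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class AfSecurityStringHelper   // hypothetical helper, not part of the AF SDK
{
    // Assumed entry layout: Name:A(allow,...) optionally followed by D(deny,...),
    // with entries joined by '|'. Confirm against GetSecurityString() output.
    static readonly Regex Entry = new Regex(
        @"^(?<name>[^:]+):A\((?<allow>[^)]*)\)(?<rest>.*)$");

    // Adds 'rights' to the allow list of 'identity'; all other entries pass through unchanged.
    public static string MergeAllow(string secString, string identity, params string[] rights)
    {
        var entries = (secString ?? "")
            .Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(e => e.Trim()).ToList();
        bool found = false;
        for (int i = 0; i < entries.Count; i++)
        {
            Match m = Entry.Match(entries[i]);
            if (!m.Success)   // refuse to rewrite a string we do not fully understand
                throw new FormatException("Unrecognised entry: " + entries[i]);
            string name = m.Groups["name"].Value;
            if (!name.Equals(identity, StringComparison.OrdinalIgnoreCase))
                continue;
            var allow = m.Groups["allow"].Value
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                .Select(r => r.Trim()).ToList();
            foreach (string r in rights)
                if (!allow.Contains(r)) allow.Add(r);
            // Keep any trailing deny list exactly as it was.
            entries[i] = name + ":A(" + string.Join(",", allow) + ")" + m.Groups["rest"].Value;
            found = true;
        }
        if (!found)   // identity had no entry yet: append one with only the requested rights
            entries.Add(identity + ":A(" + string.Join(",", rights) + ")");
        return string.Join("|", entries);
    }

    static void Main()
    {
        // Constructed sample standing in for secItem.GetSecurityString().
        string before = "Administrators:A(r,rd,an)|Engineers:A(r,rd)|World:A(r,rd)";
        string after = MergeAllow(before, "World", "an");
        Console.WriteLine(after);   // pass this to secItem.SetSecurityString(after, false)
    }
}
```
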
                    • Re: Set Annotate Security right
                      MikeSpath

                      Hi Dave:

                      Thank you so much for your help. It looks like I have a way to do my original approach, which is a bit shotgun-like, but it does what we want on a one-time AF database initialize. See the code below, thanks to Jake Messner at OSI for the help as well!

                      // Implicit connections to PI
                      PISystem serverAF = new PISystems()["PISERVERNAME"];
                      AFDatabase databaseAF = serverAF.Databases["AFDATABASENAME"];

                      // Security item and identity
                      IList<AFSecurity> eventFrameSecurity = new List<AFSecurity>() { databaseAF.GetSecurity(AFSecurityItem.EventFrame) };
                      AFSecurityIdentity worldIdentity = serverAF.SecurityIdentities["World"];

                      string accessRules = "World:A(r,rd,an)";
                      databaseAF.GetSecurity(AFSecurityItem.EventFrame).SetSecurityString(accessRules, false);

                      // Modify security
                      AFSecurity.AddIdentity(
                          serverAF,
                          worldIdentity,
                          eventFrameSecurity,
                          AFSecurityRights.Annotate,
                          AFSecurityRights.None,
                          AFSecurityOperation.Merge,
                          true
                      );

                        • Re: Set Annotate Security right
                          jmessner

                          Hi Mike,

                           

                          I would actually recommend not using these two lines:

                          string accessRules = "World:A(r,rd,an)";
                          databaseAF.GetSecurity(AFSecurityItem.EventFrame).SetSecurityString(accessRules, false);

                           

                          I believe this would completely rewrite all of the access permissions for your Event Frame items on your database (World would be the only identity with permissions specified on the database).

                           

                          If you wish to instead only overwrite the permissions for World this should accomplish that:

                           

                          // Modify security
                          AFSecurity.AddIdentity(
                              serverAF,
                              worldIdentity,
                              eventFrameSecurity,
                              AFSecurityRights.Annotate | AFSecurityRights.Read | AFSecurityRights.ReadData,
                              AFSecurityRights.None,
                              AFSecurityOperation.Merge,
                              true
                          );

                          1 of 1 people found this helpful
                            • Re: Set Annotate Security right
                              MikeSpath

                              Yeah, I found that out,

                              This is what I have now that seems to work; the key was using the Default. The last remaining question is why I cannot modify Contact, database, Notification Contact Template.

                              PISystem serverAF = new PISystems()["WIN-486FP1418JB"];
                              AFDatabase databaseAF = serverAF.Databases["test"];

                              // Security item and identity
                              IList<AFSecurity> afSecurity = new List<AFSecurity>() {
                                  databaseAF.GetSecurity(AFSecurityItem.EventFrame),
                                  databaseAF.GetSecurity(AFSecurityItem.Analysis),
                                  databaseAF.GetSecurity(AFSecurityItem.AnalysisTemplate),
                                  databaseAF.GetSecurity(AFSecurityItem.Element),
                                  databaseAF.GetSecurity(AFSecurityItem.ElementTemplate),
                                  databaseAF.GetSecurity(AFSecurityItem.NotificationRule),
                                  databaseAF.GetSecurity(AFSecurityItem.Notification),
                                  databaseAF.GetSecurity(AFSecurityItem.NotificationRuleTemplate),
                                  //databaseAF.GetSecurity(AFSecurityItem.SecurityIdentity),
                                  //databaseAF.GetSecurity(AFSecurityItem.SecurityMapping),
                                  databaseAF.GetSecurity(AFSecurityItem.ReferenceType),
                                  databaseAF.GetSecurity(AFSecurityItem.TableConnection),
                                  databaseAF.GetSecurity(AFSecurityItem.Default),
                                  databaseAF.GetSecurity(AFSecurityItem.Table)
                              };

                              AFSecurityIdentity worldIdentity = serverAF.SecurityIdentities["World"];

                              // Modify security
                              AFSecurity.AddIdentity(
                                  serverAF,
                                  worldIdentity,
                                  afSecurity,
                                  AFSecurityRights.All,
                                  AFSecurityRights.None,
                                  AFSecurityOperation.Merge,
                                  true
                              );

                                • Re: Set Annotate Security right
                                  vkaufmann

                                  I haven't tested this but off the top of my head the security permissions you mention I believe are server level security permissions not database level. Can you try the same technique using a server object and not a database object? Do you get any specific exception when testing?

                                   

                                  --Vince

                                  1 of 1 people found this helpful
                                  • Re: Set Annotate Security right
                                    yyang

                                    The answer can be found by looking at 2 items in our PI PSE. First note that Contact, database, Notification Contact Template are in your serverAF not databaseAF.

                                    (as indicated in the document)

                                     

                                     

                                    Item 1:

                                    databaseAF.GetSecurity(AFSecurityItem.Analysis ) is the same as: right click PI Big Tires CO/Security/Analyses

                                     

                                     

                                     

                                     

                                    Item 2:

                                    Contact, database, Notification Contact Template etc are in PISystem serverAF.  It is the same as click Edit Security-> Click Contacts.

                                     

                                     

                                     

                                    Add separate lines of code, then you should be good to go

                                    IList<AFSecurity> MyPISystemSecurity = new List<AFSecurity>() { serverAF.GetSecurity(AFSecurityItem.Contact) };

                                    // Modify security
                                    AFSecurity.AddIdentity(serverAF, worldIdentity, MyPISystemSecurity,
                                        AFSecurityRights.Annotate,
                                        AFSecurityRights.None,
                                        AFSecurityOperation.Merge,
                                        true
                                    );