1 Reply Latest reply on Feb 8, 2012 7:19 PM by mhamel

    Reading Effective Permissions on Tags for a set of Windows Users

    rohanar

      Is there any way to determine the effective permissions a user has for a given tag using the PI-SDK or AF-SDK? For example, I have a list of Windows Users and would like to know what access each user has for a particular PI tag. I don’t see any method in the PI-SDK documentation that reads PI permissions given a username other than the user you’re logged in as.

      Windows provides something like the screenshot below to determine effective permissions on files. Instead of doing this for a file, I’d like to do it for a PI Tag and multiple Windows Users. Is this possible given PI’s security model?

      2514.EffectivePermissions.png

        • Re: Reading Effective Permissions on Tags for a set of Windows Users
          mhamel

          Hi Rosanne,

           

          Nothing like the example you provided exists out of the box to enumerate/list the effective rights for a PI Group, PI User or PI Identity, Windows Group or Windows User. If you want such a tool, you will need to create one on your own.

           

          This thread shows how you can extract the ptsecurity and datasecurity attributes that indicate the rights for any PI Identity. Afterward, you will need to verify how your Windows accounts are connected to the PI identities, what we call PI Mappings. Unfortunately, the PI SDK does not expose the PI Mappings. You would need to maintain an "artificial" list inside your application to get it done right.

           

          However, a better and more efficient way to succeed in your task would be to use the PowerShell Tools for the PI System. This PowerShell module exposes via cmdlets the security and mappings required for this. As PowerShell integrates with the .NET Framework, you can perform queries against Active Directory to obtain the group membership for a specific user (if you have the proper rights to enumerate in AD). Simply by linking the dots, you can confirm whether the given user has the right to read, write and/or configure the PI Points. The same process can be done with an AF Element.
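
The linking step described in the reply above, as an added example that is not part of the original post or of the PowerShell Tools for the PI System: it unions the rights of every PI identity a Windows user reaches through a mapping. The ACL strings, the `CONTOSO` accounts, the mapping table and both function names are constructed for illustration, and it assumes the `identity: A(r,w) | ...` ACL string form and explicit mappings only.

```powershell
# Constructed sample data. In practice: the point's security attributes,
# the PI Mappings list, and an Active Directory group-membership query.
$pointAcl = @{
    ptsecurity   = 'piadmin: A(r,w) | piadmins: A(r,w) | PIEngineers: A(r)'
    datasecurity = 'piadmin: A(r,w) | piadmins: A(r,w) | PIOperators: A(r) | PIWorld: A()'
}
$mappings = @{   # Windows account or group -> PI identity
    'CONTOSO\PI-Operators' = 'PIOperators'
    'CONTOSO\jsmith'       = 'piadmins'
}
$membership = @{ # Windows user -> own account plus its AD groups
    'CONTOSO\adoe'   = @('CONTOSO\adoe', 'CONTOSO\PI-Operators')
    'CONTOSO\jsmith' = @('CONTOSO\jsmith', 'CONTOSO\Domain Users')
    'CONTOSO\guest1' = @('CONTOSO\guest1', 'CONTOSO\Domain Users')
}

# Hypothetical helper: parse "identity: A(r,w) | ..." into identity -> rights.
function ConvertFrom-PIAcl {
    param([string]$Acl)
    $table = @{}
    foreach ($entry in ($Acl -split '\|')) {
        if ($entry -match '^\s*(?<id>[^:]+?)\s*:\s*A\((?<rights>[^)]*)\)\s*$') {
            $id = $Matches['id']
            $table[$id] = @($Matches['rights'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        } else {
            throw "Unrecognized ACL entry: '$entry'"   # fail closed on odd input
        }
    }
    return $table
}

# Hypothetical helper: union the rights of all identities the user maps to.
function Get-EffectivePIAccess {
    param([string]$User, [string[]]$Accounts, [hashtable]$Mappings, [hashtable]$PointAcl)
    $identities = @($Accounts | Where-Object { $Mappings.ContainsKey($_) } |
        ForEach-Object { $Mappings[$_] } | Sort-Object -Unique)
    $row = [ordered]@{ User = $User; Identities = $identities -join ', ' }
    foreach ($attr in 'ptsecurity', 'datasecurity') {
        $acl = ConvertFrom-PIAcl $PointAcl[$attr]
        $rights = @($identities | Where-Object { $acl.ContainsKey($_) } |
            ForEach-Object { $acl[$_] } | Sort-Object -Unique)
        $row[$attr] = if ($rights) { $rights -join ',' } else { '(none)' }
    }
    [pscustomobject]$row
}

$membership.GetEnumerator() | Sort-Object Name | ForEach-Object {
    Get-EffectivePIAccess -User $_.Key -Accounts $_.Value -Mappings $mappings -PointAcl $pointAcl
} | Format-Table -AutoSize
```

A user with no mapped identity, or whose identities do not appear in an attribute's ACL, is reported as `(none)` rather than silently omitted, which makes unintended gaps and unintended grants equally visible in an access review.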