3 Replies Latest reply on Mar 22, 2018 1:37 PM by sraposo

    How are users authenticated in PI-AF when using the PI Explorer client?

    caffreys_col

      Hi Everyone,

       

      Can someone tell me how users are authenticated when they use PI System Explorer to access a PI-AF configuration? I have a feeling it's through PI Identities (and Active Directory) but I'm not sure. I need to add some new users to the PI system that can create PI AF analyses and elements, but I'm not sure what level of access to give them. Do I make them PI admins or can they be PI engineers? Would a PI engineer have enough permissions to create analyses and elements in AF? I can link the users to PI Identities but I'm not sure if that's just for the PI server or if it applies to PI-AF as well.

       

      Thanks

       

      Col

        • Re: How are users authenticated in PI-AF when using the PI Explorer client?
          sraposo

          Hi Colin,

           

          I'm going to assume that you are running a recent version of the AF Server as the security model changed in 2015.

           

          Using PI System Explorer, you can map AD Users or AD Groups to an AF Identity. Please note that the PI Data Archive and AF don't share the same identities. You can then give specific permissions (read, read/write, etc...) to the AF identity to specific AF Objects (AF Server, AF Database, Element, Event Frame, Analysis, etc...).

           

          You can access the identities and mappings from PI System Explorer, File > Server Properties.

           

          You can specify the types of permission by clicking on an AF object > Security. You can do it in bulk by right-clicking on the server name > Security if you want the changes to apply to all AF databases, or at the database level by right-clicking on the database > Security.

           

          You can find all of the information here:

           

          PI Server

           

          You'll notice that there is a link to a YouTube video in the LiveLibrary which you can follow along with.

           

          Please do not grant everyone administrator access. This is very bad security practice. You should limit access for each user or group to the access they actually need.

           

          Hope this helps,

          Seb

            • Re: How are users authenticated in PI-AF when using the PI Explorer client?
              caffreys_col

              Seb,

               

              Thanks for the response. I’m a bit confused though. I’ve got an identity which is mapped to my AD account, but I can’t see how that is linked to any of the databases or objects to give me the access rights I have. I can see the administrator and the world plus other identities and where their permissions are, but not for my identity. I am an administrator for the AF server itself (to do software installs if necessary), so would that replicate into the Administrator identity in PI-AF? I can’t see any other way for me to have the admin permissions I have.

               

              Regards

               

              Col

                • Re: How are users authenticated in PI-AF when using the PI Explorer client?
                  sraposo

                  Hi Colin,

                   

                  Yes, by default the local administrators group is mapped to the administrators identity of the AF Server:

                   

                   

                  When a user connects to the AF Server he may be granted multiple AF identities (this is the same idea as in the PI Data Archive). Under File > Connections you can see what identity the connection is granted:

                   

                  For example, in my case my AF user is connected as 4 AF identities:

                   

                   

                  In your case, I would suspect that you are connecting as multiple identities, one of which is administrators. The other identity, which you explicitly mapped your account to, may not have the proper rights on the AF objects. You can see this when you right-click > Security on an AF Object. For example, in my system at the database level:

                   

                   

                  (Sorry I know the first picture is rather small, if you zoom in the resolution should still be good)

                   

                  You'll notice that my ExampleIdentity doesn't have any rights on any AF Object for this database.


                  Thanks,

                   

                   

                  Seb
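
The multiple-identity behaviour described in the replies above can be audited offline once mappings and object security have been written down. The following is an added example, not part of the original thread and not OSIsoft code: it is a simplified Python model that does not call the AF SDK, and every name in it (the `CORP` accounts, `Database:Plant`, the right labels, the default-style mappings) is constructed sample data.

```python
# Simplified model (assumption): a connection's rights are the union of the
# "allow" entries of every AF identity it is granted; deny entries are not modeled.
# All names and data below are constructed, not exported from a real AF Server.
MAPPINGS = {                       # Windows principal -> AF identity
    r"BUILTIN\Administrators": "Administrators",
    "Everyone": "World",
    r"CORP\colin": "ExampleIdentity",
}
ACLS = {                           # AF object -> {AF identity: allowed rights}
    "Database:Plant": {
        "Administrators": {"Read", "Write", "Admin"},
        "World": {"Read"},
    },
}
USERS = {                          # account -> principals in its Windows token
    r"CORP\colin": {r"CORP\colin", r"BUILTIN\Administrators", "Everyone"},
    r"CORP\analyst": {r"CORP\analyst", "Everyone"},
}

def granted_identities(principals, mappings=MAPPINGS):
    """AF identities a connection receives from all matching mappings."""
    return {ident for princ, ident in mappings.items() if princ in principals}

def effective_rights(principals, obj, mappings=MAPPINGS, acls=ACLS):
    """Return {right: [identities granting it]} for one AF object."""
    granted = {}
    for ident in granted_identities(principals, mappings):
        for right in acls.get(obj, {}).get(ident, ()):
            granted.setdefault(right, []).append(ident)
    return {right: sorted(ids) for right, ids in granted.items()}

def audit(users=USERS, mappings=MAPPINGS, acls=ACLS):
    """Flag admin rights and identities that have no entry on an object."""
    findings = []
    for user in sorted(users):
        idents = granted_identities(users[user], mappings)
        for obj in sorted(acls):
            rights = effective_rights(users[user], obj, mappings, acls)
            for ident in rights.get("Admin", []):
                findings.append((user, obj, "admin-via", ident))
            for ident in sorted(idents - set(acls[obj])):
                findings.append((user, obj, "no-entry", ident))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(*finding, sep=" | ")
```

An `admin-via` finding names the identity that actually carries the admin right, and a `no-entry` finding marks a mapped identity that grants nothing on that object, which is the situation described for ExampleIdentity.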