I'm going to assume that you are running a recent version of the AF Server as the security model changed in 2015.
Using PI System Explorer, you can map AD Users or AD Groups to an AF Identity. Please note that the PI Data Archive and AF don't share the same identities. You can then give specific permissions (read, read/write, etc...) to the AF identity to specific AF Objects (AF Server, AF Database, Element, Event Frame, Analysis, etc...).
You can access the identities and mappings from PI System Explorer, File > Server Properties.
You can specify the types of permission by clicking on an AF object > Security. You can do it in bulk by right clicking on the server name > security if you want the changes to apply for all AF database or at the database level by right clicking on the database >security.
You can find all of the information here:
You'll notice that there is a link to a Youtube video in the LiveLibrary which you can follow along with.
Please do not grant everyone administrators access. This is very bad security practice. You should limit access for each user or group to the access they actually need.
Hope this helps,
Thanks for the response. I’m a bit confused though. I’ve got an identity which is mapped to my AD account, but I can’t see how that is linked to any of the database or objects to give me the access rights I have. I can see the administrator and the world plus other identities and where their permissions are, but not for my identity. I am an administrator for the AF server itself (to do software installs if necessary), so would that replicate into the Administrator identity in PI-AF?? I can’t see any other way for me to have the admin permissions I have.
image001.jpg 332 bytes
Yes by default the local administrators group is mapped to the administrators identity of the AF Server:
When a user connects to the AF Server he may be granted multiple AF identities (this is same idea as in the PI Data Archive). Under File > Connections you can see what identity the connection is granted:
For example, in my case my AF user is connected as 4 AF identities:
In your case, I would suspect that you are connecting as multiple identities one of which is administrators. For the other identity you explicitly mapped your account for, it may not have been the proper rights on the AF objects. You can see this when you right click > security on an AF Object. For example, in my system at the database level:
(Sorry I know the first picture is rather small, if you zoom in the resolution should still be good)
You'll notice that my ExampleIdentity doesn't have any rights on any AF Object for this database.