How do we control access to creating a tag from PI AF for a user? What permissions do we need to remove to prevent a particular user from directly creating a tag from PI AF?
I believe as long as the user does not have write access to the PIPOINT table, they should not be able to create new points through PI System Explorer. Their permissions on the PIPOINT table can be checked through PI System Management Tools > Security > Database Security.
To expand on Danielle's reply:
The PI Server Database Security tool controls read and write access to administrative functions, such as the ability to create and edit PI points. The PIPOINT table controls top-level access to Points. You can further restrict access permissions for individual points, but you cannot grant more access than is granted for PIPOINT.
Users that belong to more than one Windows group might be mapped to multiple PI identities, PI users, or PI groups. In this case, they get the cumulative access permissions for all the associated PI identities, users, and groups.
Table of access permissions to keep in mind when modifying security.
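The following is an added example, not part of the replies above and not OSIsoft code: a small audit helper that works out a user's cumulative rights on PIPOINT across all mapped identities and reports which identity grants write. It assumes the ACL text form `name: A(r,w) | name: A(r)` shown in Database Security; the identity names and ACL strings are constructed, and the function names are hypothetical.

```python
import re

# One ACL entry in the assumed display form, e.g. "piadmins: A(r,w)" or "x: A()".
_ENTRY = re.compile(r"^\s*(?P<name>[^:|]+?)\s*:\s*A\(\s*(?P<rights>[rw,\s]*)\)\s*$")


def parse_acl(acl):
    """Parse 'name: A(r,w) | name2: A(r)' into {lowercased name: set of rights}."""
    entries = {}
    for part in acl.split("|"):
        m = _ENTRY.match(part)
        if not m:
            raise ValueError(f"unrecognised ACL entry: {part!r}")
        rights = {r.strip() for r in m.group("rights").split(",") if r.strip()}
        # Assumption: identity names are compared case-insensitively.
        entries[m.group("name").lower()] = rights
    return entries


def cumulative_access(acl, identities):
    """Union of rights over every identity the user is mapped to."""
    entries = parse_acl(acl)
    rights = set()
    for ident in identities:
        rights |= entries.get(ident.lower(), set())
    return rights


def write_grantors(acl, identities):
    """Identities of this user that carry write access in the ACL."""
    entries = parse_acl(acl)
    return sorted(i for i in identities if "w" in entries.get(i.lower(), set()))


def effective_point_access(pipoint_acl, point_acl, identities):
    """Per-point rights, capped by PIPOINT as the reply above describes."""
    return (cumulative_access(point_acl, identities)
            & cumulative_access(pipoint_acl, identities))


# Constructed sample data: ACL strings and identity names are illustrative only.
PIPOINT_ACL = "piadmin: A(r,w) | piadmins: A(r,w) | AF_Builders: A(r,w) | PIWorld: A(r)"
POINT_ACL = "piadmins: A(r,w) | PIWorld: A(r,w)"
USER_IDENTITIES = ["PIWorld", "AF_Builders"]  # user sits in two mapped Windows groups

if __name__ == "__main__":
    print("PIPOINT access:", sorted(cumulative_access(PIPOINT_ACL, USER_IDENTITIES)))
    print("write granted via:", write_grantors(PIPOINT_ACL, USER_IDENTITIES))
```

Removing a user from one group is not enough if another mapped identity still carries write on PIPOINT, so run the check against the full list of identities the user resolves to.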