Problem: When PI System AF Explorer is run as different user account, the user account ( let's say AccountA) is able to see the elements which the account is not supposed to see.
Versions: I believe that this problem has come in in the version PI Version 2018 as we didn't had this problem with 2016 R2 version. We migrated directly to 2018 version from 2016R2. The AF Explorer used is 32 bit version, as only 32 bit version supports legacy notifications and we have legacy notification.
More about the problem: The structure of AF is like shown below. The AccountA has access to "Customers" element. Then there are 100+ elements under the "Customers" element. Out of those, "AccountA" has access to only one element (let say to element CustomerA ). All the child elements of "Customers" have the child elements to them.
When AF Explorer is started as user "AccountA". The AF Explorer gets opened the way it is in above snap. Then when I click on plus symbol against "Customers" element. It will take about 20 seconds and displays all the child elements under them. See below snap
This is completely unexpected behavior. But in above snap you may notice that there are no plus symbols against those elements. Then see the below snap, for the element to which access is there, the plus symbol is shown correctly.
Then some magic happens when I right click on "Customers" element and select the Security option. Within fraction of second after showing the security dialog, the AF tree structure gets updated correctly like shown in below. The below view is correct as that is the correct elements to which user have access.
Once I go through above steps, the same problem can't be reproduced with the same account AccountA. Then I need to pick some other account AccountB then problem can be reproduced once.
Same problem is reproducible with PI Web API also.
Has any of you come across the same? Any known work around?
What might be causing this issue?
What exactly happen when I right click on Customers and select security. If I know the steps then I can call the same methods using AF SDK and fix the problem for all the accounts.
OSIsoft support case 943123 is created and it's still under investigation, the case has much more details about the problem and the logs.