Non simplistic security model in PI DA

Discussion created by CameronLee Champion on Dec 16, 2019
Latest reply on Dec 16, 2019 by Bryan Owen



I have learned that one identity can have multiple Windows AD SIDs (user or group for example) mapped to it.

One Windows AD SID however may only be mapped to one PI Identity.


Does this mean that the only way to manage nested security, is to push any nesting / inheritance into Windows AD Groups.


Example is user A (or group A) is responsible for pumps, user B (or group B) is responsible for fans , and User C (or group C... you get the point) can do both.

We have a fans identity and pumps identity that have data security set for the tags associated with these assets.


user A --> PUMPS

user B --> FANS

user C --> PUMPS, FANS


eg: for Data Security, I wish to have:

  • piadmin: A(r,w) | piadmins: A(r,w) | PUMPS: A(r,w) | PIWorld: A(r)   (for pump tags)
  • piadmin: A(r,w) | piadmins: A(r,w) | FANS: A(r,w) | PIWorld: A(r)   (for fan tags)


I used FANS and PUMPS as an example, equally it could be site A and site B, or any other segregation of responsibility by asset or business group whereupon there could be crossover in the security model.


We really like the fine grained nature of managing tags, but are struggling with the security modelling (have seen the youtube vids and for years we have used a simplistic model of admins who can do everything and the general population who consume data)