AF SDK Reference

AFSecurity.CheckSecurity Method (PISystem, IList(AFSecurityIdentity), IList(AFSecurityRightsToken), String)

Save PDF

AFSecurity.CheckSecurity Method (PISystem, IList(AFSecurityIdentity), IList(AFSecurityRightsToken), String)

Save PDF

Last UpdatedJan 12, 2026
5 minute read

Evaluate the AFSecurityRights for the security identities of a user for a list of objects without needing to load the object.

Namespace: OSIsoft.AF
Assembly: OSIsoft.AFSDK (in OSIsoft.AFSDK.dll) Version: 3.2.0.7

Syntax

public static IDictionary<Guid, AFSecurityRights> CheckSecurity(
	PISystem system,
	IList<AFSecurityIdentity> userIdentities,
	IList<AFSecurityRightsToken> tokens,
	string userName = null
)

Public Shared Function CheckSecurity ( 
	system As PISystem,
	userIdentities As IList(Of AFSecurityIdentity),
	tokens As IList(Of AFSecurityRightsToken),
	Optional userName As String = Nothing
) As IDictionary(Of Guid, AFSecurityRights)

Dim system As PISystem
Dim userIdentities As IList(Of AFSecurityIdentity)
Dim tokens As IList(Of AFSecurityRightsToken)
Dim userName As String
Dim returnValue As IDictionary(Of Guid, AFSecurityRights)

returnValue = AFSecurity.CheckSecurity(system, 
	userIdentities, tokens, userName)

public:
static IDictionary<Guid, AFSecurityRights>^ CheckSecurity(
	PISystem^ system, 
	IList<AFSecurityIdentity^>^ userIdentities, 
	IList<AFSecurityRightsToken>^ tokens, 
	String^ userName = nullptr
)

static member CheckSecurity : 
        system : PISystem * 
        userIdentities : IList<AFSecurityIdentity> * 
        tokens : IList<AFSecurityRightsToken> * 
        ?userName : string 
(* Defaults:
        let _userName = defaultArg userName null
*)
-> IDictionary<Guid, AFSecurityRights>

Parameters

system: Type: OSIsoft.AFPISystem
The PISystem being used to check each object's security. It must be the sever where the object being checked is saved.
userIdentities: Type: System.Collections.GenericIListAFSecurityIdentity
The list of AFSecurityIdentity identities of the user for the security rights to be checked.
tokens: Type: System.Collections.GenericIListAFSecurityRightsToken
The list of security rights tokens that should be checked for the specified security identities.
userName (Optional): Type: SystemString
The user name for the owner associated with the specified userIdentities to be used when evaluating the owner security identity rights. If , then the owner security identity rights will not be evaluated.

Return Value

Type: IDictionaryGuid, AFSecurityRights
Returns a dictionary of AFSecurityRights with the ObjectId as the key for the specified user for each object represented by the list of security rights tokens. Returns if the tokens parameter is .

Exceptions

Exception	Condition
NotSupportedException	This exception is thrown if the server does not support the SecurityIdentity feature.

Remarks

This method will evaluate and return the security rights for the object based upon the specified list of security identities. This list can be obtained by calling the GetUserIdentities(PISystem, WindowsIdentity) method and then later check the security permissions at a later time based upon the user's identities. The security rights are evaluated in the client and therefore has better performance if the security identities are already known for the user.

Examples

This example shows how to call CheckSecurity for a single user on a single object or with a bulk call on several objects.

// Get the Database
PISystems myPISystems = new PISystems();
PISystem myPISystem = myPISystems.DefaultPISystem;
AFDatabase myDB = myPISystem.Databases.DefaultDatabase;

// Create the Elements
List<AFElement> elements = new List<AFElement>();
AFElement myElement1 = myDB.Elements.Add("MyElement#1");
myElement1.CheckIn();
elements.Add(myElement1);
AFElement myElement2 = myDB.Elements.Add("MyElement#2");
myElement2.CheckIn();
elements.Add(myElement2);

// Obtain the WindowsIdentity of an impersonated user. This
//   can be done with the following code if the current thread
//   has impersonated a user.
//  WindowsIdentity user = WindowsIdentity.GetCurrent();
// Obtain the WindowsIdentity of a different domain user. This
//   can be done with the following code.
//  WindowsIdentity user = new WindowsIdentity("username@domain");
string userName = @"domain\username";
IList<AFSecurityIdentity> userIdentities;
using (WindowsIdentity user = windowsIdentityOfADifferentUser)
{
    // Get Security Identities of a Different User
    userName = user.Name;
    userIdentities = AFSecurity.GetUserIdentities(myPISystem, user);
}

// Check Security Rights of a Different User
AFSecurity security1 = myElement1.Security;
AFSecurityRights rights = security1.CheckSecurity(userIdentities, userName);
Console.WriteLine("SecurityRights for '{0}': '{1}'", myElement1.Name, rights);
Console.WriteLine("    CanRead={0}", rights.CanRead());
Console.WriteLine("    CanWrite={0}", rights.CanWrite());
Console.WriteLine();

// Check Security Rights of a Different User in Bulk
List<AFSecurityRightsToken> tokens = new List<AFSecurityRightsToken>();
tokens.Add(security1.Token);
tokens.Add(myElement2.Security.Token);
IDictionary<Guid, AFSecurityRights> rightsDict =
    AFSecurity.CheckSecurity(myPISystem, userIdentities, tokens, userName);
int notFoundCount = 0;
foreach (AFElement element in elements)
{
    if (rightsDict.TryGetValue(element.ID, out rights))
    {
        Console.WriteLine("SecurityRights for '{0}': '{1}'", element.Name, rights);
        Console.WriteLine("    CanRead={0}", rights.CanRead());
        Console.WriteLine("    CanWrite={0}", rights.CanWrite());
        Console.WriteLine();
    }
    else
    {
        notFoundCount++;
    }
}

This example shows how to search for the object's Security Token and make a bulk call to check security on several objects for the current user.

// Get the Database
PISystems myPISystems = new PISystems();
PISystem myPISystem = myPISystems.DefaultPISystem;
if (myPISystem == null)
    throw new InvalidOperationException("Default PISystem was not found.");
AFDatabase myDB = myPISystem.Databases[dbName];
if (myDB == null)
    throw new InvalidOperationException("Database was not found.");

// Create a search to find all the event frames created from the 'Event'
// template and its 'Level' attribute value is less than 90.
int count;
using (var search = new AFEventFrameSearch(myDB, "FindEventFields", @"Template:'Event' |Level:<90.0"))
{
    search.CacheTimeout = TimeSpan.FromMinutes(10);

    // Do the search
    // 
    // Return event frame security tokens as list and check security for current user.
    count = 0;
    var foundItems4 = search.FindObjectFields("SecurityToken", i => (AFSecurityRightsToken)i[0]);
    Console.WriteLine("Find Object SecurityTokens and Check Security:");
    foreach (var tokenList in foundItems4.ChunkedBy(500))
    {
        // Check Security using Windows Identity.
        var rights = AFSecurity.CheckSecurity(myPISystem, WindowsIdentity.GetCurrent(), tokenList);
        foreach (var rightsItem in rights)
        {
            Console.WriteLine($"  Security Rights for '{myPISystem.CurrentUserName}': {rightsItem.Key} = {rightsItem.Value}");
        }

        // Check Security using Identities.
        rights = AFSecurity.CheckSecurity(myPISystem, myPISystem.CurrentUserIdentities, tokenList, myPISystem.CurrentUserName);
        foreach (var rightsItem in rights)
        {
            Console.WriteLine($"  Security Rights for '{myPISystem.CurrentUserIdentityString}': {rightsItem.Key} = {rightsItem.Value}");
        }
        count += tokenList.Count;
    }
    Console.WriteLine("Found {0} EventFrames.", count);
}

Version Information

AFSDK

Supported in: 3.1.1, 3.1.0, 3.0.2, 3.0.1, 3.0.0, 2.10.11, 2.10.5, 2.10.0, 2.10, 2.9.5, 2.9

AF SDK Reference