In essence, the hierarchy of operational and IT support roles related to PI Server is common to all organizations:

Here, “Area” denotes any organizational group, e.g. plants, branches, divisions, units, etc.
Based on this hierarchy, the following data types (PI points) can be used:
- Area1 PI Points – data type related only to Area1
- Area2 PI Points – data type related only to Area2
- Area… PI Points – data type related only to Area…
- IT/PI System Health PI Points – data type for PI System status monitoring/troubleshooting
- Default PI Points – data type common to the whole organization
The following responsibilities were defined (for simplicity, it is assumed that the organization has Area1 and Area2):

The following matrices were created based on the Security Plan template from the Configuring PI Data Archive Security Online Course.
Derived PI Point Data and Point Security Access Matrix (where R – read-only, R/W – read-write, C – configure):
PI Identities | Area1 PI Points | Area2 PI Points | … | PI System Health PI Points | Default PI Points |
Higher Management | R | R | R | R | R |
Area1 Management | R | R | R | ||
Area2 Management | R | R | R | ||
Area… Management | R | R | R | ||
Area1 Senior Operators | R/W | R | R | ||
Area2 Senior Operators | R/W | R | R | ||
Area… Senior Operators | R/W | R | R | ||
Area1 Operators | R | R | R | ||
Area2 Operators | R | R | R | ||
Area… Operators | R | R | R | ||
IT PI Support Team Leads | R | R | R | R | R/W |
IT PI Backup Engineers | R | R | R | R | R |
IT PI Administrators | R | R | R | R/W | R |
Derived Database Security Tables Access Matrix (where R – read-only, R/W – read-write, C – configure):
PI Identities | All PI Databases | PI Point | PIDS | PI Modules (will need to grant R/W on specific MDB Modules) |
Higher Management | R | R | ||
Area1 Management | R | |||
Area2 Management | R | |||
Area… Management | R | |||
Area1 Senior Operators | R | R/W | R/W | R/W |
Area2 Senior Operators | R | R/W | R/W | R/W |
Area… Senior Operators | R | R/W | R/W | R/W |
Area1 Operators | R | R | ||
Area2 Operators | R | R | ||
Area… Operators | R | R | ||
IT PI Support Team Leads | R/W | |||
IT PI Backup Engineers | R/W | |||
IT PI Administrators | R/W |
The proposed high-level structure of PI Identities and Active Directory hierarchy, together with the data types and derived access matrices, can be used as the basis for the initial PI Data Archive security configuration.
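Once the matrix is applied, the same plan can serve as a baseline for detecting ACL drift. The following is an added example, not part of the original article or of any vendor tooling: it compares a point's ACL string with the planned rights for the PI System Health PI Points column. It assumes ACL strings in the `identity: A(r,w) | identity: A(r)` form; the expected entries use only the fully populated rows of the point matrix, and the sample string (including its `PIWorld` entry) is constructed.

```python
import re

# Planned rights on "PI System Health PI Points", from the fully populated
# rows of the point access matrix (R -> {"r"}, R/W -> {"r", "w"}).
EXPECTED_HEALTH = {
    "Higher Management": {"r"},
    "IT PI Support Team Leads": {"r"},
    "IT PI Backup Engineers": {"r"},
    "IT PI Administrators": {"r", "w"},
}

# One ACL entry, e.g. "IT PI Administrators: A(r,w)" (format is an assumption).
ENTRY = re.compile(r"^\s*(?P<name>[^:|]+?)\s*:\s*A\((?P<rights>[rw,\s]*)\)\s*$")

def parse_acl(acl):
    """Parse 'name: A(r,w) | name: A(r)' into {name: set_of_rights}."""
    result = {}
    for part in acl.split("|"):
        m = ENTRY.match(part)
        if not m:
            raise ValueError(f"malformed ACL entry: {part!r}")
        result[m["name"]] = {r.strip() for r in m["rights"].split(",") if r.strip()}
    return result

def audit(acl, expected):
    """Return sorted findings where the live ACL deviates from the plan."""
    actual = parse_acl(acl)
    findings = []
    for name, rights in actual.items():
        if name not in expected:
            findings.append(f"UNPLANNED {name}: A({','.join(sorted(rights))})")
        elif rights - expected[name]:
            extra = ",".join(sorted(rights - expected[name]))
            findings.append(f"EXCESS {name}: {extra}")
    for name, rights in expected.items():
        missing = rights - actual.get(name, set())
        if missing:
            findings.append(f"MISSING {name}: {','.join(sorted(missing))}")
    return sorted(findings)

# Constructed sample: an ACL string as it might be read from a health point.
SAMPLE = ("Higher Management: A(r) | IT PI Support Team Leads: A(r,w) | "
          "IT PI Administrators: A(r) | PIWorld: A(r)")

if __name__ == "__main__":
    for line in audit(SAMPLE, EXPECTED_HEALTH):
        print(line)
```

An empty result means the point's ACL matches the plan; `EXCESS` and `UNPLANNED` findings are the ones to review first, since they grant more than the matrix allows.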