By my understanding, only the PI User piadmin and the PI Group piadmins can ever have write access to the Database Security table PIDBSEC, and any write permissions to it assigned to any other PI User, PI Group, or PI Identity is ignored. However, PI Users and PI Groups are deprecated, and the use of piadmin is discouraged.
Please allow any PI User, PI Group, or PI Identity to be assigned write permission to PIDBSEC, just like the other Database Security tables, so then we can finally stop using PI Users and PI Groups and use only PI Identities.
The completion of this suggestion might involve creating a PI Identity that is equivalent to piadmin in the sense of having unrestricted access to the PI Data Archive regardless of any permission settings. If this suggestion cannot be implemented, then at least prevent any PI User, PI Group, or PI Identity from being given write permission to PIDBSEC in PI System Management Tools or other configuration tools, and make sure that piadmin's and piadmins's permissions cannot be edited in or deleted from PIDBSEC's security (i.e. they should remain as piadmin: A(r,w) | piadmins: A(r,w))
