Professional Documents
Culture Documents
PI Data Archive 2018 SP3 Security Configuration Guide EN
PI Data Archive 2018 SP3 Security Configuration Guide EN
PI Data Archive 2018 SP3 Security Configuration Guide EN
Security configuration................................................................................................ 1
Tightening security.................................................................................................. 67
Upgrade PI API.............................................................................................................................................. 67
Retire PI trusts............................................................................................................................................... 67
Protect piadmin in PI SMT............................................................................................................................. 68
Disable explicit logins for piadmin............................................................................................................. 68
Disable PI password authentication (explicit logins)...................................................................................... 69
Disable all explicit logins............................................................................................................................69
Disable explicit logins with blank passwords.............................................................................................. 70
Disable explicit logins for individual user accounts..................................................................................... 70
Retire SDK trusts........................................................................................................................................... 71
Windows authentication versus SDK trusts................................................................................................ 71
Configure SDK authentication protocols in SMT........................................................................................ 71
Disable SDK trusts..................................................................................................................................... 72
Configure PI Firewall...................................................................................................................................... 73
Disable PIWorld............................................................................................................................................. 73
How will PI API 2016 for Windows Integrated Security affect clients and interfaces?......79
Authentication
Before the PI Server 3.4.380 release, two methods of authentication were available: PI trusts
and PI password authentication (also called explicit logins). Starting with PI Server 3.4.380, a
third, and the most secure method of authentication becomes available: Windows
authentication.
The three models for authentication on a PI Data Archive are:
• Windows authentication
Windows authentication allows users to log onto their Windows accounts and automatically
become authenticated on the PI Data Archive server. Rather than requiring individual user
accounts on the PI Data Archive server, in the new model you define user categories, called
PI identities, on the PI Data Archive server. You then create mappings from groups of
Windows users to the relevant user categories. PI identities and PI mappings are new objects
in PI Server 3.4.380.
This authentication model provides single sign-on for PI users, requires less maintenance
for PI administrators, and significantly increases security over the previous model. Both PI
trusts and explicit logins remain as authentication mechanisms on the PI Data Archive
server. However, the use of PI trusts and explicit logins progressively disabled except for
backward compatibility with clients lacking support for Windows authentication. For
example, a deployment scenario where an Interface node is located on a control system
network which doesn't support Windows authentication.
Starting with the with the release of PI API 2016 for Windows Integrated Security, support
for Windows authentication is extended to all PI API-based client applications, such as PI
interfaces. Before this release, Windows authentication was not available for PI interfaces,
even though PI Data Archive supported it as an authentication model for its users. With PI
API 2016 for Windows Integrated Security and PI Server 3.4.380 or later, Windows
authentication extends across the PI system to the PI interface node or any other PI API-
based application connecting to PI Server 3.4.380 or later, in the following deployment
scenarios:
• PI trusts
Prior to the availability for Windows authentication on PI API enabled by the release of PI
API 2016 for Windows Integrated Security, PI trusts were typically used to authenticate PI
API-based client applications that ran unattended, such as PI interfaces. Trust
authentication works by comparing the connection credentials of the connecting
application to the trust records in the trust database. Human intervention is not required at
the time of connection.
PI trust authentication is a weak form of authentication due to potential for fake credentials.
Windows authentication offers more defenses and is the recommended approach for
assuring PI Data Archive connections are legitimate.
PI trusts are still available as a method for authenticating PI interfaces, or any other PI API-
based client application. However, the use of PI trusts for interfaces should be reserved to
cases where Windows authentication cannot be used.
Caution:
PI API 2016 for Windows Integrated Security does not support PI trusts or explicit
logins. Before upgrade, PI Mappings to a Windows logon or service account must be
configured on the PI Data Archive to avoid any potential data loss.
• Explicit logins
Users connecting to PI Data Archive through client applications were typically authenticated
through explicit logins, which means that the user logs on to PI Data Archive by typing in a
PI user name and password. Explicit logins have a number of drawbacks: They require users
to log in separately to Windows and to PI Data Archive; they require system managers to
maintain separate user accounts for every user on PI Data Archive; and they are not
especially secure.
Although the password mechanism performs as designed, public vulnerability disclosure
CVE-2009-0209 is a weakness due to the use of a proprietary cypher developed in the
1990s that has been deprecated in favor of industry standard cryptography and password
management policy enforcement by the Windows operating system. In short, explicit login
as an authentication method is not secure from malicious actors.
Authorization
The new security model includes a much more flexible model for access permissions. In
previous versions of the PI Data Archive server you could set permissions only for one owner,
one user group, and for world access (everyone else). With the new security model, each PI
Data Archive object can have read and/or write permissions defined for any number of PI
identities.
Members of the Windows groups that are mapped to a PI identity are automatically granted
the access permissions for that PI identity. For example, in the following illustration, the PI
identity called PIEngineers has read/write access to the data for the TestTag point. Because the
Active Directory (AD) group EngineeringTeam is mapped to PIEngineers, all the members in
that AD group get read/write permission for the point data.
Each PI Data Archive resource (such as the TestTag in the illustration above) can have defined
access permissions for any number of PI identities. Although the Windows user gets access
permissions through one or more PI identities, the PI Data Archive server keeps track of the
specific Windows user ID both in the audit trail and in the last change information.
Note:
Although the PI Data Archive server can use Windows security for authentication, you
still need to define access permissions explicitly on the PI Data Archive server. See
Configure access permissions.
Note:
The PI Identities tab appears only if you are connected to at least one PI Server 3.4.380 or
later. If not, then only the PI Users and PI Groups tabs appear.
To see what identities you are currently connected as, look at the connection information at the
bottom left of PI SMT. It displays your Windows user ID, followed by the list of your identities
(and/or PI users and groups).
If you click the identities, a dialog box tells you how you are connected (for example, through a
mapping, a trust or as a default user).
Note:
Your Windows account is always displayed, even if you are not connected to the PI Data
Archive server through a mapping.
To manage PI mappings in PI SMT, use the Mappings & Trusts tool. Click the Mappings tab to
see all the PI mappings defined for all connected PI Data Archive.
Note:
The Mappings tab appears only if you are connected to at least one PI Server 3.4.380 or
later. If not, then only the Trusts tab appears.
Note:
There is also a hidden user and a hidden group: PIUserIncompatible and
PIGroupIncompatible. PI Data Archive uses them to display an owner and group in older
administrative tools that do not support Windows authentication. They do not appear in
the list of identities by default. To show them, use the Options button.
might need to reconfigure the piadmins access permissions in order to use this PI group for
administrative tasks. To do this, add read/write access for piadmins to:
The PIWorld identity replaces the world access of earlier versions of the PI Data Archive server;
world access was always granted to all authenticated users, but there was no explicit world
user account. On PI Server 3.4.380 and later, the previously implied world access is now made
explicit with the PIWorld identity.
By default, PIWorld is granted read access to most PI Data Archive databases and objects. The
PIWorld identity does not have access to the following tables: PIARCADMIN, PIARCDATA,
PIBACKUP, PIMSGSS, PIReplication, PITuning, PIAFLINK, PIAUDIT, PIMAPPING, and PITRUST.
You can change the access permissions granted PIWorld, but you cannot delete this identity.
The PIWorld identity cannot be used in a mapping or a trust.
• Improved Security:
◦ Secure authentication
Connections are authenticated through Microsoft's Security Support Provider Interface
(SSPI). If you're using AD, then this means the most secure Kerberos authentication,
which greatly improves your PI Data Archive security.
• Option 1:
Quick-start configuration describes a simple configuration that you can use while you are
working on a more comprehensive security configuration plan. While very quick to
implement, this configuration is not as secure or as flexible as the recommended
configuration. However, options for improving the security and flexibility of this
configuration are included. For simple systems, this might be sufficient for your needs.
• Option 2:
Recommended configuration explains how to create and implement a custom PI Data
Archive security configuration that uses Microsoft Active Directory (AD) for authentication
(but not for PI access permissions; these are still defined directly on the PI Data Archive
server). This is the recommended configuration path.
The above configuration options assume that you are using AD for authentication and that all
users are on the same domain or on fully-trusted domains. If the PI Data Archive server will be
accessed by client applications across non-trusted domains, then these configurations might be
difficult to implement. You can alternatively use local Windows security alone or in conjunction
with AD. See Other security configurations to determine your options.
For instructions on upgrades, see Configuring security for PI Data Archive upgrades.
Quick-start configuration
This configuration provides a quick implementation option that you can use while you are
developing a more complete security plan. For very simple systems, you could use this
configuration long term; in that case, consider making some adjustments to improve security
and increase flexibility.
• piadmins:
piadmins is a built-in PI group that is preconfigured with read-write access to all PI Data
Archive resources. Because we use piadmins, we do not need to explicitly set access
permissions for the read-write group. We simply create a mapping between piadmins and
the AD group or groups that require read-write access.
Note:
piadmins has read-write access to everything on new installations. Upgrades do not
automatically reconfigure the access permissions for piadmins, so this configuration
option does not work. See Configuring security for PI Data Archive upgrades.
• PIWorld:
PIWorld is a built-in PI identity that is preconfigured with read access to most PI Data
Archive resources. You cannot use PIWorld directly in a mapping. However all authenticated
users on the PI Data Archive server get at least PIWorld access. Map an AD group to any PI
identity (or PI group or PI user). All the Windows users in that AD group will automatically
get the access that is preconfigured for PIWorld. See The PIWorld identity for more on
PIWorld.
Note:
This configuration relies on PIWorld access. It does not work if you disable PIWorld.
Procedure
1. Identify which AD group or groups will have administrator (read/write) privileges on the PI
Data Archive server. Identify which groups will have read-only access.
2. Map the AD group that represents PI administrators to the built-in PI group called piadmins.
You can map multiple AD groups to piadmins if needed. Because piadmins has predefined
read/write access to all PI Data Archive configuration and data, all the Windows users in
those AD groups will then get that level of access.
Note:
Be sure to use the piadmins group and not the piadmin user.
3. Map the AD group containing your read-only access users to the built-in PI group piusers.
You can map multiple AD groups to piusers if needed. All the Windows users in those
groups will be authenticated as piusers. Since all authenticated users get read access
through the PIWorld identity, you do not need to explicitly configure access permissions for
piusers.
• To make the quick-start security configuration more flexible, you can add PI identities to
represent different user categories. For example, you might want to grant IT administrators
permission to perform backups. To do that, you create a PI identity and give it the necessary
access permissions. Then create a mapping between AD group for the IT administrators and
that PI identity.
• To make the quick-start security configuration more secure, you can explicitly set the access
permissions for the piusers group, rather than relying on the PIWorld access permissions. In
the quick-start configuration we relied on PIWorld in order to make the configuration
process quicker and easier. However, it is a better practice to use explicitly-configured
access permissions. If you rely on PIWorld, it becomes difficult over time to determine
which users or applications are relying on that access.
The following examples demonstrate how to implement each of these suggested
improvements.
1. For every entry in the Database Security tool, set the access permissions for piusers to read-
only. See Set permissions in the Database Security tool.
2. Set permissions for built-in points. The PI Data Archive installation includes several default
points. These are useful for test purposes. To explicitly grant read access to the piusers
group, edit the points themselves. You can do this using Point Builder (for a small number of
points) or PI Builder (for many points). See Set permissions on specific points and modules.
3. Set permissions for existing modules. At a minimum, the PI Data Archive installation
includes the built-in module %OSI. Depending on what client applications you have
installed, there might be others. To explicitly grant read access to the piusers group, edit the
modules themselves. You can do this using the Module Database tool in PI SMT.
When you create new modules, the piusers group will automatically have read-only access.
This is because new modules automatically have the same access permissions as the
PIModules entry in the Database Security tool. See Default access for new points and
modules for instructions.
Recommended configuration
These instructions assume that you are using Microsoft Active Directory (AD) for
authentication. You can use local Windows security instead, but it is not quite as secure and
extra configuration is required. See Use local Windows security.
Procedure
1. Configure user authentication.
In most cases this simply means creating a PI identity for each AD group that requires PI
access and creating a mapping between them.
Give your PI identities access to the necessary PI Data Archive resources. The access
permissions specify what tasks each PI identity is allowed to perform on the PI Data Archive
server. See Configure access permissions.
3. Configure PI Interface (and PI Client) access to the PI Data Archive server.
a. Configure access for PI interfaces.
Similar to configuring user authentication earlier in Step 1, you need to set up PI
mapping between the Windows AD group or users and PI identity on interfaces that will
connect to the PI Data Archive server. This process involves identifying the Windows AD
users or group for that PI interface, identifying a PI identity for that interface, and
mapping the users or group to the PI identity to grant the required access permissions
for that interface. See Configure PI interface connections using PI trusts for instructions
on creating PI mappings for interfaces.
b. Configure access for client applications (optional).
Client applications typically connect to the PI Data Archive server using PI SDK. You need
SDK 1.3.6 or later to use Windows authentication. You need PI SDK 2016 or later to
utilize transport security. Certain PI client applications require a connection to a separate
application server in addition to a PI Data Archive server (for example, PI DataLink for
Excel Services (DLES) and PI WebParts). These types of applications require additional
configuration steps. See How will PI Server 3.4.380 affect my clients and interfaces? for
more information.
Configure authentication
This section discusses the recommended approach to configuring your PI Data Archive
authentication.
Note:
If you already know which AD group or groups will have PI Data Archive access, then you
can simply create a PI identity for each of these groups and map each AD group to the
appropriate identity.
Procedure
1. Identify user access categories.
2. Create PI identities.
3. Review AD configuration.
4. Map AD groups to PI identities.
Create PI identities
Once you have identified user categories, you designate a PI identity or group for each category.
You can create your own PI identities, or you can use some of the built-in PI identities and
groups that are included in the PI Data Archive installation.
Most of these are sample identities, not configured with access permissions. However the
piadmins group is preconfigured with read/write access to all PI Data Archive resources. Using
piadmins for your main administrator category can save you some configuration time.
The following example shows you how you might use built-in PI identities for the four user
categories described in Identify user access categories.
• Users:
Use the built-in PI group called piusers. This group does not have any preconfigured access
permissions, so you will have to set those manually. As a short-cut you could rely on the
PIWorld access permissions, rather than explicitly setting permissions for piusers. However,
this model is less secure.
• Engineers:
Use the built-in PI identity called PIEngineers. This identity does not have any
preconfigured access permissions, so you will have to set those manually.
• Administrators:
Use the built-in PI identity called piadmins. By default, this identity has read/write access to
all PI Data Archive resources. You can adjust these access permissions as needed.
• IT Administrators:
Create a PI identity called ITAdmins. You will need to set the access permissions manually.
Creating PI identities is just the first step. You also need to:
Create a PI identity
When you create a new identity, the identity name is required. Note the following restrictions
on identity names:
• The name must be unique.
• The name cannot include the vertical pipe (|) character or the colon (:) character.
• The name cannot be a positive integer, although it can contain numbers. For example, the
name 407 is not valid, but the name Admins407 is valid.
• The name is not case sensitive.
Procedure
1. Under the Servers panel (or if you have a collective deployment, Collectives and Servers),
select a server.
2. Under System Management Tools, select Security > Identities, Users, & Groups.
3. Select the PI Identities tab.
4. Click the New Identity button to open the New Identity dialog box, where you can create
and configure a new PI identity.
5. In Identity, type in a name for the new identity.
This field is required. If you try to create an identity with an invalid name, an error message
appears and the identity is not created. Note that you can change an identity name any time
after creation.
6. Select the appropriate server from the drop-down Server list.
This list is populated from the selected servers under Servers (or if you have a collective
deployment, Collectives and Servers). Only PI Server versions 3.4.380 and later appear in the
list.
Review AD configuration
In most cases you can rely on existing AD groups and you will not need to do any AD
configuration. Work with your Windows domain administrator to review existing groups and
make any necessary adjustments.
Note:
Although the PI Data Archive server can use AD for authentication, it does not use
Windows access permissions to determine PI Data Archive access levels. You still have to
set access permissions explicitly on the PI Data Archive server.
• Make sure you have appropriate AD groups for each type of PI Data Archive user. For each PI
identity, you should ideally have a single corresponding AD group. Users that belong to
more than one AD group get the cumulative access permissions for all the associated PI
identities.
• Review your AD group memberships to ensure that all Windows users will get the
appropriate PI Data Archive permissions (PI Data Archive access permissions and AD).
• Establish a naming convention for PI identities and/or AD groups so that it is clear which
group is mapped to which identity. Over time, you will be able to control user access to the
PI Data Archive server simply by editing group memberships in AD or Windows
Once you have a workable set of AD groups, you are ready to map AD groups to PI identities.
Note:
If your current AD groups do not suffice and you cannot get your AD domain
administrator's support, use a simple workaround: Create local Windows groups on your
PI Data Archive server and then place existing AD groups within the local groups.
Look at the access needs for all your Windows users. Which AD groups does the user belong
to? Which PI identities do those groups map to? Users that belong to more than one AD group
get the cumulative access permissions for all the associated PI identities. For example, in the
following illustration, the Windows user, Bob, belongs to both AD groups. Bob therefore gets
the permissions configured for PI Identity1 and the permissions for PI Identity2.
Similarly, users get the cumulative access permissions for all parent AD groups (for nested AD
groups). For example, in the following illustration, Windows user, Bob, belongs to ADGroup2.
Since ADGroup2 is nested inside ADGroup1, the users in ADGroup2 get all the access
permissions of ADGroup1, as well as those of ADGroup2.
Note:
Though you can map individual AD users to PI identities, it is not a recommended
practice. Mappings based on AD users will prevent you from managing your PI Data
Archive security access by manipulating group memberships.
Procedure
1. Open PI SMT.
2. Under Collectives and Servers, select the server. Note that if you have a collective
deployment, this PI SMT panel will appear as Collectives and Servers.
3. Under System Management Tools, select Security > Identities, Users, & Groups.
4. Select the PI Identities tab.
5. Select the identity that you want to map.
6. In the toolbar, click the Properties button .
The Properties dialog box opens.
7. In the Properties dialog box, click the Mappings and Trusts tab.
The top portion of the dialog box shows all existing mappings for this PI identity. The
bottom portion shows all existing PI trusts for this PI identity.
8. Click the Add button under the mappings portion of the dialog box.
There is also an Add button under the trusts portion, so be sure to click the right button.
Note:
The Add button is disabled if the selected PI identity is flagged as disabled or not
usable in a mapping.
◦ Type in the account name. If you choose to type in the account name, click the resolve SID
button to verify that this is a valid account. If the account is valid, an SID appears in
the field. Otherwise, a dialog box with an error message opens.
See Specifying AD users and groups for more information.
To find the security identifier (SID) or to check the validity of a domain principal, you can use
the psgetsid utility. This utility is part of a set of command-line tools called PsTools, that are
available on the Microsoft TechNet Web site. If you run the utility from the PI Data Archive
server, the SID that psgetsid returns is guaranteed to be valid for the mapping.
For example, after installing psgetsid, you could type the following from a command window
on the PI Data Archive server:
psgetsid.exe domain\somegroup
The PI Data Archive server stores the settings for each object in an access control list (ACL).
Each secure object on the PI Data Archive server has an ACL that defines access permissions for
that object. (Points have two ACLs: one for the point data and one for the point configuration.)
The ACL contains an entry for each identity (or user or group) for which access permissions
are set on that object. The ACL for the TEST_POINT data in the illustration above would look
like this:
Identity1:A(r,w) | Identity2:A(r,w) | Identity3:A(r) | IdentityN:A(r,w)
Access permissions for each PI identity are separated by the pipe (|) symbol. Each entry is
called an access control entry (ACE) and consists of the PI identity name, then a colon (:)
followed by the access privileges, which are defined in the format: A(r,w). The A in this
notation stands for Allow and "r,w" indicates the allowed access privileges – read and write, in
this example.
The possible types of access privileges are read and write. The possible unique privilege
combinations are "r" for read only, "w" for write only, "r,w" for read and write, and "" (empty)
for none.
Note:
Unlike Windows, the PI Data Archive server does not allow you to explicitly deny access
privileges.
• The PIWorld identity has read-only access to most PI resources. If the PIWorld identity is
not disabled, then all authenticated users get at least PIWorld access.
• For new installations, the piadmins group has read/write access to all PI Data Archive
resources. On PI Data Archive servers that are upgraded from an earlier version, the
piadmins group has no preconfigured access permissions.
• The piadmin user is the super-user account. It has guaranteed read/write access to all PI
Data Archive resources, regardless of security settings.
The PI Data Archive server also includes the PI Operators, PI Engineers, and PI Supervisors
identities. These sample identities have no preconfigured access permissions, so they do not
really do anything. However, you can use them as a starting point. These sample PI identities
are completely configurable and can be deleted.
• Set default access permissions for new points and modules. After you do this, all new points
and modules that you create will automatically have these default settings. See Default
access for new points and modules.
• Set top-level access permissions in the PI SMT Database Security tool. These include
permissions to configure archives, view the audit trail, change tuning parameters, run
backups, and so on. See Set permissions in the Database Security tool.
• Configure access permissions for individual points and modules by editing the points
themselves. The PI Data Archive installation includes tools for doing this. See Set
permissions on specific points and modules.
Procedure
1. Open PI SMT.
2. Under Collectives and Servers, select the server. Note that if you have a collective
deployment, this PI SMT panel will appear as Collectives and Servers.
3. Under System Management Tools, select Security > Database Security.
The Database Security tool appears.
4. Double-click the table for which you want to set access (see below).
The Properties dialog box opens.
5. Select the PI identity, PI user, or PI group for which you want to modify access permissions.
If the PI identity, user, or group does not appear in the list, click the Add button to add it.
6. Check the appropriate boxes to assign read and/or write access to that PI identity.
For information about what access privileges are necessary for specific tasks, see Review
access permissions.
• Use Local Windows Security: You can use local Windows security for authentication, rather
than AD. There are two disadvantages to this:
◦ Local Windows security uses NTLM for authentication, which is not as secure as
Kerberos (AD uses Kerberos).
◦ Extra configuration is required. The Windows user accounts on the PI Data Archive must
exactly match the accounts on each client workstation. If you have a lot of client
workstations with a lot of users, then Windows authentication might not be a good
choice for you.
However, authenticating through local Windows security is still far more secure than
authenticating through PI trusts or PI user accounts. See Use local Windows security.
• Use a Combination of Local Windows Security and AD: If you want to use AD for
authentication but are not able to configure AD groups to meet your needs, then consider
this workaround. You can use local Windows groups to organize AD users. Then map the
local groups to your PI identities. See Use local Windows security with AD.
• Use Windows Credential Manager: Consider using this option for scenarios where one
machine is in one domain and the other machine is in another domain. You can still use a
combination of local account and AD for this scenario. See Windows Credential Manager.
• Use PI Password Authentication: If you cannot use local Windows security or AD for
authentication, only two authentication methods are available: PI Data Archive user
accounts/passwords and PI trusts. Typically you configure user authentication through PI
user accounts. Use PI groups to group the users so that you do not need to define access
permissions for each individual user. See Use PI users and PI groups.
Note:
Increasing number of OSIsoft client applications require Windows authentication and
PI mappings, and are not viable with PI password authentication.
Procedure
1. Identify user access categories.
Identify the users who need access to the PI Data Archive server. Understand their roles, and
the types of access they need. For example: who needs permission to create points? Who
should be allowed to edit modules? Who will perform PI Data Archive backups? See Identify
user access categories.
2. Create PI identities.
On the PI Data Archive server, create PI identities for people with similar access needs. See
Create a PI identity.
3. Configure local Windows groups.
In Windows, identify the Windows groups that represent your PI Data Archive roles. See
Configure Windows groups.
4. Map Windows groups to identities.
See Create mappings.
5. Grant PI access permissions.
Give your PI identities access to the necessary PI Data Archive resources. The access
permissions specify what tasks each PI identity is allowed to do on the PI Data Archive
server. See Configure access permissions.
6. Configure access for client applications.
Client applications typically connect to the PI Data Archive using PI SDK. You need SDK 1.3.6
or later to use Windows authentication. You need PI SDK 2016 or later to utilize transport
security. Certain PI client applications require a connection to a separate application server
in addition to a PI Data Archive server (for example, PI DLES and PI WebParts). These types
of applications require additional configuration steps. See How will PI Server 3.4.380 affect
my clients and interfaces? for more information.
7. Configure access for interfaces.
You need to set up a mapping for the interfaces that will connect to the PI Data Archive
server. Each mapping is based on a PI identity. See Configure PI interface connections using
PI trusts.
Procedure
1. Configure user accounts on client and server workstations.
To use Windows users and groups, the Windows user accounts on the PI Data Archive
server must exactly match the accounts on each client workstation. The account names and
passwords must be identical.
2. Configure Windows groups and PI identities so that you have a 1:1 relationship between
them.
Follow these guidelines:
Look at the access needs for all your Windows users. Which Windows groups do the users
belong to? Which PI identities do those Windows groups map to? Make sure that each
Windows user belongs to the appropriate Windows groups.
Create mappings
Once you have the necessary PI identities and Windows groups, you need to map each
Windows group to a PI identity. The mapping associates the specified PI identity with the
specified Windows group. Members of that Windows group will be authenticated automatically
on the PI Data Archive server as the specified PI identity.
Procedure
1. Open PI SMT.
2. Under Collectives and Servers, select the server.
3. Under System Management Tools, select Security > Identities, Users, & Groups.
4. Select the PI Identities tab.
If you do not see the PI Identities tab, verify that you are connected to a PI Server 3.4.380 or
later. This tab does not appear in PI SMT with earlier versions of the PI Data Archive server.
5. Double-click the identity to open the Properties dialog box.
6. Click the Mappings and Trusts tab.
The top portion of the dialog box shows all existing mappings for this PI identity. The
bottom portion shows all existing PI trusts for this PI identity.
7. Click the Add button under the mappings portion of the dialog box to open the Add New
Mapping dialog box.
There is also an Add button under the trusts portion, so be sure to click the right button.
Note:
The Add button is disabled if the selected PI identity is flagged as disabled or not
usable in a mapping.
◦ Type in the account name. If you choose to type in the account name, click the resolve SID
button to verify that this is a valid account. If the account is valid, an SID appears in
the field. Otherwise, a dialog box with an error message opens.
9. Enter a description of the mapping (optional).
There are no restrictions on the contents of this field.
10. Click OK.
The new mapping appears under Mappings.
Procedure
1. Identify user access categories.
Identify the users who need access to the PI Data Archive server. Understand the types of
access they need. For example: who needs permission to create points? Who should be
allowed to edit modules? Who will perform PI Data Archive backups? See Identify user
access categories.
2. Create PI groups:
On the PI Data Archive server, create a PI group for each user category. See Create a new PI
group.
3. Grant PI access permissions.
Give each PI groups access to the necessary PI Data Archive resources. The access
permissions specify what tasks each PI group can do on the PI Data Archive server. See
Configure access permissions.
4. Create PI Data Archive user accounts.
Each user who needs access to the PI Data Archive server should have an associated
account. See Create a new PI user. If you allow multiple users to share a single PI Data
Archive account, then you will not have any way to know who made what changes on the PI
Data Archive server.
5. Configure group memberships.
Add each PI user to the appropriate PI group or groups.
6. Configure access for interfaces.
Set up mappings for the interfaces that will connect to the PI Data Archive server. Each
mapping is based on a PI user, a PI group, or a PI identity. See Configure PI interface
connections using PI trusts.
7. Upgrade administrative client applications.
If you have existing client computers that will connect to this PI Data Archive server,
upgrade any applications that configure access permissions (Administrative client
applications).
Procedure
1. Under Collectives and Servers, select the server or collective.
2. In the System Management Tools pane, select Security > Identities, Users, & Groups.
3. Click the PI Users tab.
4. Click the New button to open the New User dialog box.
5. In Username, type the a name of the new PI user. This field is required.
6. Select the appropriate server from the drop-down Server list. This list shows the servers
selected under Collectives and Servers.
7. Optionally, enter a brief description in Description. There are no restrictions on the contents
of this field.
8. In Password, enter a password for the PI user.
9. Click Create. The new PI user now appears in the PI Users tab.
Procedure
1. Under Collectives and Servers, select the server or collective.
2. In the System Management Tools pane, select Security > Identities, Users, & Groups.
3. Click the PI Groups tab.
4. Click the New button to open the New Group dialog box.
5. In Group, type the name for the new PI group. This field is required.
6. In Server, select the appropriate server. This list shows the servers selected under
Collectives and Servers.
7. In Description, enter a brief description, if desired. There are no restrictions on the contents
of this field.
8. Click Create to create the new PI group.
Caution:
PI API 2016 for Windows Integrated Security does not support PI trusts or explicit
logins. If you require PI trusts for authentication, do not upgrade to PI API for
Windows Integrated Security to avoid any potential data loss
• Transport Security
Transport security improves message integrity and privacy. PI API 2016 for Windows
Integrated Security internally routes messages to the local PI Network Manager, which
manages transport security with the PI Data Archive server.
Data integrity provides increased security against malicious attacks and intrusions into
your data infrastructure. Transport security provides an additional layer of defense
essential to protecting against data breaches, injection attacks, unauthorized
eavesdropping, etc. Transport security not only protects your deployment, but the
confidentiality of any secondary infrastructure or client connecting to your system.
For the most secure experience, OSIsoft recommends customers run PI Data Archive 3.4.395
(2015) or later, and PI API 2016 for Windows Integrated Security. Transport security is
supported on all client applications using PI API 2016 for Windows Integrated Security
automatically when connection is to a PI Data Archive server version 2015 or later. If a
buffering node connects to multiple PI Data Archive servers of different versions, transport
security is enabled only on the connections to the PI Data Archive servers with version
3.4.395 or later and PI API 2016 for Windows Integrated Security deployed.
• Software Security
PI API 2016 for Windows Integrated Security is the most secure version of PI API released.
Additionally, PI API 2016 for Windows Integrated Security leverages the greatest number of
Microsoft software security defenses provided by the compiler and operating system. PI API
2016 for Windows Integrated Security was developed specifically for modern Windows
platforms, and enables the server operating system defenses in accordance with Microsoft
security development lifecycle (SDL) guidance. Updated software is critical to defending
against malicious attacks and unauthorized intrusions in your system.
PI API 2016 for Windows Integrated Security is supported on most UniInt PI Interfaces, such
as: PI Interface for OPC DA, PI to PI interface, and Random simulator interface.
Note:
PI API 2016 for Windows Integrated Security is NOT supported on interfaces running on
UNIX or Linux platforms.
OSIsoft recommends upgrading from PI trusts and explicit login to Windows authentication
through the use of PI mappings as the authentication model throughout your PI system.
Applications using PI API 2016 for Windows Integrated Security require a Windows logon or
service accounts to connect with the PI Data Archive server. Therefore, before upgrading to PI
API 2016 for Windows Integrated Security, you must configure PI mappings to replace any
existing PI trusts used by PI interfaces. PI trusts and explicit logins are disabled on PI API 2016
for Windows Integrated Security.
Procedure
1. Task 1: Ensure system requirements.
2. Task 2: Identify all PI trusts and corresponding PI identities.
3. Task 3: Identify Windows account for your interfaces.
4. Task 4: Change the login credentials for your interfaces.
5. Task 5: Create PI mappings between the Windows account and PI identities.
6. Task 6: Retire PI trusts.
Procedure
1. Check the PI Data Archive version number.
a. Open a command prompt window.
b. Go to the %PISERVER%\adm directory.
c. Type: piversion -v at the command prompt.
2. If the version number is earlier than 3.4.380, upgrade your PI Data Archive server to the
most recent version.
Procedure
1. Determine the name of the configured PI trust using the PI SMT Network Statistics plug-in.
a. Open PI SMT and expand Operation on the left pane.
b. Select Network Manager Statistics.
c. Identify the PI Data Archive in the Server list.
d. Identify the interface by the service name (interfaces run as services) and PeerAddress.
Identify the corresponding name of the trust in the Trust column for that interface. For
interfaces that are not running, the trust can be determined by examining the trust table
under Mappings & Trusts as described in the following steps.
2. Open PI SMT and expand Security on the left pane.
3. Select Mappings & Trusts.
4. Select the Trust tab.
5. For interfaces that are not running, identify the trust based on the Application Name,
Network Path and/or IP Address. Identify the PI User associated with this trust. Identify the
interface(s) on your Interface node under Application Name.
6. For interfaces that are running, identify the trust based on the service name (interfaces run
as services) determined in Step 1 and identify the PI user for that trust. Each of these trusts
enable an authentication model where the connection credentials of the interface is
compared to records in the trust database. Each PI trust is defined against a single PI
identity (one type of PI user), PI group (a group of PI users), or PI user (listed under the PI
User column). Take note of this PI Identity (Identity1) for later tasks of the upgrade. When
Procedure
1. Open Services on the Interface node machine by using the Start Menu > services.msc
command.
2. Select each interface currently running as a service.
3. Right-click on Properties.
4. Click the Log on tab.
5. Identify the name of the Windows account, referred to as User1.
6. Identify the type of account by identifying how the Interface node is accessing the data
source: Local System account or Windows account.
Consider the following factors on whether to preserve your existing Windows account or
create a new account for the PI API upgrade under the following scenarios:
• The Interface node is on a trusted domain computer. For this type of scenario, if the
Windows account is either a domain Managed Service account (MSA) or custom domain
account, you can just use the same account for the upgraded PI API. An acceptable
alternative can be to use a Network Service account or Virtual account.
• The Interface node is on a workgroup or untrusted domain. For this type of scenario, if the
Windows account is a Local System account (domain account using Windows Credentials
Manager), you can just use the same account for the upgraded PI API. However, if the
Windows account is a Local System Account (mirrored Local System account on PI Data
Archive), we recommend creating a new account for better security.
In addition, consider the following when changing the log on properties for the interface
(running as a service).
• The new user account should have the permissions to the data source. Refer to the interface
user guide specific to your interface for this information, available at the OSIsoft Customer
Portal (https://my.osisoft.com/).
• The new user account should have permissions to access folders and files on the Interface
node required for the interface to run correctly. You can determine whether any specific
folders and file permissions are necessary by referencing the specific PI interface user guide
available from the OSIsoft Customer Portal (https://my.osisoft.com/).
Procedure
1. Open Services in your Interface node machine by using the Start menu > services.msc
command. The PI interfaces run as services and will show up in this window.
2. Click on Properties.
3. Select each PI interface, listed as a service.
4. Enter the log on credentials for each interface to reflect the selected Windows account
determined in an earlier task. See Task 3: Identify Windows account for your interfaces.
5. Restart the interface.
6. Verify that the interface is able to function correctly and still connecting to PI Data Archive
through trusts. This verifies that the new user account for the interface does not have
permission issues with the data source.
Note:
As a preliminary step for each of the following deployment scenarios, upgrade your PI
Data Archive server to PI Data Archive 2015 R2 SP1 (version 3.4.395.80 or later) to use
Windows authentication and transport security.
Procedure
1. Open PI System Management Tool (SMT). From the Windows Start menu, choose All
Programs > PI System > PI System Management Tools.
2. Expand Security in the left pane. The
3. Select Mappings & Trusts.
4. Click the Mappings tab.
5. Click the New icon to create a new PI mapping.
6. In the Windows Account field, enter the Windows service account, local system account, or
domain account identified in Task 3: Identify Windows account for your interfaces (User1).
The PI mapping associates the PI identity (or PI user or PI group) with the Windows service
account, local system account, or domain account. Authenticated Windows accounts are
automatically authenticated on PI Data Archive through the mapping.
7. In the Server field, select the PI Data Archive server to which you want to create the
mapping. In the PI Identity field, enter the PI user or PI group from Task 2: Identify all PI
trusts and corresponding PI identities (Identity1).
This PI mapping associates the PI identity (or PI user or PI group) to the Windows service
account, local system account, or domain account. With mappings, your accounts are
granted access and permissions based upon the corresponding PI identity associated with
the mapping on the PI Data Archive server.
Scenario: Interface node and PI Data Archive on the same domain or on trusted
domains
In this deployment scenario, the Interface node and PI Data Archive are located in the same
domain, or different but trusted domains. In the case of trusted domains, if there is one-way
trust between the domains, then the direction of the trust is important. The domain with PI
Data Archive must trust the domain with the Interface node. The objective is to map User1 to
Identity1.
Procedure
• If the Windows account (User1) is a Local System account or Network Service account, map
the interface node name (<Domain>\<InterfaceNodeName>$) to your PI identity
(Identity1).
• If the Windows account (User1) is a domain account, map the account (User1) to your PI
identity (Identity1) as described in the earlier scenario. See Scenario: Interface node and PI
Data Archive on the same node.
• If the Windows account (User1) is a local account, then either:
◦ Change the user account for the interface to a domain account. See Task 4: Change the
login credentials for your interfaces.
◦ Map the account (User1) to a domain account (DomainUser1) in Windows Credential
Manager on the Interface node (see Windows Credential Manager). Map DomainUser1 to
Identity1 on PI Data Archive using PI SMT.
◦ Create the same account (User1) on PI Data Archive with the same credentials as the
account on the Interface node. Map ServerNode\User1 to Identity1 .on PI Data Archive
using PI SMT.
Caution:
Identical user accounts and passwords is a form of credential reuse. Verify identical
accounts are consistent with your IT policies.
Procedure
• If the Windows account (User1) is a local account or a domain account on the Interface node
domain, then either:
◦ Map Windows account (User1) to a PI Data Archive domain account (ServerDomain
\DomainUser1) in Windows Credential Manager on the Interface node. See Windows
Credential Manager. Map ServerDomain\DomainUser1 to Identity1 on PI Data Archive.
◦ Create the same Windows account (User1) on thePI Data Archive node with the same
credentials as the account on the Interface node. Map ServerNode\User1 to Identity1.
• If Windows account (User1) is either a Local System account or Network Service account,
change the user account of the Interface node to enable Windows authentication (see Task
4: Change the login credentials for your interfaces).
In deployment scenarios where the PI Data Archive server exists in an untrusted Domain
\Workgroup, a user can save the Windows credentials used for authenticating into that
untrusted Domain\Workgroup in Windows Credential Manager. As a result, when the user
connects to a PI Data Archive through Windows authentication and there is a saved set of
Windows credentials for the network path of that PI Data Archive, the stored Windows
credentials will be used in place of the user's actual Windows credentials.
See the OSIsoft Knowledge Base article KB00354 - Supported Windows Security
Configurations in Domains and Workgroups for the PI Data Archive (https://
customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB00354) for more
information about the used of Windows Credential Manager.
Procedure
• If the Windows account (User1) is a local account, then create the same account (User1) on
the PI Data Archive with same credentials as the account on the Interface node. Map
ServerNode\User1 to Identity1.
• If the Windows account (User1) is a either Local System account or Network Service
account, you must change the user account for the Interface node to use a local account to
enable Windows authentication. See Task 4: Change the login credentials for your
interfaces.
Procedure
1. Create the necessary number of new Windows domain account to accommodate each
different PI identity used for the mappings to access Create a new Windows domain
account.
2. Map a new account to a distinct PI identity used on the Interface node. Repeat until all of the
distinct PI identities are mapped.
Procedure
1. Open PI SMT and expand Security on the left pane.
2. Select Mappings & Trusts.
3. Select the Trust tab.
4. Disable or delete the trust(s) from the Interface node.
Procedure
1. Download the setup kit on the Interface node from the OSIsoft Customer Portal (https://
my.osisoft.com/).
2. Run the installation program to install the PI API 2016 for Windows Integrated Security
files. The setup kit will use the existing installation path.
3. Specify the PI Data Archive hostname for a new PI API installation. For a PI API upgrade, the
setup will use the existing settings.
4. Follow the remaining prompts to finish the installation.
5. Run the interface as an automatic Windows service.
6. Verify that the interface is running properly.
a. Open PISDKUtility to view the logged interface messages.
b. Open PI SMT and expand Operation on the left pane.
c. Select Network Manager Statistics.
d. Ensure that the connection is using the proper account and PI Identity.
7. Disable the existing PI trust(s) replaced by the new PI mapping(s).
Procedure
1. Open Windows Control Panel.
2. Select PI API 2016 for Windows Integrated Security from the Add or Remove Programs.
3. Remove PI API 2016 for Windows Integrated Security from the list.
Procedure
1. Identify all the PI interfaces that need access to the PI Data Archive server.
2. Consult the documentation for each interface and gather the information you need to
configure the PI trust. You need to know the connection type (Connection types (PI API and
PI SDK)). The type of connection determines what information you can use to define the
trust. You will also need to specify at least one of the following:
◦ The correct application name to use when defining the trust (The application name)
◦ IP information for the connecting computer (IP information in SMT)
◦ For SDK connections only, you have the option to specify Windows account information,
but this is not recommended (Windows account information)
3. Decide how many PI trusts you will create.
You can create explicit individual trusts for each PI interface or you can group them
according to subnet, host machine, or username. A group of PI interfaces can share the same
privileges.
4. For each PI trust, create a PI identity.
See Create a PI identity.
5. Give that PI identity all the access permissions required by the PI trust.
See Product access permissions reference and configuration issues as well as the
documentation for the interface.
6. Create a trust based on that PI identity.
See Create a trust.
About PI trusts
PI trusts allow applications to access the PI Data Archive server without explicitly logging onto
Windows (or onto the PI Data Archive server). In earlier versions of PI API, you used trusts for
PI interfaces, which ran unattended. Starting with PI API 2016 for Windows Integrated
Security, we recommend using Windows authentication for PI interfaces. However, PI trusts are
still supported by the PI Data Archive for scenarios where Windows Integrated Security is not
an option, and if the API-based client applications is not running PI API 2016 for Windows
Integrated Security.
Each PI trust is defined against a PI identity, a PI group, or a PI user. The trust gives the
interface the same access permissions as the associated identity, group, or user. Trust
authentication works by comparing the connection credentials of the connecting application to
the trust records in the trust database.
Create a trust
Procedure
1. Under Servers (or if you have a collective deployment, Collectives and Servers), select the
server.
2. Under System Management Tools, select Security > Mappings & Trusts.
The Mappings & Trusts tool appears.
3. Select the Trusts tab.
◦ Application Name
This is slightly different for PI API and PI SDK connections.
▪ API
Connecting PI API applications send an identifier called an application process name,
or procname. This is a four-character string with an E appended (for example, the
procname for the Perfmon interface is PIPeE).
▪ SDK
The full name of the connecting application, including the extension, but not the path
(for example, PI-ICU.exe).
◦ IP Address
The IP address of the interface node.
◦ Net Mask
The net mask for the interface node (for example, 255.255.255.255).
For SDK connections only, you also have the following optional fields:
◦ Windows Domain
The Windows domain of the user who runs the application (for example, osi).
◦ Windows Account
The Windows user name of the user who runs the application (for example, my_account).
8. Select the PI identity that you want to use for this trust.
Applications authenticated through this trust have all the access permissions granted to this
PI identity. Alternatively, you can select a PI group or a PI user for this step.
• Applications that connect through PI API send an identifier called an application process
name, or procname. This is a four-character string with an E appended. For example, the
procname for the Perfmon interface is: PIPeE
Note:
PI API versions before 1.6.0 always send a five-character string: 4 characters plus a
capital E. For PI API versions 1.6.0 and later, up to 8 characters may be specified as the
procname, if configured to do so (in this case, there is no longer an E appended to the
procname).
• For applications that connect through PI SDK, use the full name of the connecting
application, including the extension, but not the path. For example, the application name for
PI ICU is: PI-ICU.exe
If you are running the same PI interface on another PI Data Archive server, then you can use PI
SMT to determine the correct application name. Select Operation > Network Manager
Statistics. Find the interface in the list. The application name is listed under Name. See the
OSIsoft Knowledge Base article How to recognize connecting application names in the PI
Network Manager Statistics table and message logs (https://customers.osisoft.com/s/
knowledgearticle?knowledgeArticleUrl=KB00505).
IP information in SMT
A PI trust can specify IP information about the computer running the PI interface or client
application for which you are defining the trust. To collect this information, you can run
pidiag -host on the computer where the interface or client application runs. This returns
the connection credentials as retrieved from the local operating system.
Note:
Using pidiag -host is helpful, but it is not a guarantee of getting the right information,
depending on many factors, including the type of interface, the version of the SDK (if SDK-
based), and whether there are firewalls / NAT devices in between the interface computer
and the PI Data Archive computer. If you have difficulty configuring the trust, visit the
OSIsoft Customer Portal (https://my.osisoft.com/).
• Network Path. The fully-qualified domain name. For PI API, this should match what the PI
Data Archive server thinks based on a reverse-name lookup using the interface's IP address.
For PI SDK (1.3.6.x and later), this should match what the client thinks, based on the
Windows configuration (you can use pidiag –host on the client to see this information). For
example, my_laptop.my_company.com
• IP Address.
• Netmask. If you specify an IP address, you must also explicitly provide a netmask value.
Failure to do so will generate an error. If you require an exact match on an IP address,
specify the netmask as 255.255.255.255. If you specify a class C subnet, specify the
netmask as 255.255.255.0 and the fourth field of the IP address as 0.
Note:
When applications run on machines with multiple network cards, you cannot predict
which credentials the application will send to the PI Data Archive server for the trust
authorization. OSIsoft thus recommends that you either avoid such configurations, or
create a PI trust for every IP address on the machine where the application runs.
• Windows Domain
The Windows domain of the user who runs the application.
• Windows Account
The Windows user name of the user who runs the application.
• Windows Authentication
Previous versions of PI Data Archive had two methods of authentication: PI trusts and PI
password authentication (typing in PI user name and password). PI Server 3.4.380 adds a
third method: Windows authentication. This method is more secure than the other two and
is now the recommended method for authenticating connections.
• PI Identities
The old model had only PI users and PI groups. This model was based on the necessity for
managing user accounts on the PI Data Archive server. The new model provides PI
identities. The PI identity is essentially an abstraction layer. It allows you to map Windows
groups or users to categories of access on the PI Data Archive server without creating a
separate set of credentials.
• Mappings
Mappings are the mechanism for associating Windows users or groups with PI identities.
You can also create mappings to existing PI users and PI groups.
Note:
Previous versions of PI Data Archive had a built-in PI user and a built-in PI group that
were both named piadmin. The name of the PI group called piadmin has been changed to
piadmins (plural) for consistency. Similarly, previous versions of PI Data Archive had a
built-in PI user and a built-in PI group that were both named piuser.
• Improves Security
You can now use Windows authentication to control user access to the PI Data Archive
server. PI password authentication (typing in a PI user name and password) are nowhere
near as secure as Windows authentication. If you configure your PI Data Archive server for
Windows authentication, you will greatly improve security. Windows AD is preferable
because it uses the more secure Kerberos protocol. However, you can use local Windows
authentication if necessary.
Procedure
1. Configure authentication for piadmin.
Map a Windows group to the piadmin account. All the Windows users that are a member of
this Windows group will then get piadmin access permissions simply by logging on to
Windows.
a. In Windows AD, identify the Windows group that will get administrative privileges on
the PI Data Archive server.
If the appropriate group does not exist, ask your domain administrator to set one up for
you. If your domain administrator will not help, try the workaround described in Use
local Windows security with AD.
b. Create a mapping between that AD group and the piadmin account.
Now all users in that AD group have the same privileges as piadmin.
2. Configure authentication for pidemo.
a. In Windows AD, identify the Windows group that will get the pidemo access permissions
on the PI Data Archive server.
b. Create a mapping between that AD group and the pidemo account.
Now all users in that AD group have the same privileges as pidemo.
• The biggest security hole in this quick-start plan is that pidemo and piadmin are still
accessible through PI user passwords. PI user passwords are not especially secure. To fix,
disable explicit logins (typing in a PI user name and password) for the pidemo and piadmin
accounts. Then the PI Data Archive server disallows user-name and password access for
those accounts and only provides access through the mappings you created or through PI
trusts. See Disable explicit logins for individual user accounts for instructions.
• Review the follow-up steps, which include upgrading the SDK on client workstations,
upgrading administrative applications, and so on. You can choose if and when to complete
each step. See Follow-up steps.
• Follow-up Steps
Perform these follow-up steps over time. See Follow-up steps.
If your existing configuration relies on very few PI users or PI groups, the Quick-start security
migration might work better for you.
Procedure
1. Review existing access permissions.
Export the access permissions for all existing points and modules and for all the entries in
the PI SMT Database Security tool. See Review access permissions.
2. Create a list of unique access strings.
You will use this list to determine the needed sets of access permissions. See Create a list of
unique access strings.
3. Create a configuration plan.
Identify which PI groups you will keep and which are redundant. If you have any sets of
access permissions that are not covered by existing PI groups, determine how you will fill
those gaps. See Create a configuration plan.
4. Create new identities to fill gaps.
If you decided to create new PI identities to fill configuration gaps, create them now. See
Create PI identities to fill gaps.
5. Review AD groups.
Determine how your AD groups correspond with your configuration plan. You might need to
create new AD groups or adjust group membership. See Review AD groups.
6. Create the mappings.
Set up mappings between AD groups and PI groups and identities. See Create mappings in
SMT.
7. Verify initial configuration.
Check your new security configuration to make sure that everyone is getting the correct
level of access. See Verify initial configuration.
When you export the existing data access permissions, each object will have an associated
access control list (ACL). This is different from the old owner/group model. For example, in
earlier versions of the PI Data Archive server, the access permissions for the sinusoid point
might look like this:
Tag dataaccess datagroup dataowner
sinusoid o:rw g:rw w:r pi_users bob
When you upgrade the PI Data Archive server, those access permissions are converted to the
new model and would look like this:
Tag datasecurity
sinusoid pi_users:A(r,w) | bob:A(r,w) | PIWorld:A(r)
See About access permissions on the PI Data Archive server for more information on the ACL.
• Modules
Use Module Database Builder to export all module security information into a spreadsheet.
• Database Security
Open the Database Security tool in PI SMT. Click the Export To File button to export the list
into a .csv file. Open that file in Excel.
The following table shows what the same access permissions look like after upgrading to PI
Server 3.4.380.
point datasecurity
tag1 bob: A(r,w) | pi_ops: A(r) | PIWorld: A(r)
tag2 bob: A(r,w) | pi_ops: A(r) | PIWorld: A(r)
tag3 bob: A(r,w) | pi_ops: A(r) | PIWorld: A(r)
point datasecurity
tag4 nancy: A(r,w) | pi_eng: A(r,w) | PIWorld: A(r)
tag5 bob: A(r,w) | pi_ops: A(r) | PIWorld: A(r)
What we want to do is collapse these access permissions into a set of unique access strings. It
does not matter whether we use the owner/group/word notation or the ACL strings. We will
use ACLs for the rest of this example.
In this manner, reduce all your access permissions to a set of unique access strings. The next
step is to determine what PI groups you need, based on this list.
We need to distill our list down into the smallest number of access permission sets and we
need to keep track of who currently has that level of access. Another way to look at our current
access permissions is as follows:
• If we are not going to disable PIWorld, then the pi_ops access permissions are not needed.
For the purposes of this example, assume we will continue to rely on PIWorld.
• The PI user nancy and the PI group pi_eng have identical access permissions. Since these
access permissions are already defined for pi_eng, we will leave this PI group in place. We
need to create a mapping between pi_eng and a Windows group that contains the following
users:
◦ Windows users represented by the PI user members of pi_eng
◦ Windows user represented by the PI user nancy
We can retire the PI user called nancy.
• The PI user bob has unique access permissions. We have two choices:
◦ We can keep the PI user bob and create a mapping between the corresponding Windows
user and PI user bob. This gives us Windows authentication, which is much more secure
than PI user accounts. We can continue to use the access permissions defined for bob.
◦ Another solution would be to create a new PI identity, grant it the same access
permissions as bob then map a Windows group containing the corresponding Windows
user to this new PI identity.
We choose to continue using bob for now, but we plan to create a new PI identity and retire
the PI user bob in the future.
The next step is to create the required mappings and then disable the PI group pi_ops and the
PI user nancy.
Review AD groups
Ideally, you want one AD group for each PI group and PI identity on your PI Data Archive
server. When you determined the needed sets of access permissions, you also compiled a list of
PI users and PI groups that required those access permissions.
Hopefully, your AD configuration includes groups that somewhat match these required sets of
access permissions. If not, work with your domain administrator to create or reconfigure AD
groups for the PI Data Archive server. You need an AD group for each set of access permissions.
Each set of access permissions are associated with a PI identity, PI group, or PI user on the
server. The ideal configuration is a one-to-one mapping between an AD group and a PI identity
or a PI group.
The goal is for all of your users to get the same access permissions that they had before the
upgrade. In most cases this should not be difficult. However, if you have a large number of
users with different access permissions, then you are probably going to have some gaps on
your first pass.
During this configuration period, you can rely on the access permissions for piadmin and the
built-in PIWorld identity. You can create a mapping between an AD group representing your
administrators and the PI user piadmin. All authenticated users get the access permissions
defined for PIWorld. By default, PIWorld has read-only access to most PI Data Archive
resources.
Note:
If your domain administrator is unwilling to reconfigure AD, you can nest existing AD
groups inside local Windows groups. See Use local Windows security with AD.
Procedure
1. Under Collectives and Servers, select the server.
2. Under System Management Tools, select Security > Mappings and Trusts.
◦ Type in the account name. If you choose to type in the account name, click the resolve SID
button to verify that this is a valid account. If the account is valid, an SID appears in
the field. Otherwise, a dialog box with an error message opens.
6. See Specifying AD users and groups for more information.
Follow-up steps
After you have an initial PI Data Archive server configuration, you can continue to transition to
the new model over time. This section discusses some measures that you should take.
Procedure
1. Click Start > All Programs > PI System > PI System Management Tools.
2. Under Collectives and Servers, select the PI Data Archive server where you want to enable
the tuning parameter.
3. Under System Management Tools, select Operation > Tuning Parameters.
4. Click the New Parameter button.
5. In Parameter name, type:
Base_AllowSIDLookupFailureForMapping
6. In Value, type:
1
7. Click OK.
8. Restart the server’s PI Base Subsystem.
Upgrade PI API
Starting with the release of PI API 2016 for Windows Integrated Security, Windows
authentication and transport security extends to all client API-based applications, such as PI
interfaces. As a result, OSIsoft recommends upgrading your authentication model to Windows
authentication for all applications using PI API to connect to PI Data Archive. Before upgrading
your PI API to PI API 2016 for Windows Integrated Security, you must replace any existing PI
trusts with PI mappings.
Caution:
PI API 2016 does not support PI trusts and explicit logins. Before upgrading your PI API
to PI API 2016 for Windows Integrated Security, you must first configure PI mappings to
replace any existing PI trusts or explicit logins on PI API. In order to configure a PI
mapping, you will need a Windows logon or service account for the PI API application.
For detailed information on how to upgrade to PI API 2016 for Windows Integrated Security,
see Installing and upgrading PI API 2016 for Windows Integrated Security.
Retire PI trusts
After replacing any existing PI trusts with PI mappings, retire all PI trusts as an authentication
model.
Prior to the availability for Windows authentication on PI API enabled by the release of PI API
2016 for Windows Integrated Security, PI trusts were typically used to authenticate API-based
client applications that ran unattended, such as PI interfaces. Trust authentication works by
comparing the connection credentials of the connecting application to the trust records in the
trust database. Human intervention is not required at the time of connection. PI trust
authentication is a weak form of authentication compared to Windows authentication, and is
not recommended.
For information about retiring PI trusts, see Task 6: Retire PI trusts.
• Disable explicit logins for the piadmin account (Disable explicit logins for piadmin). Explicit
logins (also called password authentication) on the PI Data Archive server are not nearly as
secure as Windows authentication or PI trusts. Although the password mechanism
performs as designed, weakness exists due to the use of a proprietary cypher developed in
the 1990s that has not been modified to keep up with modern cryptographic advances. In
short, the explicit login as an authentication method is not secure from malicious actors.
Instead, control access to this account through Windows authentication.
• If you cannot disable explicit logins for the piadmin account, then at least make sure that the
piadmin account does not have a blank password. New PI Data Archive installations require
a password for piadmin. While this is not mandatory for upgrades, it is strongly
recommended.
• Restrict piadmin access to a small group of trusted administrators.
Note:
Do not use piadmin for normal administrative tasks. See The piadmin user for more
information.
Procedure
1. In PI SMT, open the Identities, Users, & Groups tool (under System Management Tools,
select Security > Identities, Users, & Groups).
2. Click the PI Users tab.
3. Double-click the piadmin entry.
The Properties dialog box opens.
4. On the General tab, select the User cannot be used for an explicit login check box.
5. Click OK.
• Disable All Explicit Logins. This is the most secure option, but if your current configuration
requires users to log into PI user accounts, then you are not ready for this move.
• Disable Explicit Logins with Blank Passwords. If it is not possible for you to disable explicit
logins, then you should disable explicit logins for all PI users with a blank password. Before
doing so, give your users an opportunity to create passwords for their PI user accounts.
• Disable Explicit Logins for Individual User Accounts. As you begin to configure Windows
authentication for your users, you can disable explicit logins for these accounts.
Procedure
1. Under System Management Tools, select Security > Security Settings. The Security Settings
tool opens.
2. Under Collectives and Servers, select the server.
You can change settings for only one PI Server server at a time and only for PI Server servers
running version 3.4.380 or later.
3. Move the slider to the Explicit login disabled option.
4. Click Save.
5. Stop and restart PI Base Subsystem:
a. Under System Management Tools, select Operation > PI Services.
b. Right-click the PI Base Subsystem entry and choose Stop Service.
c. After the subsystem stops, right-click on the PI Base Subsystem entry again and choose
Start Service.
Procedure
1. Under System Management Tools, select Security > Security Settings. The Security Settings
tool opens.
2. Under Collectives and Servers, select the server. You can change settings for only one PI
Data Archive server at a time and only for PI Server servers running version 3.4.380 or later.
3. Move the slider to the Blank password not allowed option.
4. Click Save.
5. Stop and restart PI Base Subsystem:
a. Under System Management Tools, select Operation > PI Services.
b. Right-click the PI Base Subsystem entry and choose Stop Service.
c. After the subsystem stops, right-click the PI Base Subsystem entry again and choose
Start Service.
• Though more secure than explicit logins, PI trusts are not as secure as Windows
authentication.
• If you create a trust, application users might still be authenticated through Windows and
not the trust (Windows authentication versus SDK trusts). This means that their access
permissions will be dictated through Windows, rather than the trust.
After you replace your SDK trusts by Windows authentication, you can further secure the PI
Data Archive server by disabling SDK trusts altogether.
If a valid PI mapping exists for the Windows user (or for any group to which the user
belongs) then the user is authenticated as the PI identity, PI user, or PI group defined for
that mapping.
• PI Trust.
If the connection request matches an existing PI trust, then the user is authenticated as the
PI identity, PI user, or PI group defined for that trust.
• A default PI user account. OSIsoft does not recommend this method.
The first method that succeeds defines the access permissions granted to the connecting
application. After an authentication method succeeds, no other methods are tried. By default
the SDK (1.3.6 and later) tries to authenticate first through Windows.
You can use PI SMT to configure the methods the SDK tries first:
Procedure
1. Select File > Connections to open PI Connection Manager.
2. Select Tools > Options to open the Connection Option dialog box.
3. Under Specify Authentication Procedure, specify which protocols to allow and in which
order to try them in Protocol order.
Note:
You can also access PI Connection Manager from the About PI-SDK application. Select
File > Connections.
Procedure
1. Under System Management Tools, select Security > Security Settings.
The Security Settings tool opens.
2. Under Collectives and Servers, select the server.
You can change settings for only one PI Data Archive server at a time and only for PI Server
servers running version 3.4.380 or later.
3. Move the slider to the SDK trusts are disabled option.
4. Click Save.
5. Stop and restart PI Base Subsystem:
a. Under System Management Tools, select Operation > PI Services.
b. Right-click the PI Base Subsystem entry and choose Stop Service.
c. After the subsystem stops, right-click the PI Base Subsystem entry again and choose
Start Service.
Configure PI Firewall
For all incoming connections, the PI Data Archive server first checks the PIFIREWALL table for
partial or complete IP host names or addresses. If there is no entry in the table that allows the
incoming connection, the PI Data Archive server terminates the connection immediately.
By default, the PIFIREWALL table allows all connections. Edit the table to allow connections
only from the subnets defined for your community of users. You can change settings for the
table with the PI SMT Firewall tool, which you can access by choosing Security > Firewall. PI
Data Archive collectives do not replicate the PIFIREWALL table.
Note:
PIFIREWALL does not filter IPv6 traffic.
In order to change settings in the PIFIREWALL table, you need read/write access to the
PITUNING entry in the Database Security tool. To access the Database Security tool, open PI
SMT, choose Security > Database Security.
Tip:
Use Windows firewall or install a hardware firewall for additional security. PIFIREWALL
is installed by default with PI Data Archive, and blocks connections to the PI System only.
A Windows firewall or a hardware firewall offer more robust firewall filtering, such as
IPv6 filtering. Using a Windows firewall or hardware firewall in addition to the
PIFIREWALL is recommended.
Disable PIWorld
You can disable the PIWorld identity. This improves your control over access to the PI Data
Archive server. All users get only the access that is explicitly configured for them and no more.
The decision to disable PIWorld should not be taken lightly.
• For PI Data Archive server upgrades, or for new installations that are part of an existing
configuration of PI interfaces and client applications, disabling PIWorld is a dangerous
measure that could unintentionally lock down areas of access. It is very difficult to
determine in advance which users or applications are relying on PIWorld access. If you need
to disable PIWorld in these situations, contact the OSIsoft Customer Portal (https://
my.osisoft.com/) to help you form a plan.
• OSIsoft recommends disabling the PIWorld identity for all new installations.
• Upgrade the PI SDK to PI SDK 2016 or later. Nearly all functionality for the new Windows
security and transport security on the client side resides within the PI SDK.
• Upgrade Administrative client applications (applications that can set access permissions)
Note:
Starting with the release of PI API 2016 for Windows Integrated Security, PI API supports
Windows authentication. Earlier versions of PI API do not support Windows
authentication. In those cases, PI API-based applications can authenticate only through a
PI trust or explicit login. Most interfaces are PI API-based.
If you have trusts defined against the piadmin super-user account, it is a good security practice
to migrate these to a different PI identity, PI user, or PI group. See Protect piadmin in PI SMT.
You will need to configure appropriate access permissions. Typically, for all relevant points, a PI
interface needs:
If you are implementing a new PI System using PI Server 3.4.380, we recommend that you
follow the instructions in Configure PI interface connections using PI trusts.
• Message ID = 7054, which contains text "No trust established for: <identifyingString>.
Explicit login is required for access "
• Message ID = 7140, which contains text "Timeout expired for unauthenticated PI API
Connection"
You can filter these unique message IDs in the PI SMT Message Logs tool.
Note:
If you do not reconfigure security and connection settings to use the new security
features, you see no change in your application servers. Upgrading to PI Server 3.4.380
does not require that you use its new security features.
• PI SMT version 3.3.1.3 or later (includes Point Builder, Module Database tool, and Database
Security tool)
• PI Builder
• Module Database Builder version 1.2.1.3 or later
• PI ICU 1.4.7 or later
• PI APS 1.2.5.0 or later
• What are the requirements to upgrade to PI API 2016 for Windows Integrated
Security?
The account that is running the API must be able to generate a Windows login context that
can authenticate with the PI Data Archive computer. Note the computer running the API
application does not need to be a member of a domain. Separate credentials can be stored in
Windows Credential manager to authenticate with the PI Data Archivecomputer when the
API is running on a workgroup computer.
1
module (r) / PIUnit (r) also assumes read permission for all modules in the hierarchy path above it
2
PIDS (r) is implicitly granted by PIPOINT (r)
3
PIHeadingSets (r) is implicitly granted by PIModules (r)
AF 2.x Client
Database Security Permission Notes
PIDS r
PIPOINT r,w
AF 1.3 Server
Database Security Permission Notes
PIDS r
PIModules r,w
PIPOINT r,w not required for SQL backend
1
Generic client application permissions that can operate on any module
AF 1.3 Client
Database Security Permission Notes
PIDS r
PIModules r
PIPOINT r,w w: only necessary for autocreate
option of PI PointData Reference
1
Generic client application permissions that can operate on any module
DataSheet Control
Database Security Permission Notes
PIUSER r
PIBatch r,w w: to create PIBatches, and to
insert PIUnitBatches into
PIBatches
PIModules r
PIPoint r
1
Generic client application permissions that can operate on any module
functionality to a different PI group. Users who do not belong to the specified regulatory user
groups within the DataSheet Control receive an error that indicates they do not have the
required permissions to commit or confirm data. See the DataSheet Control User Guide for more
information.
PI Server 3.4.380 continues to support PI groups for backwards compatibility. See What about
PI users and PI groups? for more information.
PI ACE
Database Security Permission Notes
PIModules r1,w2,3,4
PIPoint r1,w
PIDS r
PIMSGSS r1,w2
PIDBSec r2,3,4,5
1
In order for PI ACE Manager to look at ACE configuration, read permission is required for PIPoint and PIModules, as well as
on the Module Database.
2
PI ACE schedulers/hosts have two types of connection to the PI Data Archive server: PI SDK and PI API. The PI SDK
connections need read/write permission to the PIModules containing the ACE configuration. PI SDK connections also need
read permission for all data source points and digital states. The PI API connection needs read/write permission for all output
points for the PI ACE modules. Typically, a PI trust has to be setup for the PI API connection while the PI SDK connection can be
mapped to a Windows user. If PI ACE scheduler/host is running on a PI Data Archive server, it needs read/write permission to
the PIMSGSS to log messages.
3
Users of PI ACE Manager who configure and manage PI ACE calculations need read/write permission to PIModules. Most of
the tasks in PI ACE Manager only require read permission to the PIPoint table. Item 5 below describes the exception.
4
Users developing PI ACE calculations using the PI ACE wizard in a MS Visual Studio environment need read/write permission
to PIModules, and read permission to the data source tags, including the PIDS table.
5
PI ACE wizard includes the option to configure/create tags. To use this option, you need read/write permission to the PIPoint
table and read permission to PIDBSec.
6
Generic client application permissions that can operate on any module
PI BatchView
Database Security Permission Notes
PIBatch r r: to execute PIBatch queries,
retrieve anchored PIBatch
records, and detect updates to
PIBatch records
PIDS r r: to display tag data in the batch
trend
PIModules r r: required for all of the
following:
+ to access the unit properties
associated with the PIUnitBatch.
Both the Gantt and Results
require read access to show unit
name and heading properties.
+ to resolve aliases to a tag (for
the trend).
+ to execute queries for
PIUnitBatch records on a
particular unit
+ to detect updates to
PIUnitBatch and PISubBatch
records (to reflect on the results,
Gantt and Trend)
1
Generic client application permissions that can operate on any module
Without read access to an alias in the PIUnit, a warning will appear on the trend indicating that
the alias could not be resolved. Access to a tag's time series data (including its annotations)
and point attributes (such as description) are all controlled by the tag's DataSecurity and
PtSecurity, respectively.
PIUnitBatch records are stored in a special tag corresponding to the PIUnit. The name of this
tag is the same as the Unique ID of the PIUnit's module. Without read access to the
DataSecurity for this tag, PIUnitBatch records cannot be retrieved (by either a batch query or
anchored) and updates will not be detected, which may be indicated by an error for the batch
group symbol (if a specific unit path is used).
Caution:
The PI Data Archive will automatically edit the security of the underlying tag based on
changes to the security of the PIUnit's module. Thus, the tag's security attributes should
never be modified directly to ensure they do not get out of sync with the PIUnit's module.
Only the security of the PIUnit's module should be edited.
PI DataLink
Database Security Permission Notes
PIModules r
PIPOINT r
1
Generic client application permissions that can operate on any module
1
Generic client application permissions that can operate on any module
For more details, see "Kerberos authentication for PI DataLink Server" in Live Library (https://
livelibrary.osisoft.com).
PI Manual Logger
Database Security Permission Notes
PIModules r In version 2.x or greater
PIHeadingSets r In version 2.x or greater
PIPOINT r
PIUSER r
1
Generic client application permissions that can operate on any module
In PI-ML 2.3, the security checks within PI-ML itself have been removed, and PI-ML now relies
solely on the PI Data Archive server for its security. Thus, PI-ML 2.3 can fully leverage all the
new security features of thePI Server 3.4.380 server.
PI Notifications
Note:
This topic pertains to the legacy product. Prior to PI AF 2016 R2, PI Notifications was the
system component that built and maintained notifications. PI AF 2016 R2 and later
versions include notifications as a feature; it is no longer installed as a separate
component. The last version of PI Notifications was PI Notifications 2012. For more
information on current version of notifications, see the PI Server topic " Notifications" in
Live Library (https://livelibrary.osisoft.com).
1
Read permission for PI Notification client (e.g. PI System Explorer) is required to the PIDS and PIPoint tables as well as to the
data source tags and notification history tags.
2
PI Notification schedulers/processors have two types of connection to the PI Data Archive server: PI SDK and PI API.
The PI API connection needs read/write permission for notification history tags so that the
processor can create and edit these tags. Typically, you need a PI trust for the PI API connection
while the PI SDK connection can be mapped to a Windows user. If the PI Notification scheduler
and processors are running on a PI Data Archive server, then they also need read/write
permission to PIMSGSS for error message logging.
Developer Technologies
PI OLEDB Provider
Database Security Permission Notes
PIBatch r,w r,w: to query pibatch..pibatch or
pibatch..pibatchproperty tables
PICampaign r,w r,w: to query pibatch..picampaign
or pibatch..picampaignproperty
tables
PIDS r,w
PIHeadingSets r,w
PIModules r,w
PIPOINT r,w r,w: to connect to PI OLEDB
PITransferRecords r,w r,w: to query pibatch..pitransfer
or pibatch..pitransferproperty
tables
PIUSER r,w r,w: to query any table in the
piuser catalog
1
Generic client application permissions that can operate on any module
Determining which Windows identity to map depends upon how PI OPC DA Server is launched,
as follows:
• [Recommended] Connect to the PI Data Archive server via Windows Security with a PI
identity. The requirement for this option is to either use PI SDK or update PI API to PI API
2016 for Windows Integrated Security, as well as replacing any PI trusts with PI mappings
to your PI Identities. This option provides the best security measures between the PI Data
Archive server and the PI OPC DA Server.
• Connect to PI Data Archive server using both a PI trust and Windows Security. Set up a trust
for either the PI API connection or PI SDK connection, and use Windows Security for the PI
SDK connection or PI API 2016 for Windows Integrated Security connection. This option is
only recommended if Windows authentication is not feasible for your deployment. It is
slightly more secure than using PI trusts exclusively.
• Connect to the PI Data Archive server via a PI trust set up with a PI identity. This option is
only recommended if Windows authentication is not feasible for your deployment. It is least
secure option available between the PI Data Archive server and the PI OPC DA Server.
• [Recommended] Connect to the PI Data Archive server via Windows Security with a PI
identity. The requirement for this option is to update PI API to PI API 2016 for Windows
Integrated Security, as well as replacing any PI trusts with PI mappings to your PI Identities.
This option provides the best security measures between the PI Data Archive server and the
PI OPC HDA Server.
• Connect to PI Data Archive server using both a PI trust and Windows Security. Set up a trust
for the PI API connection and use Windows Security for the PI SDK connection. This option
is only recommended if Windows authentication is not feasible for your deployment. It is
slightly more secure than using PI trusts only.
• Connect to the PI Data Archive server via a PI trust set up with a PI identity. This option is
only recommended if Windows authentication is not feasible for your deployment. It is least
secure option available between the PI Data Archive server and the PI OPC HDA Server.
PI ProcessBook
Database Security Permission Notes
PIBatch r
PICampaign r
PIDBSEC r
PIDS r
PIHeadingSets r
PIModules r
PIPOINT r,w1 r,w: to use the annotation feature
of the PI ProcessBook Details
add-in
PITransferRecords r
PIUSER r
1
Write access not required if you have PI SDK 1.4 or later installed
2
Generic client application permissions that can operate on any module
Note:
PI ProcessBook displays that contain custom VBA code might require additional security
configuration depending on what PI SDK calls are invoked.
RtAlerts
Database Security Permission Notes
PIDS r
PIModules r,w
PIPOINT r
1
Generic client application permissions that can operate on any module
1
Generic client application permissions that can operate on any module
1
Generic client application permissions that can operate on any module
PIPOINT r
PIUSER r
1
Generic client application permissions that can operate on any module
• UserID, or user mapping, used when connecting the client machine to the Web server to
ensure that queries for PI System data use the identity of the end user who makes the
request.
• ProcessID, or process mapping, used in the Web server connection to the PI Data Archive
server to allow the Web server to process all updates to data and configuration on behalf of
all end users.
To identify the UserID and ProcessID used in a given session:
• In PI WebParts, open the PI Data Services Administration page and click the PI Data Services
link in the Version Information section to review the user mapping and the process mapping
found in the Server Machine Information section.
• If you are using PI Web Services, open IIS Manager and select the Application Pools node to
view the Windows identity that is used. Then, use PI SMT to inspect the PI identity to which
the Windows identity is mapped.
To take advantage of Windows Integrated Security:
• Both the UserID and the ProcessID need to be valid Active Directory users with at least one
mapping between a PI identity and a Windows identity. OSIsoft recommends that you map
the UserID and the ProcessID to two different PI identities, but this is not mandatory.
• Kerberos delegation must be configured between the Web server and PI Data Archive if you
are using PI Web Services, or between the SharePoint Server and PI Data Archive if you are
using PI WebParts.
• The client machine must belong to the same Active Directory forest.
For instructions on setting up the Kerberos environment, see the PI WebParts topic
"Configuration of Kerberos delegation" in Live Library (https://livelibrary.osisoft.com).
Note:
If membership in an AD group used in a PI mapping is modified, or if a relevant PI
mapping itself is modified, you might need to restart IIS.
Interfaces
This section provides access permissions required for PI interfaces.
1
Interfaces with separate utilities that create points (for example, PI-Perfmon, PI-Ping, SNMP, etc.) and run from PI SMT only
require that you have read access for PIPOINT.
PI to PI TCP/IP Interface
Database Security Source PI Data Archive Receiving PI Data Notes
Server Archive Server
PIPOINT r r
PI APS
Database Security PI APS Sync Engine Sync Trigger PItoPI_APS
Configuration
Utility
PIDS None for read-only r,w: for automatic r
mode; r,w: to set/state creation
interactively create and edits (for
or edit digital sets/ digital points);r:
states(for digital for non-automatic
points) modes
PIModules r: to review APS r,w r,w
configuration; r,w:
to change APS
configuration
PIPOINT None for read-only r,w: for automatic r
mode; r,w: to point creation;r:
interactively create for non-automatic
or delete points modes
1
The Synchronization Engine runs as a service and therefore requires some form of automatic log on (either a PI trust or new
PI mapping).
2
Synchronization Trigger is also a service and therefore requires some form of automatic log on. Without write permission for
the Module Database, Synchronization Trigger is non-functional. Synchronization Trigger only uses the Module Database (no
point access).
3
The PItoPI_APS Connector requires read permission to points on the source PI Data Archive server. Since PIAPS Connectors
run inside the Synchronization Engine process, which is a service, some form of automatic log on to the source PI Data Archive
server is required. That is, the Synchronization Engine that is running the PItoPI_APS Connector requires automatic log on to
two PI Data Archive servers: the target PI Data Archive server and the source PI Data Archive server. The method of connection
and the access rights granted do not need to be the same for both PI Data Archive servers. The Synchronization Engine only
needs read access to the PIPOINT and PIDS tables on the source PI Data Archive server for the PItoPI_APS Connector to
function. However, the Synchronization Engine requires read and write access to the PIPOINT and PIDS tables for automatic
point creation on the target PI Data Archive server. For non-automatic modes, only read access is needed (on the target PI Data
Archive server).
4
Generic client application permissions that can operate on any module
The PIAPS Synchronization Engine and PI APS Synchronization Trigger service are both
Windows services. You need to set up either a PI trust or a PI mapping to connect each of them
to the PI Data Archive server. The PIAPS Configuration Utility is an interactive application, so
you can use a PI mapping or PI trust to a PI Data Archive server User account. PI mappings are
the most secure option; PI trusts are the least secure. Use PI mappings where possible (PI
mappings require PI Data Archive version 3.4.380 and PI SDK 1.3.6 or later).
Note:
PI API 2016 for Windows Integrated Security does not support PI trusts, requiring that
you use PI mappings to connect with the PI Data Archive server.
• Write access for the PIModules table (Database Security) in order to create modules
• Write access for the %OSI module in order to create the AutoPointSync module
• Write access for the AutoPointSync hierarchy to register interface instances with PIAPS, to
change configuration settings, or to manually initiate a synchronization scan. Read access is
sufficient to view configuration settings.
The PIAPS Synchronization Engine and PIAPS Synchronization Trigger service require write
access for modules in the AutoPointSync hierarchy for normal operation.
PI ICU
Database Security Permission Notes
PIDS r,w w: to create "InterfaceStatus"
digital set if it does not exist
PIModules r,w
PIPOINT r,w w: to create or delete Perfmon
Performance Counter Points,
UniInt Performance Points, or
UniInt Health Points
1
Generic client application permissions that can operate on any module
Configuring PI ICU
When PI ICU is installed on an interface node, the PI ICU obtains permissions to access PI Data
Archive objects by logging on with some form of credentials. The PI Data Archive server
authenticates these credentials and establishes a security context for each client program. The
security context is specific to the credentials used to log on. Each securable PI Data Archive
object has access control information. Authorization for a client program to access a securable
PI Data Archive object is determined by comparing information in the security context with the
access control information for the object.
Several methods are available for logging on:
• Explicit login
• PI trust
• PI mapping (requires PI Server version 3.4.380 or later and PI SDK 1.3.6 or later)
The PI ICU is an interactive application and all the methods for logging on to the PI Data
Archive server can be used.
If the PI Server server is version 3.4.380 or later, OSIsoft recommends using Windows security
through PI mappings. Windows security provides the strongest authentication and full
Windows account traceability in the PI Data Archive log and audit trail records.
• Write access for the PIModules table (Database Security) in order to create modules
• Write access for the %OSI module in order to create the interfaces module
• Write access for the interfaces hierarchy to register interface instances with PI ICU and to
change configuration settings
If using local Windows security, determine which (only if using local Windows security) See
local Windows groups are needed and which Configure Windows groups
identities to map them to
If using local Windows security, configure (only if using local Windows security) See Use
matching Windows user accounts and passwords local Windows security or Use local Windows
on PI Data Archive server and client workstations security with AD
Create the mappings for AD: Map AD groups to PI identities
for local Windows security: Create mappings