OMF endpoint security model
- Last Updated: Mar 20, 2026
The OMF endpoint in PI Web API follows the same authentication and authorization model as other PI Web API endpoints. Requests are authenticated using one of the supported authentication methods, and PI Web API then accesses PI System resources on behalf of either the authenticated user or its service account.
As a result, the permissions required to send OMF data depend on both the authentication method used and the PI Data Archive and Asset Framework resources being accessed.
- If using Kerberos (given that Kerberos delegation is properly set up) or Basic authentication, PI Web API impersonates the authenticated Windows user on the PI resource servers, such as Data Archive (DA) or Asset Framework (AF).
- If using Bearer authentication, PI Web API uses the provided access token when accessing the PI System. The user making the requests must have proper permissions on the DA or AF Server.
- If using Anonymous authentication, PI Web API uses its service account to access PI DA or AF.
Required Permissions by PI Component
The following tables summarize the minimum permissions required on the PI Data Archive and Asset Framework to successfully send OMF data through the PI Web API endpoint. With the exception of the PI Buffer Subsystem, the requesting user must have the permissions specified for each task.
Note: When operating in Anonymous mode, the PI Web API service account requires the designated permissions instead of the user making the request.
PI Data Archive
The following table lists the minimum PI Data Archive database-level permissions required to create OMF resources, such as PI Points and digital states.
| Administration Task | Required Permissions | Description |
|---|---|---|
| Create PI Point | PIPoint (read,write) | Controls top-level access to Points, Point Classes, and Attribute Sets. Those assets are used for OMF Containers (PI Points). |
| Create Digital States associated with Points | PIDS (read,write) | Controls access to Digital States and Digital Sets. Those assets are used for OMF Enums (Digital States). |
Point Security
The following table describes the point-level security permissions required to write OMF data to existing PI Points through PI Web API:
| Administration Task | Required Permissions | Description |
|---|---|---|
| Edit PI Points | PtSecurity (read,write) | Non-OMF PI Point configuration will be overwritten. These changes are irreversible. The PointSource changes to PIWebAPI_OMF and the Extended descriptor (ExDesc) is overwritten with the required contents. |
| Write Data | DataSecurity (write) | Access to the time series (Snapshot and Archive) data values to each PI Point. Note: The PI Buffer Subsystem requires this permission, along with the end user account. |
Asset Framework
The following table lists the minimum Asset Framework permissions required to create and manage OMF-related assets, such as element templates, elements, and enumeration sets.
| Administration Task | Required Permissions | Description |
|---|---|---|
| Server | Read | Controls access to the PI AF Server. |
| Server - OMF Database | Read | Controls access to the OMF Database. |
| Server - Unit-of-Measure Database | Read | Controls access to the Unit-of-Measure Database. Note: OMF does not support creating a new UOM in the AF Server. |
| Server - OMF Database - Element Templates | Read, Write, Delete | Controls access to AF Element Templates. Those assets are used for OMF Types. |
| Server - OMF Database - Elements | Read, Write, Delete | Controls access to AF Elements. Those assets are used for OMF Static Data. |
| Server - OMF Database - Enumeration Sets | Read, Write, Delete | Controls access to AF Enumeration Sets. Those assets are used for OMF Enums. |
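
The identity rules and minimum permissions above can be combined into a least-privilege gap check. The following is an added example, not code from the PI Web API documentation or product; the grants dictionary format, the shortened securable labels, and the account names are assumptions made for illustration.

```python
# Minimum rights from the tables above. Securable labels are shortened names
# chosen for this example; the grants format below is an assumption.
REQUIRED = {
    "PIPoint": {"read", "write"},           # create PI Points (OMF Containers)
    "PIDS": {"read", "write"},              # digital states (OMF Enums)
    "PtSecurity": {"read", "write"},        # edit existing PI Points
    "DataSecurity": {"write"},              # write time series values
    "AF Server": {"read"},
    "AF OMF Database": {"read"},
    "AF UOM Database": {"read"},
    "AF Element Templates": {"read", "write", "delete"},  # OMF Types
    "AF Elements": {"read", "write", "delete"},           # OMF Static Data
    "AF Enumeration Sets": {"read", "write", "delete"},   # OMF Enums
}

def effective_identity(auth_method, user, service_account):
    """Return the account whose permissions the PI servers evaluate."""
    method = auth_method.lower()
    if method in ("kerberos", "basic", "bearer"):
        return user             # impersonated user, or the user behind the token
    if method == "anonymous":
        return service_account  # PI Web API acts as its own service account
    raise ValueError(f"unsupported authentication method: {auth_method}")

def audit(auth_method, user, service_account, grants, buffer_account=None):
    """grants: {account: {securable: set of rights}}.
    Returns (identity, missing, excess) keyed by "account/securable"."""
    identity = effective_identity(auth_method, user, service_account)
    held = grants.get(identity, {})
    missing, excess = {}, {}
    for securable, need in REQUIRED.items():
        have = held.get(securable, set())
        if need - have:
            missing[f"{identity}/{securable}"] = need - have
        if have - need:
            excess[f"{identity}/{securable}"] = have - need
    # The PI Buffer Subsystem needs DataSecurity write in addition to the identity.
    if buffer_account is not None:
        if "write" not in grants.get(buffer_account, {}).get("DataSecurity", set()):
            missing[f"{buffer_account}/DataSecurity"] = {"write"}
    return identity, missing, excess

# Constructed sample inventory (account names are hypothetical).
SAMPLE_GRANTS = {
    "PLANT\\omf-writer": {**{s: set(r) for s, r in REQUIRED.items()},
                          "PtSecurity": {"read"}},
    "PLANT\\svc-piwebapi": {"AF Server": {"read", "write"}},
    "PLANT\\svc-pibufss": {"DataSecurity": {"read"}},
}
```

Running `audit` once per authentication method enabled on the endpoint shows which account actually needs each grant. In Anonymous mode, the rights held by the calling user play no part in the result.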