Required PI Server configuration
Last Updated: Oct 23, 2023
This section provides the information that you need to configure:
- Connection and authentication methods for PI ICU.
- PI Server security to grant the required access rights to these connections.
When PI ICU is installed on an interface node, PI ICU obtains permissions to access PI Server objects by logging on with some form of credentials. The PI Server authenticates these credentials and establishes a security context for each client program. The security context is specific to the credentials used to log on. Each securable PI Server object has access control information. Authorization for a client program to access a securable PI Server object is determined by comparing information in the security context with the access control information for the object.
Several methods are available for logging on:
- This is the least secure authentication method available.
- PI trust
- PI mapping (requires PI Server version 3.4.380 or later and PI SDK 1.3.6 or later)
PI ICU is an interactive application and all the methods for logging on to the PI Server can be used.
If the PI Server is version 3.4.380 or later, we recommend using Windows security through PI mappings. Windows security provides the strongest authentication and full Windows account traceability in the PI Server log and audit trail records.
Refer to the PI Server documentation for details about how to create PI trusts or PI mappings.
PI Module Database permissions
PI ICU creates the module Interfaces under the %OSI module. PI ICU configuration settings are stored in a hierarchy of modules under the Interfaces module.
PI ICU requires the following:
- Write access for the PIModules table (Database Security) in order to create modules.
- Write access for the %OSI module in order to create the Interfaces module.
- Write access for the Interfaces hierarchy to register interface instances with PI ICU and to change configuration settings.
Digital state table permissions
When PI ICU starts, it checks for the existence of a digital set named . If this digital set does not exist, PI ICU requires write access for the PI Server digital state table (PIDS in Database Security) to create the digital set.
When UniInt failover is configured for an interface instance, PI ICU checks for the existence of a digital set that is used by special UniInt failover digital points. If this digital set does not exist, PI ICU requires write access for the PI Server digital state table (PIDS).
The PI ICU controls for some interfaces have the ability to create specific digital sets that are needed by the interface. Consult the PI ICU control section in the user guide for each interface that PI ICU will manage. Since PI ICU controls run inside the PI ICU process, PI ICU requires write access for the PI Server digital state table for an ICU Control to create digital sets.
PI point database permissions
PI ICU can create, edit, or delete the following types of points that are common to UniInt-based interfaces:
- PI Perfmon interface performance counter points
- UniInt performance points
- UniInt health points
To create or delete these types of points, PI ICU requires write access for the PI Server PIPoint table (database security).
To edit or delete individual points of these types, PI ICU requires write access for each point. PI points have two sets of security attributes: one set controls access to the point attributes and the other set controls access to the point data. PI ICU needs write access for point attributes of these types of points. PI ICU does not access point data.
The PI ICU controls for some interfaces have the ability to create interface-specific points. Consult the user guide for each interface that PI ICU will manage. Since PI ICU controls run inside the PI ICU process, PI ICU requires write access for the PI Server PIPoint table for an ICU Control to create points.
Access permissions summary
This section summarizes the access permissions that PI ICU requires for PI Server securable objects.
| PI Securable object | Access permissions |
|---|---|
| PIDBSEC table | R |
| PIModules table | RW |
| %OSI module | RW |
| %OSI\Interfaces module and all submodules | RW |
| PIPoint table | RW |
| Individual PI points (PtAccess or PtSecurity attribute) | RW |
| PIDS table | RW |
With the access permissions in this table, PI ICU can perform all its functions.
PI mappings and security permissions
For PI Server version 3.4.380 or later, PI mappings can be created that allow PI ICU to log on automatically. For details about PI mappings, see the PI Server documentation.
The Windows accounts that are allowed to run PI ICU must map to a PI identity that has the access permissions in the table in the “Access permissions summary” section above.
PI trust and security permissions
To grant the required security permissions to PI ICU, a PI trust can be created that allows PI ICU from a specific computer, or from any computer, to log on automatically. For details about PI trusts, see the PI Server documentation.
Prior to PI Server version 3.4.380, PI trusts specify a PI user to log on. With PI Server version 3.4.380 and later, the PIUser attribute of a PI trust can also be a PI identity or PI group. In the following PI trust example, replace identity with a PI user, PI group, or PI identity, depending on the PI Server version.
You can change the trust name to any unique name. For example, if multiple interface nodes are used with one PI Server, the trust names for PI ICU on each computer must be different.
PI trusts can specify the trusted interface node by either its network node name or IP address. If a name resolution service, like DNS, is available, OSIsoft recommends using the IPHost attribute as shown in the following example. To specify the interface node by IP address, replace the IPHost attribute with the IPAddr attribute, which must be accompanied by the NetMask attribute.
The following trust allows PI ICU on the computer named in the trust to log on automatically to the PI Server:
Trust = PIICUTrust
AppName = PI-ICU.exe
IPHOST = Host name of the computer where PI ICU is located
PIUser = identity
In this trust the identity must have the access permissions in the table in the “Access permissions summary” section.
Note: With this PI trust, anyone who can log on to the interface node can use PI ICU to change interface configuration settings. To restrict the ability to change interface configuration settings, add the Domain and OSUser attributes to the trust definition and create individual PI trusts for each Windows account that is allowed to change interface settings.
OSIsoft recommends PI mappings over PI trusts to control the Windows accounts that have access to PI ICU.
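The trust conditions described above can be checked mechanically when reviewing trust definitions. The following is an added example, not OSIsoft code: it assumes trusts are written out in the "Attribute = value" listing style used on this page, one blank line between trusts, and the host, domain and account names in the sample are constructed placeholders.

```python
import re

# Constructed sample in the page's listing style; names and addresses are placeholders.
SAMPLE = """\
Trust = PIICUTrust
AppName = PI-ICU.exe
IPHost = ifnode01
PIUser = identity

Trust = PIICUTrust-jsmith
AppName = PI-ICU.exe
IPHost = ifnode02
Domain = EXAMPLE
OSUser = jsmith
PIUser = identity

Trust = PIICUTrust
AppName = PI-ICU.exe
IPAddr = 192.0.2.10
PIUser = identity
"""

def parse_trusts(text):
    """Split blank-line-separated blocks into dicts keyed by lower-cased attribute."""
    trusts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                attrs[key.strip().lower()] = value.strip()
        trusts.append(attrs)
    return trusts

def audit_trusts(trusts):
    """Return (trust name, finding) pairs for the conditions the page describes."""
    findings, seen = [], set()
    for t in trusts:
        name = t.get("trust", "<unnamed>")
        if name in seen:
            findings.append((name, "duplicate trust name"))
        seen.add(name)
        if not (t.get("domain") and t.get("osuser")):
            findings.append((name, "no Domain/OSUser: any account on the node can use it"))
        if not (t.get("iphost") or t.get("ipaddr")):
            findings.append((name, "no IPHost/IPAddr: matches any computer"))
        if t.get("ipaddr") and not t.get("netmask"):
            findings.append((name, "IPAddr without NetMask"))
    return findings
```

Calling `audit_trusts(parse_trusts(SAMPLE))` reports the first and third sample trusts and leaves the per-account trust with Domain and OSUser set unflagged.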