
PI Interface for OPC DA

Best practices

  • Last Updated: May 21, 2025

For more information about security for OPC, see DCOM Security and Configuration.

For more information about configuring security for Data Archive, see PI Server Configuring PI Server Security.

Interface installation requires an administrator account for the following tasks:

  • Installing the interface software

  • Creating the interface service account

  • Creating, editing, and removing the interface service

  • Adding, updating, and removing performance counters

Security considerations for the service accounts of PI Interfaces based on the UniInt framework are discussed in the PI Universal Interface (UniInt) User Guide.

Note: To ensure that PI buffering functions properly, the user specified in the "Log on as" portion of the Service tab must be a member of the "PI Buffering Administrators" or the "PI Buffer Writers" user group. A virtual service account can be added to those local groups, just like any local or domain account. Failure to add the user to at least one of these user groups could result in a failure to buffer data. For more details, see the PI Buffer Subsystem user guide.
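The following PowerShell check is an added example, not part of the AVEVA documentation. It reads the "Log on as" account of the interface service and reports whether that account is a direct member of either buffering group. The service name is a placeholder you must replace, and membership that arrives only through a nested domain group is not detected.

```powershell
# Added example: verify the interface service account's buffering group membership.
# '<interface-service-name>' is a placeholder; pass the real service name.
param([string]$ServiceName = '<interface-service-name>')

# Local group names as given in the note above.
$groups = 'PI Buffering Administrators', 'PI Buffer Writers'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this machine." }

# Normalise the "Log on as" value so it can be translated to a SID.
# Virtual accounts (NT SERVICE\<name>) and DOMAIN\user values pass through unchanged.
$account = switch -Regex ($svc.StartName) {
    '^LocalSystem$' { 'NT AUTHORITY\SYSTEM' }
    '^\.\\(.+)$'    { "$env:COMPUTERNAME\$($Matches[1])" }
    default         { $svc.StartName }
}

# Compare by SID rather than by name to avoid DOMAIN\user vs. user@domain mismatches.
$nt  = New-Object System.Security.Principal.NTAccount($account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

$memberOf = foreach ($g in $groups) {
    # A missing group is treated as "not a member" rather than a fatal error.
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    if ($members.SID.Value -contains $sid) { $g }
}

[pscustomobject]@{
    Service        = $svc.Name
    LogOnAs        = $account
    Sid            = $sid
    BufferGroups   = @($memberOf) -join ', '
    BufferingReady = [bool]$memberOf
}

if (-not $memberOf) {
    Write-Warning "$account is in neither buffering group; buffered data may fail to be written."
}
```

Run it on the interface node from an elevated session so that the local group membership can be read.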

For more information about managing Data Archive security and trusts, see the PI Server System Management Guide.

Authentication and authorization

In order for the interface to connect to Data Archive, the interface service account must be authenticated and authorized for communications. This requires configuring security for the applications that connect to Data Archive. For more information about authentication and authorization for interfaces, see the PI Universal Interface (UniInt) User Guide.

Note: When configuring PI users and PI groups for the interface, avoid using the piadmin super-user or the piadmins group. These built-in users and groups have high-level privileges that can pose security risks.

PI point security and allowlist files

PI point security can be configured for user access to the point attributes using the ptsecurity attribute, and user access to the point data using the datasecurity attribute.

For output points, the zero and span attributes can be used to specify the minimum and maximum values allowed by the output point.

For all interfaces that can write to the data source, AVEVA recommends configuring a file of allowed output points from Data Archive to the data source. Create an allowlist of output points to specify authorized point updates to the data source. When using an allowlist, the interface verifies an output point against the list before updating the data source. The allowlist file is a comma-separated values (.csv) file that contains a list of valid output points and any attributes necessary to specify the output points and their intended location within the data source. Use an empty allowlist file if you do not need outputs to the data source. Enable use of the allowlist using the /whitelist=path/filename startup parameter.

For more information about configuring the allowlist file and the startup file parameter to enable the allowlist file, see Learn about allowlist file configurations or the PI Universal Interface (UniInt) User Guide.

DCOM security

OPC server and client applications are based on Microsoft's COM/DCOM communication model. For an overview, see DCOM configuration.

For more information about DCOM security for PI OPC products, see the DCOM Security and Configuration Guide.
