
PI System Management Tools

Learn about security synchronization guidelines

  • Last Updated: Feb 12, 2025

To minimize security synchronization problems, follow these guidelines:

  • The Data Archive server and PI AF server must be in the same domain, in trusted domains, or in a trusted forest.

  • Make sure the access permissions on PIModules in PI Database security are the same as the access permissions on the Data Archive element in PI AF. You can edit the access permissions on PIModules using the Database Security tool in PI SMT (Security > Database Security).

  • Use Windows authentication on the Data Archive server for all PI MDB access. All the PI identities, users, and groups that have access to Modules must have explicit mappings. Furthermore, the Windows accounts from these mappings must be used directly in the PI AF permissions.

    For example, suppose the Windows user Bob belongs to a group BobGroup, and BobGroup is mapped to a PI identity called ModuleAccessIdentity. ModuleAccessIdentity has access to a module on the Data Archive server. When modifying the security of the corresponding element in PI AF, you should use BobGroup, not the user Bob, because BobGroup is the Windows account specified in the mapping.

  • Do not delete mappings that are needed by module security. If you delete a mapping that is needed by a module, then the access permissions for PI AF and PI MDB will no longer be synchronized, and you will not be able to edit the security of the affected module.

  • Make sure that no users rely on PIWorld for PI MDB access. PIWorld cannot be mapped, and access permissions defined for PIWorld are not reflected to PI AF.

  • Make sure that no users rely on piadmin for PI MDB access. The piadmin PI user has unrestricted read and write access to everything on the Data Archive server. Thus, we recommend that you do not map piadmin and do not use it for routine access to the Data Archive server. Reserve piadmin exclusively for the very few and rarely executed administrative tasks that no other PI identity can perform.

  • In PI AF, do not use deny access for any element under the Data Archive element. PI AF allows you to explicitly deny access, but Data Archive does not. If you use deny on an element in PI AF, then everyone except piadmin will lose all access to the corresponding module.
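The guidelines above can be checked mechanically against exported security settings. The following is an added example, not code from the PI System documentation or tooling: it audits one module and its PI AF element for PIWorld access, a mapped piadmin, unmapped identities, deny entries, and AF permissions granted to an account other than the one in the mapping. The input layout (an ACL string of the form `name: A(r,w) | ...`, rights reduced to read/write, the `CORP\` account names, and the finding labels) is assumed for illustration.

```python
import re

# Constructed sample data. The "name: A(r,w) | ..." ACL string layout and the
# CORP\ account names are assumptions; the other names come from the page.
MAPPINGS = {r"CORP\BobGroup": "ModuleAccessIdentity"}   # Windows account -> PI identity
MODULE_ACL = "piadmin: A(r,w) | ModuleAccessIdentity: A(r,w) | PIWorld: A(r)"
AF_ACES = [(r"CORP\Bob", "allow", "r,w"),               # (account, type, rights)
           (r"CORP\Contractors", "deny", "r")]

def parse_acl(acl):
    """Turn 'name: A(r,w) | name2: A(r)' into {name: {'r', 'w'}}."""
    parsed = {}
    for entry in acl.split("|"):
        m = re.fullmatch(r"\s*(.+?)\s*:\s*A\(([rw,\s]*)\)\s*", entry)
        if not m:
            raise ValueError(f"unrecognized ACL entry: {entry!r}")
        parsed[m.group(1)] = {r for r in re.split(r"[,\s]+", m.group(2)) if r}
    return parsed

def audit(mappings, module_acl, af_aces):
    """Return (rule, subject) findings for one module and its AF element."""
    findings = []
    identity_to_accounts = {}
    for account, identity in mappings.items():
        identity_to_accounts.setdefault(identity, []).append(account)
        if identity.lower() == "piadmin":
            findings.append(("piadmin-mapped", account))
    expected = {}                      # Windows account -> rights AF should grant
    for identity, rights in parse_acl(module_acl).items():
        if not rights or identity.lower() == "piadmin":
            continue                   # piadmin always has access and stays unmapped
        if identity.lower() == "piworld":
            findings.append(("piworld-access", identity))   # PIWorld cannot be mapped
        elif identity not in identity_to_accounts:
            findings.append(("unmapped-identity", identity))
        for account in identity_to_accounts.get(identity, []):
            expected.setdefault(account, set()).update(rights)
    granted = set()
    for account, ace_type, rights in af_aces:
        if ace_type == "deny":
            findings.append(("af-deny", account))
        elif account not in expected:
            findings.append(("af-account-not-in-mapping", account))
        elif set(rights.split(",")) != expected[account]:
            findings.append(("rights-mismatch", account))
        granted.add(account)
    findings += [("missing-in-af", a) for a in expected if a not in granted]
    return findings
```

On the constructed sample, `audit(MAPPINGS, MODULE_ACL, AF_ACES)` reports the PIWorult-independent problems in one pass: PIWorld access, the AF entry for Bob instead of BobGroup, the deny entry, and the missing BobGroup entry in PI AF.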
