Understanding the security levels
- Last Updated: Oct 04, 2024
- PI System
- PI Server 2023
- PI Server
The available security levels are based on the relative security of different methods of authentication on the Data Archive server. We recommend that you use Windows authentication wherever possible.
The security levels are:
- Blank passwords not allowed
Data Archive user passwords provide a minimal level of security for the Data Archive server. If you are going to use individual PI user accounts to manage the Data Archive server, at least require that the user accounts be protected by passwords. When this option is selected, PI user accounts that do not have passwords cannot authenticate on the Data Archive server.
Before you enable this security setting, create temporary passwords for all your user accounts. Ask users to change the passwords immediately.
- Explicit login for piadmin disabled
piadmin is the Data Archive super-user account. A person authenticated as piadmin can perform any task on the Data Archive server. Since explicit logins (PI user accounts and passwords) are the least secure authentication method, we recommend disabling this access for piadmin.
Note: The piadmin account can still be accessed locally in PI SMT and other client applications through a default trust. To allow remote access to the piadmin account, you can create a mapping or a trust.
- Explicit login disabled
This is the recommended security level for Data Archive servers configured for Windows authentication. Before you disable explicit logins altogether, make sure that you have adequate access through mappings and trusts. Note also that you need SDK 1.3.6 or later for Windows authentication.
On new Data Archive installations, explicit logins are disabled by default. During upgrades, you have the option to disable them.
- SDK trusts disabled
PI SDK 1.3.6 and later supports Windows authentication. You can replace SDK trusts with Windows authentication.
- API trusts disabled
When API trusts are disabled, you can only access the Data Archive server through piconfig or through Windows authentication. The API does not support Windows authentication, so all applications that connect through the API are locked out. This can include PI interfaces. This is not a recommended security configuration for many Data Archive servers.
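A pre-change lockout check for the levels listed above, as an added example that is not part of the original documentation or of any PI System tool. It assumes each level also applies the restrictions of the levels before it; `Level`, `Conn`, the method labels and the sample clients are hypothetical names constructed for illustration.

```python
from enum import IntEnum
from typing import NamedTuple, Optional
class Level(IntEnum):
    # Order follows the list above; cumulative levels are an assumption here.
    ALL_ALLOWED = 0
    NO_BLANK_PASSWORDS = 1
    NO_PIADMIN_EXPLICIT = 2
    NO_EXPLICIT = 3
    NO_SDK_TRUSTS = 4
    NO_API_TRUSTS = 5

class Conn(NamedTuple):  # hypothetical inventory record
    client: str
    account: str
    method: str  # "explicit", "sdk_trust", "api_trust", "windows" or "piconfig"
    blank_password: bool = False

def blocked_reason(level: Level, c: Conn) -> Optional[str]:
    # Why connection c stops authenticating at `level`, or None if it still works.
    if c.method == "explicit":
        if level >= Level.NO_EXPLICIT:
            return "explicit login disabled"
        if level >= Level.NO_PIADMIN_EXPLICIT and c.account.lower() == "piadmin":
            return "explicit login for piadmin disabled"
        if level >= Level.NO_BLANK_PASSWORDS and c.blank_password:
            return "blank passwords not allowed"
    elif c.method == "sdk_trust" and level >= Level.NO_SDK_TRUSTS:
        return "SDK trusts disabled"
    elif c.method == "api_trust" and level >= Level.NO_API_TRUSTS:
        return "API trusts disabled"
    return None  # Windows authentication and piconfig remain available

def lockouts(level, inventory):
    # Every (client, reason) pair to migrate before moving the server to `level`.
    return [(c.client, r) for c in inventory if (r := blocked_reason(level, c))]

def highest_safe_level(inventory):
    for level in Level:
        if lockouts(level, inventory):
            return Level(level - 1)  # ALL_ALLOWED never blocks, so this is >= 0
    return Level.NO_API_TRUSTS

# Constructed sample inventory, not taken from a real server.
INVENTORY = [
    Conn("operator-hmi", "operator1", "explicit", blank_password=True),
    Conn("admin-laptop", "piadmin", "explicit"),
    Conn("reporting-app", "pireports", "sdk_trust"),
    Conn("opc-interface", "piinterface", "api_trust"),
]
```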