About PI identities, PI users, and PI groups

PI identities, PI users, and PI groups are used for Data Archive security. Computer security includes:

• Authentication

  Who is the user, and how do we confirm that users are really who they say they are?

• Authorization

  Once we know who the user is, what is that user allowed to do? Authorization is synonymous with Data Archive access permissions.

Data Archive access permissions (authorization) can be defined for PI identities, PI users, and PI groups. The differences arise in the authentication configuration.

You can use these authentication methods for Data Archive:

• Windows authentication

• PI trusts (only with PI API 1.6.8 or earlier)

• PI user account logins (only with PI API 1.6.8 or earlier)

  The following table shows which components you can use for which types of authentication. See also Data Archive authentication methods.

  Component	Windows authentication?	Trusts?	Explicit user logins on Data Archive? (insecure authentication method)
  PI identities	Yes	No, if using PI API 2016 for Windows Integrated Security. Yes, if using PI API 1.6.8 or earlier.	No
  PI users	Yes	Yes	Yes
  PI groups	Yes	Yes	No

When configuring Data Archive authentication, we recommend that you use PI identities and authenticate through Windows security. PI identities do not imply individual user accounts or groups on the Data Archive server.

PI users and PI groups are legacy components. When you use them for Windows authentication, you might create some confusion about the role of the PI user or the PI group on the Data Archive server. Are these components being used to manage actual PI user accounts, are they used only for trusts and mappings, or are they used for both?

If you are creating a new component to use in a mapping or a trust, use a PI identity to avoid confusion. If Windows authentication is not possible and you need to authenticate your users directly on the Data Archive server, then you must use PI users and PI groups.