Understand how to identify user access categories
- Last Updated: Feb 12, 2025
- PI Server 2024 R2
The first step in the security configuration is to determine:
- Who needs to use the Data Archive server?
- What Data Archive resources do they need to access?
- What level of access do they need for each resource? (Read access? Read/write access?)
Define categories of users that need the same set of access permissions. These will be your PI identities. You can have as many categories as you want. Typical PI installations start from one of the following basic models:
- Two-category model: operators/admins
  Data Archive users are divided into two categories, which we refer to here as operators and administrators. The operator category gets read-only access to all Data Archive resources. The administrator category gets read/write access to all Data Archive resources.
- Three-category model: operators/admins/ITadmins
  This model adds a third category, which we will refer to as IT administrators. The IT administrator category has read/write access to only a subset of Data Archive resources. This model allows you to give separate access permissions to IT administrators for some tasks such as backups.
- Four-category model: operators/admins/ITadmins/engineers
  In this model, we add an engineers category. The engineers category gets read/write access to the point database and the module database, allowing them to create and delete modules and points. However, the engineers category does not get permissions for administrative tasks, such as managing identities, users, and groups.
These category models are presented as examples. You can adjust them to suit your needs or you can use your own strategy entirely. In some cases you might need a higher level of granularity in the access permissions. For example, different categories of users might need to be able to read from, write to, or configure different points.
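The grouping step described above, as an added example that is not part of the original documentation: users whose access needs are identical are collapsed into one candidate category (a future PI identity), and the result is checked for who ends up with write access to a sensitive resource. The user names, resource labels and the access survey are constructed for illustration; the labels are not Data Archive table names.

```python
from collections import defaultdict

# Constructed survey: user -> {resource: access level}, "r" or "rw".
# Resource labels are illustrative, not Data Archive table names.
REQUIREMENTS = {
    "alice": {"points": "r",  "modules": "r",  "backups": "r",  "identities": "r"},
    "bob":   {"points": "r",  "modules": "r",  "backups": "r",  "identities": "r"},
    "carol": {"points": "rw", "modules": "rw", "backups": "rw", "identities": "rw"},
    "dave":  {"points": "r",  "modules": "r",  "backups": "rw", "identities": "r"},
    "erin":  {"points": "rw", "modules": "rw", "backups": "r",  "identities": "r"},
    "frank": {"points": "rw", "modules": "rw", "backups": "r",  "identities": "r"},
}


def derive_categories(requirements):
    """Group users with identical permission sets; each group is one candidate category."""
    groups = defaultdict(list)
    for user, perms in requirements.items():
        # Sort so that the same permissions always produce the same key.
        key = tuple(sorted(perms.items()))
        groups[key].append(user)
    return {key: sorted(users) for key, users in groups.items()}


def writers(categories, resource):
    """Return the users whose category includes write access to `resource`."""
    found = []
    for key, users in categories.items():
        if "w" in dict(key).get(resource, ""):
            found.extend(users)
    return sorted(found)


if __name__ == "__main__":
    categories = derive_categories(REQUIREMENTS)
    for number, (key, users) in enumerate(categories.items(), start=1):
        access = ", ".join(f"{resource}={level}" for resource, level in key)
        print(f"category {number}: {users} -> {access}")
    # Review step: identity management should stay with administrators only.
    print("write access to identities:", writers(categories, "identities"))
```

With this survey the six users fall into four categories that line up with the operators, administrators, IT administrators and engineers of the four-category model.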