Understand how to configure security for Data Archive

These instructions assume that you are using Active Directory for authentication. You can use local Windows security instead, but it is not quite as secure and extra configuration is required. See Use local Windows security.

1. Configure user authentication.

   In most cases this simply means creating a PI identity for each AD group that requires PI access and creating a mapping between them.

   1. Identify user access categories.

      Identify the users who need access to the Data Archive server. Understand their roles, and the types of access they need. For example: who needs permission to create points? Who should be allowed to edit modules? Who will perform Data Archive backups? See Understand how to identify user access categories.

   2. Create PI identities.

      On the Data Archive server, create PI identities for each user category. See Create a PI identity.

   3. Review Active Directory groups.

      In Windows, identify Active Directory groups that represent your Data Archive users. In some cases you might need the help of your domain administrator in order to create new groups, nest existing groups, or adjust group memberships. See Learn how to review Active Directory configuration.

   4. Map AD groups to identities.

      Once you have the necessary AD groups and PI identities, the next step is to set up a mapping between them. See Map AD groups to PI identities.

2. Configure access permissions.

   Give your PI identities access to the necessary Data Archive resources. The access permissions specify what tasks each PI identity is allowed to perform on the Data Archive server. See Understand how to configure access permissions.

3. Configure PI Interface (and PI Client) access to the Data Archive server.

   1. Configure access for PI interfaces.

      Similar to configuring user authentication earlier in Step 1, you need to set up PI mapping between the Windows AD group or users and PI identity on interfaces that will connect to the Data Archive server. This process involves identifying the Windows AD users or group for that PI interface, identifying a PI identity for that interface, and mapping the users or group to the PI identity to grant the required access permissions for that interface. See Configure PI interface connections using PI trusts for instructions on creating PI mappings for interfaces.

   2. Configure access for client applications (optional).

      Client applications typically connect to the Data Archive server using PI SDK. You need SDK 1.3.6 or later to use Windows authentication. You need PI SDK 2016 or later to utilize transport security. Certain PI client applications require a connection to a separate application server in addition to a Data Archive server (for example, PI DataLink for Excel Services (DLES) and PI WebParts). These types of applications require additional configuration steps. See Understand how upgrading affects PI clients and PI interfaces for more information.

There are a number of things you can do to provide extra security for your Data Archive. See Understand how to tighten security for Data Archive for suggestions and instructions.