
AVEVA™ PI Server Installation and Configuration (PI Server 2024 R2)

Security issues

  • Last updated: Feb 12, 2025

Data Archive collectives support Windows authentication. In a standard configuration, a collective replicates the PI security mappings defined on the primary server across all collective members. In non-homogeneous security environments or environments without Microsoft Active Directory (AD), PI mappings on a specific collective member will reference Windows users or groups that are not valid on other collective members. In this case, the replication process will fail. Therefore, you cannot simply replicate mappings: you must use a custom configuration.

In a standard configuration, where all collective members are in the same security environment and you are using AD, you configure security on the collective’s primary server just as you would configure a single Data Archive server. The collective’s Data Archive replication service copies the configuration to all secondary servers in the collective. This replication process requires that all collective members be on a single domain or part of fully-trusted domains.

You must use a custom security configuration if:

  • Collective members are not contained in a homogeneous security environment, such as when members are on different non-trusted domains or on no domain.

  • You do not have access to AD and must configure authentication through local Windows security on the primary and secondary servers.

A custom configuration on collective servers can affect PI applications and users when they access Data Archive information. If the same mappings are not available on all collective members, applications might fail to connect or might receive different permissions on failover. We recommend avoiding custom configurations whenever possible because they are more complex. To set up and maintain a custom configuration, you must consider who needs access to each collective member, and who will need to fail over.
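One way to check in advance whether the Windows users and groups named in your mappings are valid on every collective member, shown as an added example that is not AVEVA code. It assumes you have listed the principal names from the primary's mappings yourself and treats a principal as consistent only when every member resolves it to the same SID; the function names, host names, and SIDs are constructed.

```powershell
# Added example, not AVEVA code. Function names and sample data are constructed.
function Get-PrincipalSidReport {
    # Run locally on each collective member with the same principal names.
    param([Parameter(Mandatory)][string[]]$Principal)
    foreach ($name in $Principal) {
        $sid = $null
        try {
            $account = [System.Security.Principal.NTAccount]::new($name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Name does not resolve on this member; leave Sid empty.
        }
        [pscustomobject]@{ Member = $env:COMPUTERNAME; Principal = $name; Sid = $sid }
    }
}

function Compare-MemberReport {
    # A principal is consistent only if every member resolved it to the same SID.
    param([Parameter(Mandatory)][object[]]$Report)
    $memberCount = @($Report | ForEach-Object Member | Sort-Object -Unique).Count
    foreach ($group in ($Report | Group-Object Principal)) {
        $resolved = @($group.Group | Where-Object { $_.Sid })
        $distinct = @($resolved | ForEach-Object Sid | Sort-Object -Unique)
        [pscustomobject]@{
            Principal    = $group.Name
            ResolvedOn   = $resolved.Count
            DistinctSids = $distinct.Count
            Consistent   = ($resolved.Count -eq $memberCount -and $distinct.Count -eq 1)
        }
    }
}

# Constructed sample: reports gathered from two members (all SIDs are made up).
$reports = @(
    # Domain group visible to both members: same SID everywhere.
    [pscustomobject]@{ Member = 'PISRV1'; Principal = 'EXAMPLE\PIOperators'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Member = 'PISRV2'; Principal = 'EXAMPLE\PIOperators'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    # Local account with the same name on each machine: different SIDs.
    [pscustomobject]@{ Member = 'PISRV1'; Principal = 'piadmin'; Sid = 'S-1-5-21-4444444444-5555555555-6666666666-1001' }
    [pscustomobject]@{ Member = 'PISRV2'; Principal = 'piadmin'; Sid = 'S-1-5-21-7777777777-8888888888-9999999999-1001' }
    # Domain group that the second member cannot resolve (non-trusted domain).
    [pscustomobject]@{ Member = 'PISRV1'; Principal = 'EXAMPLE\PIEngineers'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1106' }
    [pscustomobject]@{ Member = 'PISRV2'; Principal = 'EXAMPLE\PIEngineers'; Sid = $null }
)
Compare-MemberReport -Report $reports | Format-Table -AutoSize
```

In practice, collect the output of `Get-PrincipalSidReport` on each member and pass the combined rows to `Compare-MemberReport`; any principal that is not consistent indicates the environment is one where a custom security configuration is required.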
