What are PI identities and mappings?

PI identities and PI mappings are the central components of the security model for Data Archive. They determine which Windows users are authenticated on the Data Archive server and what access permissions they have there (for example, is the user allowed to create a point? Run a backup?).

Each PI identity represents a set of access permissions on the Data Archive server. Each PI mapping points from a Windows user or group to a PI identity (or a PI user or PI group). You cannot directly grant a Windows user or group access to a Data Archive resource (such as a point or a module). Instead, you create a PI identity that has that access and then you create a PI mapping between the Windows user or group and that PI identity.

OIDC roles and client IDs can be mapped to a PI identity. PI SMT is the recommended way to create mappings for these users. See Map a role to a PI identity using OIDC.

Members of the Windows groups that are mapped to a PI identity are automatically granted the access permissions for that PI identity. For example, in the following illustration, the PI identity called PIEngineers has read/write access to the data for the TestTag point. Because the Active Directory (AD) group EngineeringTeam is mapped to PIEngineers, all the members in that AD group get read/write permission for the point data.

Each Data Archive resource (such as the TestTag in the illustration above) can have defined access permissions for any number of PI identities. Although the Windows user gets access permissions through one or more PI identities, the Data Archive server keeps track of the specific Windows user ID both in the audit trail and in the last change information.

Note: Although the Data Archive server can use Windows security for authentication, you still need to define access permissions explicitly on the Data Archive server. See Understand how to configure access permissions.