Understand recommendations for using PI users and groups

PI identities provide a layer of abstraction that can be used to make a connection between Windows users and Data Archive access permissions.

We strongly encourage you to use PI identities for authorization instead of PI users and PI groups For backward compatibility, groups and users are still supported and the standard built-in accounts (such as piadmin and pidemo) are still provided. This allows Data Archive servers upgraded from older versions to retain their existing security configurations. It also provides an alternate authentication mechanism if Windows authentication is not a viable option.

Explicit login is not recommended as an authentication method due to security concerns. In addition, PI trust authentication also should be avoided unless technically required for application compatibility. We recommend upgrading security around Data Archive Windows Integrated Security.

PI users and PI groups are implemented as special types of PI identities. You can use the PI Users and PI Groups tabs in PI SMT to manage existing users and groups just as you did in earlier versions of the Data Archive server.