Improve the quick-start configuration
- Last Updated: Jan 13, 2023
- PI System
- PI Server 2024 R2
- PI Server
If you plan to base your long-term security configuration on the quick-start configuration, then consider these suggested improvements:
- To make the quick-start security configuration more flexible, you can add PI identities to represent different user categories. For example, you might want to grant IT administrators permission to perform backups. To do that, create a PI identity and give it the necessary access permissions. Then create a mapping between the AD group for the IT administrators and that PI identity.
- To make the quick-start security configuration more secure, you can explicitly set the access permissions for the piusers group, rather than relying on the PIWorld access permissions. In the quick-start configuration we relied on PIWorld to make the configuration process quicker and easier. However, it is better practice to use explicitly configured access permissions. If you rely on PIWorld, it becomes difficult over time to determine which users or applications are relying on that access.
The following examples show how to implement each of these suggested improvements.
Example 1. Configure Administrative Access Categories
This example demonstrates how to explicitly configure administrative access to run backups.
- First create a PI identity called ITAdmins (Create a PI identity).
- Start PI SMT and connect to the Data Archive server as piadmins (for new installations only; for upgrades, connect as piadmin).
- Open the Database Security tool (select Security > Database Security).
- In the Database Security tool, give the ITAdmins identity read-write access to the PIBACKUP entry.
Example 2. Configure Access Permissions for piusers
Start PI SMT and connect to the Data Archive server as piadmins. Open the Database Security tool (select Security > Database Security).
- For every entry in the Database Security tool, set the access permissions for piusers to read-only. See Set permissions using the Database Security tool.
- Set permissions for built-in points. The Data Archive installation includes several default points. These are useful for test purposes. To explicitly grant read access to the piusers group, edit the points themselves. You can do this using Point Builder (for a small number of points) or PI Builder (for many points). See Learn how to set permissions on specific points and modules.
- Set permissions for existing modules. At a minimum, the Data Archive installation includes the built-in module %OSI. Depending on what client applications you have installed, there might be others. To explicitly grant read access to the piusers group, edit the modules themselves. You can do this using the Module Database tool in PI SMT.
- When you create new modules, the piusers group will automatically have read-only access. This is because new modules automatically have the same access permissions as the PIModules entry in the Database Security tool. See Default access for new points and modules for instructions.
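One way to check the result of Example 2, as an added example that is not part of the PI Server documentation: a Python audit that reads Database Security entries as ACL strings and reports which ones lack an explicit read-only piusers setting or still grant access through PIWorld. It assumes the entries have been exported as `identity: A(r,w) | identity: A(r)` strings; the function names and the sample data are constructed for illustration.

```python
import re

# Constructed sample: Database Security entries and their ACL strings, in the
# assumed "identity: A(r,w) | identity: A(r)" export layout.
SAMPLE_ACLS = {
    "PIBACKUP":  "piadmins: A(r,w) | ITAdmins: A(r,w) | PIWorld: A(r)",
    "PIPOINT":   "piadmin: A(r,w) | piadmins: A(r,w) | piusers: A(r) | PIWorld: A()",
    "PIModules": "piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A(r)",
    "PIDBSEC":   "piadmin: A(r,w) | piadmins: A(r,w) | piusers: A(r,w)",
}

# One access-control entry: "<identity>: A(<rights>)", rights being r and/or w.
_ACE = re.compile(r"^\s*(?P<name>[^:|]+?)\s*:\s*A\(\s*(?P<rights>[rw,\s]*)\)\s*$", re.I)


def parse_acl(acl):
    """Return {identity (lowercased): set of rights} for one ACL string."""
    result = {}
    for part in acl.split("|"):
        m = _ACE.match(part)
        if not m:
            raise ValueError(f"unparseable ACL entry: {part!r}")
        rights = {r for r in re.split(r"[,\s]+", m["rights"].lower()) if r}
        result[m["name"].lower()] = rights
    return result


def audit(acls):
    """Map each entry name to the list of issues found; clean entries are omitted."""
    findings = {}
    for entry, acl in acls.items():
        ace = parse_acl(acl)
        issues = []
        piusers = ace.get("piusers")
        if piusers is None:
            issues.append("piusers not set explicitly")
        elif piusers != {"r"}:
            issues.append("piusers is not read-only")
        if ace.get("piworld"):  # an empty rights set means PIWorld grants nothing
            issues.append("PIWorld still grants access")
        if issues:
            findings[entry] = issues
    return findings


if __name__ == "__main__":
    for entry, issues in audit(SAMPLE_ACLS).items():
        print(f"{entry}: {'; '.join(issues)}")
```

Entries reported with "PIWorld still grants access" are the ones where it remains unclear which users or applications depend on PIWorld rather than on an explicit permission.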