Please ensure Javascript is enabled for purposes of website accessibility
Powered by Zoomin Software. For more details please contactZoomin

AVEVA™ PI Server Installation and Configuration (PI Server 2024 R2)

User roles and permissions: Cloud database platforms

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
TABLE OF CONTENTS

User roles and permissions: Cloud database platforms

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
  • Last UpdatedNov 13, 2025
  • 2 minute read

The correct user roles and permissions must be configured before an AF Server deployment for cloud database platforms. Review the following table to ensure the correct permissions are set on the account used to install AF Server.

Question

Answer

Does PI AF server require the sysadmin role?

No. We recommend always granting the least security privileges, which means you should not grant sysadmin privileges to PI AF server.

Does PI AF server require a login through the sa account?

No.

Does PI AF server require db_owner role?

No.

How many logins are required?

1 or 2.

Low privileged login for account that runs the PI AF server requires the db_AFServer role. This login should not be granted higher privilege than that. Never allow the PI AF server to connect to your SQL Server with sysadmin privileges.

What roles / permissions does the PI AF server need during runtime?

The account that runs the PI AF Application Service must be assigned the db_AFServer database role membership for the PI AF SQL Server database. Use SQL Server Management Studio to edit the SQL Server login for the account.

See Create and configure SQL Server login.

Do end users need to connect to the cloud-managed database service?

No. We recommend that end users not be granted privileges to Azure or Amazon RDS.

Must end users be granted access to the cloud-managed database service?

No.

Does PI AF server control user access to data stored in the cloud?

Yes. Users do not connect to the SQL database on the Azure portal or AWS portal. Depending on which cloud-managed database service is used, AF Server uses either Microsoft Entra or Windows authentication to identify users. It also performs an access check on Windows security descriptors, which are stored in cloud database tables and control user access to application data.

Does each user require a login to the cloud-managed database service?

No. Users do not connect to the cloud service.

Does the admin have to manage user permissions to cloud objects?

No. Users do not connect to the cloud service.

Does the remote application require any permissions on the Azure or Amazon Web Services (AWS) portal?

No. PI AF SDK does not connect to the cloud portal and the user does not require permissions on the cloud portal.

For PI AF High Availability management, the user running PI AF SDK must have the sysadmin role on the cloud instance, but no Windows operating system level privileges are required.

TitleResults for “How to create a CRG?”Also Available in