Learn how to configure security for PI APS
- Last Updated: Feb 12, 2025
- PI System
- PI Server 2018
- PI Server
In order to run PI APS, you must configure the PI Server to allow connections from the PI APS Configuration Utility, PI APS Synchronization Engine, and PI APS Synchronization Trigger service. This section discusses the information that you need to configure:
- Connection methods for the PI APS programs, and
- PI Server security to grant the required access rights to these connections.
Note: A copy of PI APS on the PI Server node does not require any security configuration in the PI Server; however, we discourage using PI APS on the PI Server node.
The PI APS Synchronization Engine and PI APS Synchronization Trigger service are both Windows services. You need to set up either a PI trust or a PI mapping to connect each of them to the Data Archive server. The PI APS Configuration Utility is an interactive application, so you can use a PI mapping or PI trust to a Data Archive server user account. PI mappings are the most secure option; PI trusts are the least secure. Use PI mappings where possible (PI mappings require Data Archive version 3.4.380 and PI SDK 1.3.6 or later).
Note: PI API 2016 for Windows Integrated Security does not support PI trusts, so you must use PI mappings to connect with the Data Archive server.
PI mappings for Windows services
By default, PI APS services log on as the Local System account, which cannot be used for PI mappings on a remote Data Archive server. In order to create a PI mapping, you must first change the PI APS services to log on as Windows accounts (e.g. domain accounts) that are configured with sufficient privileges to access the local Windows registry and files.
Module Database permissions
The PI APS Configuration Utility creates the module AutoPointSync under the %OSI module. PI APS configuration settings are stored in a hierarchy of modules under this module. Other information is also stored in the modules used by PI APS. For example, the last synchronization time (stored by the PI APS Synchronization Engine) and the SyncImmediately flag (set by the PI APS Synchronization Trigger service or PI APS Configuration Utility) are stored in the AutoPointSync hierarchy.
The PI APS Configuration Utility requires:
- Write access for the PIModules table (Database Security) in order to create modules
- Write access for the %OSI module in order to create the AutoPointSync module
- Write access for the AutoPointSync hierarchy to register interface instances with PI APS, to change configuration settings, or to manually initiate a synchronization scan. Read access is sufficient to view configuration settings.
The PI APS Synchronization Engine and PI APS Synchronization Trigger service require write access for modules in the AutoPointSync hierarchy for normal operation.
Point Database permissions
To create or delete points, the PI APS Synchronization Engine or PI APS Configuration Utility requires write access for the PI Server PIPOINT table. To edit points, the PI APS Synchronization Engine or PI APS Configuration Utility requires write access for individual points.
The PI APS Synchronization Trigger service does not access the PI Server point database.
PI points have two sets of security attributes: one set controls access to the point attributes and the other set controls access to the point data. PI APS needs write access for point attributes of the points that are associated with interface instances registered for synchronization.
PI APS does not access point data.
Digital State Table permissions
To create digital sets, the PI APS Synchronization Engine or PI APS Configuration Utility requires write access for the PI Server digital state table (PIDS in Database Security). The PI APS Synchronization Trigger service does not access the PI Server digital state table.
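The requirements above can be turned into a least-privilege check. The following Python sketch is an added example, not part of the PI APS documentation or tooling: it audits the PI identity mapped to each PI APS component against the write access this page lists, flagging both missing and unneeded write access. The identity names (`aps_config`, `aps_engine`, `aps_trigger`), the sample ACLs, and the `identity: A(r,w) | ...` ACL string format are assumptions, and per-point attribute security is not modeled.

```python
import re

# Write access each PI APS component needs, per the requirements on this page.
REQUIRED_WRITE = {
    "config_utility": {"PIModules", "%OSI", "AutoPointSync", "PIPOINT", "PIDS"},
    "sync_engine": {"AutoPointSync", "PIPOINT", "PIDS"},
    "sync_trigger": {"AutoPointSync"},
}

# One ACL entry; the "identity: A(r,w)" layout is an assumed export format.
ENTRY = re.compile(r"\s*([^:|]+?)\s*:\s*A\(([^)]*)\)\s*")

def parse_acl(acl):
    """Parse 'identity: A(r,w) | other: A(r)' into {identity: {'r', 'w'}}."""
    rights = {}
    for part in acl.split("|"):
        m = ENTRY.fullmatch(part)
        if not m:
            raise ValueError(f"unparseable ACL entry: {part!r}")
        granted = {r.strip() for r in m.group(2).split(",") if r.strip()}
        rights[m.group(1).lower()] = granted
    return rights

def audit(component, identity, acls):
    """Return (missing, excess): securables lacking required write access,
    and securables where the identity holds write access it does not need."""
    needed = REQUIRED_WRITE[component]
    missing = sorted(needed - set(acls))  # required securable not exported
    excess = []
    for securable in sorted(acls):
        granted = parse_acl(acls[securable]).get(identity.lower(), set())
        if securable in needed and "w" not in granted:
            missing.append(securable)
        elif securable not in needed and "w" in granted:
            excess.append(securable)
    return missing, excess

# Constructed sample ACLs (hypothetical identities, not from a real server).
ACLS = {
    "PIModules": "piadmins: A(r,w) | aps_config: A(r,w) | aps_trigger: A(r)",
    "%OSI": "piadmins: A(r,w) | aps_config: A(r,w)",
    "AutoPointSync": "piadmins: A(r,w) | aps_config: A(r,w) | aps_engine: A(r,w) | aps_trigger: A(r,w)",
    "PIPOINT": "piadmins: A(r,w) | aps_config: A(r,w) | aps_engine: A(r) | aps_trigger: A(r,w)",
    "PIDS": "piadmins: A(r,w) | aps_config: A(r,w) | aps_engine: A(r,w)",
}

if __name__ == "__main__":
    for comp, ident in [("config_utility", "aps_config"),
                        ("sync_engine", "aps_engine"),
                        ("sync_trigger", "aps_trigger")]:
        print(comp, ident, audit(comp, ident, ACLS))
```

In the sample data the Synchronization Engine identity lacks write access on PIPOINT, while the Synchronization Trigger identity holds write access on PIPOINT that this page says it never uses.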