Please ensure Javascript is enabled for purposes of website accessibility
Powered by Zoomin Software. For more details please contactZoomin

AVEVA™ PI Server Installation and Configuration (PI Server 2018)

Security configuration for PI MDB to AF Link feature

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
TABLE OF CONTENTS

Security configuration for PI MDB to AF Link feature

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
  • Last UpdatedOct 02, 2024
  • 2 minute read

Because PI AF 2.7 uses integrated Windows security for authentication and provides its own authorization to PI AF objects using PI AF identities and mappings, access permissions for the PI AF Link subsystem need to be modified.

On the PI AF server (machine hosting PI AF Application Service), we recommend that instead of running PI MDB to AF Link under the default NetworkService account, you create and configure a domain group, and then map a domain account to it that is specifically created to support PI MDB to AF Link. You also need to map the domain group to the PI AF server that is the migration target.

For information on mapping identities, see Manage mappings in PI AF. For information on the new security model for PI AF server objects, see the PI System Explorer topic Configure security for a PI AF server.

PI MDB to AF Link domain group

You should create and configure a domain group to support PI MDB to AF Link.

If you are configuring PI MDB migration to the target PI AF server for the first time, run the PI MDB to AF Migration Wizard, and specify the domain group on the wizard's AF Information page. The wizard should set the correct permissions for the domain group on the PI AF server.

If the Wizard does not create the domain group, the following manual steps are required. The domain group must have:

  • Read and admin access to the PI AF server.

  • Read, read data, write, write data, delete and admin access to the target PI AF database and the PI AF element to which the MDB is migrated.

  • Read, write, delete and admin access to the Categories collection on the target PI AF database.

  • Edit the AFGroupSID property under MDB - >%OSI - >MDBAFMigrationData to point to the SID of the newly created domain group. Use the Mappings & Trusts tool in PI SMT to find this SID.

PI MDB to AF Link domain account

We recommend that the PI AF Link Subsystem be run under a domain account. This domain account must be added to the domain group that is created to support PI MDB to AF Link. We also recommend that you set the password on this domain account to not expire.

This domain account must have:

  • Read and write permissions on pi\dat and pi\log folders.

  • Read and execute on pi\bin and pi\bin\piaflink.exe.

In This Topic
Related Links
TitleResults for “How to create a CRG?”Also Available in