Quick-start security migration
- Last Updated: Jan 13, 2023
- PI System
- PI Server 2018
- PI Server
Many Data Archive servers use only the piadmin account and the pidemo account for authentication. In a few simple steps, you can convert this piadmin/pidemo configuration to use Windows authentication. This greatly improves your Data Archive security.
Although these instructions assume you are using the piadmin and pidemo accounts, note that you can apply the same method to any Data Archive server that relies on a very small number of PI users or PI groups for security.
Note: These instructions assume you are using Windows Active Directory (AD) because AD provides the most secure authentication. If you use local Windows groups instead of AD groups, then you need to do some additional configuration on client computers. See Use local Windows security for more information.
- Configure authentication for piadmin.
  Map a Windows group to the piadmin account. All Windows users who are members of this Windows group then get piadmin access permissions simply by logging on to Windows.
  - In Windows AD, identify the Windows group that will get administrative privileges on the Data Archive server.
    If the appropriate group does not exist, ask your domain administrator to set one up for you. If your domain administrator will not help, try the workaround described in Understand local Windows security with AD.
  - Create a mapping between that AD group and the piadmin account.
    Now all users in that AD group have the same privileges as piadmin.
- Configure authentication for pidemo.
  - In Windows AD, identify the Windows group that will get the pidemo access permissions on the Data Archive server.
  - Create a mapping between that AD group and the pidemo account.
    Now all users in that AD group have the same privileges as pidemo.
This completes the basic configuration on the Data Archive server. As soon as possible, consider these additional steps for further securing your Data Archive server:
- The biggest security hole in this quick-start plan is that pidemo and piadmin are still accessible through PI user passwords. PI user passwords are not especially secure. To fix this, disable explicit logins (typing in a PI user name and password) for the pidemo and piadmin accounts. The Data Archive server then disallows user-name and password access for those accounts and provides access only through the mappings you created or through PI trusts. See Disable explicit logins for individual user accounts for instructions.
- Review the follow-up steps, which include upgrading the SDK on client workstations, upgrading administrative applications, and so on. You can choose if and when to complete each step. See Follow-up steps.
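The following post-migration check is an added example, not part of the original documentation or any PI System tool. It reports whether piadmin and pidemo each have a Windows mapping, whether a mapping points at a local group rather than an AD group, and whether explicit logins are still enabled. The CSV layout, column names, the `audit` function, and the sample domain and group names are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample data. The CSV layout is hypothetical, not a PI System
# export format: adapt the column names to however you list accounts/mappings.
ACCOUNTS = """account,explicit_login
piadmin,enabled
pidemo,disabled
"""
MAPPINGS = """windows_principal,account
CORP\\PI-Admins,piadmin
HISTSRV01\\Operators,piadmin
"""

def audit(accounts_csv, mappings_csv, ad_domains, targets=("piadmin", "pidemo")):
    """Return sorted (account, finding) pairs for the migrated accounts."""
    explicit = {r["account"].lower(): r["explicit_login"].lower()
                for r in csv.DictReader(io.StringIO(accounts_csv))}
    mapped = {}
    for r in csv.DictReader(io.StringIO(mappings_csv)):
        mapped.setdefault(r["account"].lower(), []).append(r["windows_principal"])

    domains = {d.upper() for d in ad_domains}
    findings = []
    for acct in targets:
        principals = mapped.get(acct, [])
        if not principals:
            # Without a mapping, Windows users cannot reach this account.
            findings.append((acct, "no-mapping"))
        for p in principals:
            prefix = p.split("\\", 1)[0].upper() if "\\" in p else ""
            if prefix not in domains:
                # Local Windows group: needs extra client-side configuration.
                findings.append((acct, "local-group:" + p))
        # Treat a missing row as enabled so unknown state is never reported clean.
        if explicit.get(acct, "enabled") != "disabled":
            findings.append((acct, "explicit-login-enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for acct, finding in audit(ACCOUNTS, MAPPINGS, ad_domains={"CORP"}):
        print(f"{acct}: {finding}")
```

An empty result means both accounts are reachable through AD group mappings only, which is the end state the quick-start plan aims for.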