What about PI users and PI groups?

Previous versions of the Data Archive server relied on individual user accounts that could be included in groups. The new security model discourages user accounts (and groups of users) on the Data Archive server. They are replaced by PI identities, which provide a layer of abstraction that we can use to make a connection between Windows users and Data Archive access permissions.

For backward compatibility, groups and users are still supported and the standard built-in accounts (such as piadmin and pidemo) are still provided. This allows Data Archive servers upgraded to version 3.4.380 to keep their existing security configurations. It also provides an alternate authentication mechanism if Windows authentication is not a viable option for you. However, although the password mechanism performs as designed, weakness exists due to the use of a proprietary cypher developed in the 1990s that has not been modified to keep up with modern cryptographic advances. In short, the explicit login as an authentication method is not secure from malicious actors. In addition, similar to explicit login authentication, PI trust authentication is a weak form of authentication and should be avoided unless technically required for application compatibility. We recommend upgrading security around Data Archive to Windows Integrated Security.

On PI Server 3.4.380 and later, PI groups and PI users are implemented as special types of PI identities. The Users and Groups tool in PI System Management Tools (SMT) is now the Identities, Users, & Groups tool. You can use the PI Users and PI Groups tabs to manage existing users and groups just as you did in earlier versions of the Data Archive server.