Use local Windows security
- Last Updated: Jan 13, 2023
- PI System
- PI Server 2018
- PI Server
You can use local Windows security to grant access to the Data Archive server and its resources if AD is not available. Using local Windows security requires significant maintenance. The account names and passwords must be identical on the Data Archive server and all client machines.
Note: Using identical user accounts and passwords is a form of credential reuse. Verify that identical accounts are consistent with your IT policies.
When a password changes or a user is added or deleted, you must make that change on the Data Archive server and all participating client machines (this is actually a Windows requirement).
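Because every account change has to be repeated on each machine, a periodic drift audit helps catch changes that were not propagated. The PowerShell below is an added example, not part of the PI System documentation; the machine names, the account name and the 24-hour tolerance are assumptions, and it compares `PasswordLastSet` timestamps only, which flags a change made on one side but cannot prove that two passwords are equal.

```powershell
# Added example. Machine and account names are hypothetical placeholders.
function Get-LocalAccountInventory {
    param([string[]]$ComputerName, [string[]]$Account)
    # Assumes PowerShell remoting already works between these machines.
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Account) -ScriptBlock {
        param($names)
        foreach ($n in $names) {
            $u = Get-LocalUser -Name $n -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Account = $n; Exists = [bool]$u
                Enabled  = [bool]$u.Enabled;  PasswordLastSet = $u.PasswordLastSet
            }
        }
    }
}

function Find-AccountDrift {
    param([object[]]$Inventory, [string]$Reference,
          [timespan]$Tolerance = [timespan]::FromHours(24))
    foreach ($g in $Inventory | Group-Object Account) {
        # The Data Archive server is the reference; every other machine is compared to it.
        $ref = $g.Group | Where-Object Computer -eq $Reference
        foreach ($row in $g.Group | Where-Object Computer -ne $Reference) {
            $issue = $null
            if (-not $ref -or -not $ref.Exists) {
                if ($row.Exists) { $issue = 'DeletedOnServerStillOnClient' }
            } elseif (-not $row.Exists) {
                $issue = 'MissingOnClient'
            } elseif ($row.Enabled -ne $ref.Enabled) {
                $issue = 'EnabledStateDiffers'
            } elseif (-not $row.PasswordLastSet -or -not $ref.PasswordLastSet) {
                $issue = 'PasswordNeverSet'
            } elseif (($row.PasswordLastSet - $ref.PasswordLastSet).Duration() -gt $Tolerance) {
                $issue = 'PasswordChangedOnOneSideOnly'
            }
            if ($issue) {
                [pscustomobject]@{ Account = $g.Name; Computer = $row.Computer; Issue = $issue }
            }
        }
    }
}

# Constructed sample inventory so the comparison runs without any remote hosts.
$sample = @(
    [pscustomobject]@{Computer='PIDA01'; Account='pi_ops'; Exists=$true;  Enabled=$true;  PasswordLastSet=[datetime]'2023-01-10'}
    [pscustomobject]@{Computer='HMI01';  Account='pi_ops'; Exists=$true;  Enabled=$true;  PasswordLastSet=[datetime]'2022-06-01'}
    [pscustomobject]@{Computer='HMI02';  Account='pi_ops'; Exists=$false; Enabled=$false; PasswordLastSet=$null}
)
Find-AccountDrift -Inventory $sample -Reference 'PIDA01'
```

For a live audit, pass the output of `Get-LocalAccountInventory` as `-Inventory` in place of the constructed sample.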
Note: If the Data Archive server is part of a Data Archive collective, please refer to Learn about security for Data Archive collectives before using local Windows groups.
Alternatively, use Windows Credential Manager, which is the safest way to configure local Windows security.
- Identify user access categories.
  Identify the users who need access to the Data Archive server. Understand their roles, and the types of access they need. For example: who needs permission to create points? Who should be allowed to edit modules? Who will perform Data Archive backups? See Understand how to identify user access categories.
- Create PI identities.
  On the Data Archive server, create PI identities for people with similar access needs. See Create a PI identity.
- Configure local Windows groups.
  In Windows, identify the Windows groups that represent your Data Archive roles. See Configure Windows groups.
- Map Windows groups to identities.
  See Create mappings.
- Grant PI access permissions.
  Give your PI identities access to the necessary Data Archive resources. The access permissions specify what tasks each PI identity is allowed to do on the Data Archive server. See Understand how to configure access permissions.
- Configure access for client applications.
  Client applications typically connect to the Data Archive using PI SDK. You need SDK 1.3.6 or later to use Windows authentication. You need PI SDK 2016 or later to utilize transport security. Certain PI client applications require a connection to a separate application server in addition to a Data Archive server (for example, PI DLES and PI WebParts). These types of applications require additional configuration steps. See How will PI Server 3.4.380 affect my clients and interfaces? for more information.
- Configure access for interfaces.
  You need to set up a mapping for the interfaces that will connect to the Data Archive server. Each mapping is based on a PI identity. See Configure PI interface connections using PI trusts.
There are a number of things you can do to provide extra security for your Data Archive server. See Tightening security for suggestions and instructions.