Buffering and High Availability

Security requirements

Save PDF

TABLE OF CONTENTS

Security requirements

Save PDF

Last UpdatedFeb 12, 2025
4 minute read

PI System

For security, the following accounts (or users) in a PI AF collective require a reduced level of permissions:

SQL Server Database Engine service
SQL Server Agent service
PI AF application service
PI AF collective creator user
AFServers local group

For more information about minimum privilege levels required for replication, see the following Microsoft articles:

Each PI AF collective account has the following access requirements.

SQL Server Database Engine

Component	Action required
Permissions	Run as a low-privileged account. Do not run the SQL Server Database Engine service under an account with local or domain administrative privileges.

SQL Server Agent

Component	Action required
Permissions	Run as a low-privileged account. Do not run as NetworkService.
Primary server	No action required.
Secondary servers	No action required.
Primary SQL database	If it does not already exist, create a login in SQL Server for the account under which the SQL Server Agent service runs. Assign the db_owner database role on the PI AF SQL database to this account. Do not grant the sysadmin server role to this account. Assign write permission to the \repldata folder. Sample path: C:\Program Files\Microsoft SQL Server\MSSQL10_50.TEST\MSSQL\repldata For more information, refer to Configure folder permissions on the primary server.
Secondary SQL databases	If it does not already exist, create a login in SQL Server for the account under which the SQL Agent service runs on the primary. Assign the db_owner database role on the PI AF SQL database to this account. Do not grant the sysadmin server role to this account.

PI AF application service

Beginning with PI AF 2.7, by default the PI AF application service is run under a virtual account, NT SERVICE\AFService. Do not run the service under the Local System account. The best practice is to use a low-privileged domain account, as this account does not require special access to the PI AF SQL database.

The PI AF application service account is added to a local Windows security group, which is assigned the appropriate access in the PI AF SQL database.

Component	Action required
Permissions	Run as a low-privileged account. Do not run as Local System.
Primary server	No action required.
Secondary servers	No action required.
Primary SQL database	In Windows, add the domain account under which the PI AF application service runs to the local AFServers group. Do not create an SQL Server login for the PI AF application service account. Do not assign the db_owner database role on the PI AF SQL database to the PI AF application service account. Do not grant the sysadmin server role to the PI AF application service account.
Secondary SQL databases	In Windows, add the domain account under which the PI AF application service runs to the local AFServers group. Do not create an SQL Server login for the PI AF application service account. Do not assign the db_owner database role on the PI AF SQL database to the PI AF application service account. Do not grant the sysadmin server role to the PI AF application service account.

PI AF collective creator

A domain user, with Windows credentials that are authenticated by PI AF, Windows, and SQL Server, runs the AF Collective Manager client that is used to create the PI AF collective.

Component	Action required
Permissions	The credentials that are used to create the PI AF collective are used only once to create the PI AF collective. After you create the PI AF collective, you can remove the special permissions.
Primary server	Add the credentials used to create the PI AF Collective in AF Collective Manager to the Local Administrators group.
Secondary servers	Add the credentials used to create the PI AF Collective in AF Collective Manager to the Local Administrators group.
Primary SQL database	If it does not already exist, create a login in SQL Server for the PI AF collective creator's domain account. Add the credentials used to create the PI AF Collective in AF Collective Manager to the Local Administrators group. Grant the sysadmin server role to this account.
Secondary SQL databases	If it does not already exist, create a login in SQL Server for the PI AF collective creator's domain account. Grant the sysadmin server role to this account.

AFServers local group

The only account that should exist in the AFServers local Windows group is the account under which the PI AF application service runs.

Note: The AFServers local Windows group is typically created during the installation of the PI AF SQL database. If you use SQL scripts to install the PI AF SQL database, however, you need to set up this user group manually.

Component	Action required
Permissions	This group should never be given local or domain administrator privileges.
Primary server	No action required.
Secondary servers	No action required.
Primary SQL database	If it does not already exist, create a login in SQL Server for the AFServers local group. Grant the db_AFServer database role on the PI AF SQL database to this account. Do not assign the db_owner database role on the PI AF SQL database to this account. Do not grant the sysadmin server role to this account.
Secondary SQL databases	If it does not already exist, create a login in SQL Server for the AFServers local group. Grant the db_AFServer database role on the PI AF SQL database to this account. Do not assign the db_owner database role on the PI AF SQL database to this account. Do not grant the sysadmin server role to this account.

Buffering and High Availability