PI Buffer Subsystem security considerations

PI Buffer Subsystem sends data to the Data Archive server using its PI identity, PI user, or PI group, as it has in previous versions that supported only API buffering. API buffering usually buffers data from one type of interface per interface node, meaning one PI identity, PI user, or PI group sends one type of data. However, a single client node using buffering PI SDK data may handle multiple client applications and possibly multiple users concurrently (including, for example, web services and application servers).

Note: The various applications and users on a client node using buffering will all send data to Data Archive using the PI identity, PI user, or PI group associated with PI Buffer Subsystem.

By default, the PI Buffer Subsystem service logs runs as a Virtual Service account; it is not shared with any process or service. Data written with a Virtual Service account cannot be distinguished from data written by other applications running as Local System or another Virtual Service account. Services that run as Virtual Service accounts access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$. Hence, there is still reason to run as a domain user.

Note: At the time of installation, if a user's account is still running as Local System, then the account that PIbufss will run under by default will change to NT Service\pibufss.

For information about configuration requirements and Virtual Service Accounts, see PI Buffer Subsystem and service logon accounts.