Interface authentication management with PI trusts

Before Data Archive 2016 R2, trusts were typically used to authenticate PI interfaces, while mappings were used for single sign-on for Windows users on Data Archive servers. With PI API 2016 for Windows Integrated Security, Windows authentication extends to PI interfaces.

We do not recommend using PI trusts or explicit logins for authentication. For a more secure environment, we recommend using Windows Integrated Security.

Note: PI API 2016 for Windows Integrated Security extends Windows authentication to API-based client applications. If you choose to install PI API 2016 for Windows Integrated Security, you can use only Windows Integrated Security for authentication. Both trusts and explicit logins will fail.

PI trusts compare the connection credentials of a connecting application to records in the trust database. The connection credentials might include:

• Name of the connecting application

• IP address and netmask of the interface node

• Fully qualified host name of the interface node (such as apollo.aveva.com)

• Short host name of the interface node (such as apollo)

Update PI trusts when the interface node changes host name or IP address. Use the PI SMT Mappings & Trusts tool to view and manage your PI trusts.

Each PI trust is defined against a single PI identity, PI group, or PI user. When an interface successfully authenticates through a trust, it gets the access permissions defined for the associated identity, group, or user.

For details on creating tighter security, see Understand Data Archive security.