PI Data Archive security
- Last Updated: Jul 10, 2024
Interfaces use security processes and components to connect to Data Archive.
Data Archive security processes
In order for the interface to connect to Data Archive, the interface service account must be authenticated and authorized for communications. Interfaces use the following security processes:
- Authentication: The process of confirming the identity of a user from credentials or other evidence provided by the user, such as a password.
- Authorization: The process of determining whether the user has permission to perform certain operations.
Data Archive provides the following three authentication methods:
- PI trust authentication. This method is required for interface service authentication.
- Password authentication. This method does not support unattended Windows services.
- Windows integrated security. This method is not supported by PI API.
After authentication validates the identity claim, authorization determines what actions the user can perform in the PI Data Archive. For more information about Data Archive security, see the manual Configuring PI Server Security.
When an interface successfully authenticates through a trust, the interface is granted the access rights for the associated identity, user, or group.
Data Archive security components
A PI trust is associated with exactly one PI identity. When a client's connection credentials match the trust, the client is granted that identity's Data Archive object permissions.
Interfaces use the following security components:
- PI identity: PI identities are the link between Windows authentication and Data Archive authorization. Each PI identity represents a set of access permissions to Data Archive.
- PI users and PI groups: Special types of PI identities that can be associated with the PI trust.
  Caution: Avoid using the piadmin super-user or the piadmins group. These built-in users and groups have high-level privileges that can pose security risks.
  The piadmin super-user permissions cannot be restricted. The piadmins group is enabled by default with permissions necessary for administrator-level tasks and should not be restricted. Additional built-in PI identities have either no default write permissions or no default permissions at all.
- PI trust: A set of credentials that maps a machine, application, or a Windows domain or local account to a specific identity on Data Archive.
  PI trusts for interface and buffering services are contained in a database. Use PI System Management Tools (PI SMT) or the piconfig command-line utility to view, create new trusts, and modify existing trusts. Optionally, use Buffering Manager to set up and manage trusts for buffering.
  Note: OSIsoft recommends the use of PI Identities rather than PI Trusts wherever possible.
- PI point security: Permissions for the identity to access PI points can be restricted using the data access (dataaccess) and point access (ptaccess) attributes for each point. Multiple points can be configured at once using the PI Tag Configurator plug-in for Excel, available with PI SMT.
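The following is an added example, not part of this page or of the PI System software: a small audit script that parses the ptaccess and dataaccess attribute strings of a point and reports the conditions discussed above (an interface identity that is piadmin or piadmins, an interface identity missing the rights it needs, or PIWorld holding write access). It assumes the descriptor format `Identity: A(r,w) | Identity2: A(r)` as displayed by PI SMT and piconfig; the identity name OPCInt and the sample points are constructed for illustration.

```python
import re

# Assumed descriptor format, as displayed by PI SMT / piconfig:
#   "piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A(r)"
ENTRY_RE = re.compile(r"^\s*([^:|]+?)\s*:\s*A\(([rw,\s]*)\)\s*$")
PRIVILEGED = {"piadmin", "piadmins"}  # built-ins the page says not to use


def parse_security(descriptor: str) -> dict:
    """Parse a ptaccess/dataaccess string into {identity: set of 'r'/'w'}."""
    grants = {}
    for entry in descriptor.split("|"):
        if not entry.strip():
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed security entry: {entry!r}")
        rights = {x.strip() for x in m.group(2).split(",") if x.strip()}
        if not rights <= {"r", "w"}:
            raise ValueError(f"unknown right in entry: {entry!r}")
        grants[m.group(1)] = rights
    return grants


def audit_point(tag: str, ptaccess: str, dataaccess: str, interface_identity: str) -> list:
    """Findings for an interface identity that must read the point definition
    (ptaccess r) and write values (dataaccess w). Identity names are case-sensitive here."""
    findings = []
    if interface_identity.lower() in PRIVILEGED:
        findings.append(f"{tag}: interface runs as built-in {interface_identity}")
    pt, data = parse_security(ptaccess), parse_security(dataaccess)
    if "r" not in pt.get(interface_identity, set()):
        findings.append(f"{tag}: {interface_identity} lacks ptaccess read")
    if "w" not in data.get(interface_identity, set()):
        findings.append(f"{tag}: {interface_identity} lacks dataaccess write")
    for name, acl in (("ptaccess", pt), ("dataaccess", data)):
        if "w" in acl.get("PIWorld", set()):
            findings.append(f"{tag}: PIWorld has write on {name}")
    return findings


# Constructed sample points (tag, ptaccess, dataaccess, interface identity).
SAMPLE_POINTS = [
    ("sinusoid", "piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A(r)",
     "piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A(r)", "piadmins"),
    ("flow01", "piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A(r) | OPCInt: A(r)",
     "piadmin: A(r,w) | piadmins: A(r,w) | OPCInt: A(r,w) | PIWorld: A(r,w)", "OPCInt"),
]

if __name__ == "__main__":
    for tag, pt, da, ident in SAMPLE_POINTS:
        for finding in audit_point(tag, pt, da, ident):
            print(finding)
```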