Security for data replication
- Last Updated: Feb 27, 2025
Connections from a lower-tier Historian to a next-tier Historian must be authenticated before any replication task can be performed on the next-tier Historian.
A local Windows user group called aaReplicationUsers is created on the next-tier Historian during the next-tier Historian installation. The Network Account (previously called the ArchestrA User) is automatically added to this group. Only members of the aaReplicationUsers group are allowed to perform replication tasks. These include adding, modifying, and sending values for replication tags. This group is not allowed to perform other non-replication tasks, such as adding or modifying a tier-1 tag.
When you configure a replication server on one Historian, you must specify a valid Windows user account on the next-tier Historian for the replication service to use.
For example, suppose you are configuring a replication server on a tier-1 Historian. The tier-2 security account does not have to be a valid account on the tier-1 Historian or even be in the same security domain as the tier-1 Historian. If no replication user credentials are configured at the tier-1 Historian, the Network Account credential is passed to the tier-2 Historian for authentication.
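Because membership of aaReplicationUsers is what authorizes replication tasks, it is worth reviewing that group periodically on the next-tier Historian. The following PowerShell is an added example, not code from the product documentation; the approved account names are constructed placeholders and `Compare-ReplicationMembers` is a hypothetical helper.

```powershell
# Added example: audit who can perform replication tasks on a next-tier Historian.
# Run locally on the next-tier Historian in an elevated PowerShell session.

function Compare-ReplicationMembers {
    # Hypothetical helper: diff actual group members against an approved list.
    param(
        [string[]]$Actual,    # current members, e.g. HOST\name or DOMAIN\name
        [string[]]$Approved   # accounts your site has approved for replication
    )
    # -notin is case-insensitive, which matches Windows account-name semantics.
    $unexpected = @($Actual   | Where-Object { $_ -and $_ -notin $Approved })
    $missing    = @($Approved | Where-Object { $_ -and $_ -notin $Actual })
    [pscustomobject]@{ Unexpected = $unexpected; Missing = $missing }
}

# Constructed placeholders: replace with the Network Account and any dedicated
# replication account configured for this site.
$approved = @(
    'HIST-T2\NetworkAccount-PLACEHOLDER',
    'HIST-T2\svc-replication-PLACEHOLDER'
)

try {
    $members = @(Get-LocalGroupMember -Group 'aaReplicationUsers' -ErrorAction Stop)
} catch {
    Write-Error "Could not read aaReplicationUsers: $_"
    return
}

# A nested group widens who may replicate beyond the names listed here.
$nested = @($members | Where-Object { $_.ObjectClass -eq 'Group' })
$result = Compare-ReplicationMembers -Actual $members.Name -Approved $approved

$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
foreach ($name in $result.Unexpected) {
    Write-Warning "Not on approved list: $name"
}
foreach ($name in $result.Missing) {
    Write-Warning "Approved but not a member (replication from it will fail): $name"
}
foreach ($g in $nested) {
    Write-Warning "Nested group, review its members too: $($g.Name)"
}
```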