The security implementation is considerably different between Windows NT and UNIX (PI3) servers and PI on OpenVMS (PI2) servers. The following sections describe PI3 security with respect to the PI-SDK. Following that is a section describing how security is handled between the PI-SDK and a PI2 system.
Security of the PI server data is implemented by two distinct mechanisms. Authentication identifies and establishes the user’s credentials with the server. Authorization controls the user’s access to specific data items within the system. Various methods of authentication are supported and described below. Authentication requires participation of the client software (application and the PI-SDK), the PI server, and often the network and operating systems on the client and the server. Once a user’s credentials are established, authorization is handled by the PI server.
The PI server maintains a proprietary database of users called PIUsers and groups of these users called PIGroups. For server versions up through 3.4.375, these users and groups were the only security principals within PI. The authentication process resulted in a connected user being represented as a PIUser who could optionally belong to different PIGroups. Data in the PI system was authenticated against these PIUsers and PIGroups.
With PI Server version 3.4.380, the fundamental PI principal has changed to what is called a PI Identity. This change was made to support a broader set of authentication methods, to integrate more tightly with operating system authentication and grouping, and to allow more flexibility in specifying authorization configuration. While PIUsers and PIGroups continue to be supported, they are now implemented on top of PIIdentities. Whatever method is used, the end result of a successful authentication, starting with version 3.4.380, is a set of one or more PIIdentities. Access to data in the PI Server is based on these identities.
With PI Server version 3.4.380, more authentication options are available, and with version 1.3.6 of the PI-SDK the user has more control over which methods are attempted and the order in which they are tried. Because of this change, the discussion that follows describes both the methods and how they apply to these different systems.
Explicit Connections - Login