1. Authentication


The security implementation differs considerably between PI servers on Windows NT and UNIX (PI3) and PI servers on OpenVMS (PI2). The following sections describe PI3 security with respect to the PI-SDK. A later section describes how security is handled between the PI-SDK and a PI2 system.

 

Security of the PI server data is implemented by two distinct mechanisms.  Authentication identifies and establishes the user’s credentials with the server. Authorization controls the user’s access to specific data items within the system.  Various methods of authentication are supported and described below. Authentication requires participation of the client software (application and the PI-SDK), the PI server, and often the network and operating systems on the client and the server.  Once a user’s credentials are established, authorization is handled by the PI server. 
 

PI Principals

The PI server maintains a proprietary database of users called PIUsers and groups of these users called PIGroups.  For server versions up through 3.4.375, these users and groups were the only security principals within PI.  The authentication process resulted in a connected user being represented as a PIUser who could optionally belong to different PIGroups. Data in the PI system was authenticated against these PIUsers and PIGroups. 

 

With PI Server version 3.4.380, the fundamental PI principal has changed to what is called a PI Identity.  This change was made to support a broader set of authentication methods, to integrate more tightly with operating system authentication and grouping, and to allow more flexibility in specifying authorization configuration.   While PIUsers and PIGroups continue to be supported, they are now implemented on top of PIIdentities.  Whatever method is used, the end result of a successful authentication, starting with version 3.4.380, is a set of one or more PIIdentities.  Access to data in the PI Server is based on these identities.

 

Authentication Methods

With PI Server version 3.4.380, more authentication options are available, and with version 1.3.6 of the PI-SDK the user has more control over which methods are attempted and the order in which they are tried. Because of this change, the discussion that follows describes both the methods and how they apply to these different systems.

 

Explicit Connections - Login

 

Implicit Connections

 

 
