Module 6 · Advanced

Security & Access Control

Implement robust PI System security using PI Identities, Mappings, Trusts, Active Directory integration, and PI Vision security to protect operational data.

60 min · 8 topics · 2 code examples

PI Security Architecture

PI System security is built on a layered model that controls access at multiple levels: server connection, data point access, and application-level permissions.

Security Layers

User / Application
      │
      ▼
PI Identity (Who are you?)
      │
      ▼
PI Mapping (Map Windows user → PI Identity)
      │
      ▼
PI Point Security (What data can you access?)
      │
      ▼
PI Data Archive (Enforce access control)

PI Identities

PI Identities are named security principals within the PI System:

| Identity | Purpose | Typical Permissions |
|---|---|---|
| PIWorld | Anonymous/public access | Read-only, limited tags |
| PIOperators | Operations staff | Read all process data |
| PIEngineers | Engineering team | Read/write, create tags |
| PIAdmins | Administrators | Full access |
| PIInterfaces | Interface services | Write to assigned tags |

PI Mappings

Mappings link Windows users/groups to PI Identities:

Active Directory Group: DOMAIN\PI_Operators
         ↓ Mapped to
PI Identity: PIOperators
         ↓ Has permissions
PI Point Security: Read access to all process tags

Creating a PI Mapping (SMT)

1. Open PI System Management Tools (SMT)

2. Navigate to Security > Mappings & Trusts > Mappings

3. Click Add → Select Windows group

4. Assign PI Identity

5. Set expiration (optional)

6. Click OK and verify

PI Point Security

Each PI point has individual security settings:

PI Point: REACTOR_TEMP_001
├── Read: PIWorld (all users can read)
├── Write: PIInterfaces (only interface can write)
├── Change Security: PIAdmins (only admins can modify)
└── Delete: PIAdmins

Active Directory Best Practices

1. Use AD Groups, not individual users — easier to manage

2. Principle of least privilege — grant minimum required access

3. Separate service accounts — dedicated accounts for interfaces

4. Regular access reviews — audit quarterly

5. Disable PI Trusts — use Mappings instead (more secure)
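
The following is an added example, not part of the original module and not PI System code: a simplified Python model of the mapping → identity → point security chain, plus an access-review pass for the best practices listed above. The record layout, `DOMAIN\PI_Admins`, `DOMAIN\jsmith`, `legacy_interface_trust` and `REACTOR_SETPOINT_002` are constructed sample values and assumptions.

```python
# Simplified model of the chain described above; NOT the PI System API.
# All records below are constructed sample data with assumed field names.
MAPPINGS = [
    {"principal": r"DOMAIN\PI_Operators", "is_group": True, "identity": "PIOperators"},
    {"principal": r"DOMAIN\PI_Admins", "is_group": True, "identity": "PIAdmins"},
    {"principal": r"DOMAIN\jsmith", "is_group": False, "identity": "PIEngineers"},
]
TRUSTS = [{"name": "legacy_interface_trust", "enabled": True}]
POINTS = {
    "REACTOR_TEMP_001": {"Read": ["PIWorld"], "Write": ["PIInterfaces"],
                         "Change Security": ["PIAdmins"], "Delete": ["PIAdmins"]},
    "REACTOR_SETPOINT_002": {"Read": ["PIWorld"], "Write": ["PIWorld"],
                             "Change Security": ["PIAdmins"], "Delete": ["PIAdmins"]},
}


def identities_for(principals, mappings=MAPPINGS):
    """Mapping layer: Windows principals the caller holds -> PI Identities."""
    held = {p.lower() for p in principals}
    ids = {m["identity"] for m in mappings if m["principal"].lower() in held}
    return ids | {"PIWorld"}  # per the table above, PIWorld covers all users


def effective_rights(principals, point, points=POINTS):
    """Point security layer: rights the caller's identities hold on one point."""
    ids = identities_for(principals)
    return sorted(r for r, allowed in points[point].items() if ids & set(allowed))


def review(mappings=MAPPINGS, trusts=TRUSTS, points=POINTS):
    """Findings against the best-practice list: groups only, no trusts, least privilege."""
    findings = []
    for m in mappings:
        if not m["is_group"]:
            findings.append(f"individual-user mapping: {m['principal']} -> {m['identity']}")
    for t in trusts:
        if t["enabled"]:
            findings.append(f"PI Trust enabled: {t['name']}")
    for name in sorted(points):
        for right, allowed in points[name].items():
            if right != "Read" and "PIWorld" in allowed:
                findings.append(f"PIWorld holds {right} on {name}")
    return findings


if __name__ == "__main__":
    print(effective_rights([r"DOMAIN\PI_Admins"], "REACTOR_TEMP_001"))
    for finding in review():
        print("FINDING:", finding)
```

Running the review on a schedule that matches the quarterly audit gives a repeatable list of deviations to close out, rather than a manual walk through SMT.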

PI Vision Security

PI Vision inherits PI System security but adds display-level controls:

  • Display permissions: Control who can view/edit displays
  • Server-side rendering: Data never exposed to unauthorized users
  • HTTPS required: Always use SSL/TLS in production
  • Kerberos authentication: Single sign-on with AD
