Configuration as Code for PI System Security: Introducing PI Security DSC

Blog Post created by hpaul Employee on Aug 8, 2018

As a PI System administrator, do you want to:

  • use the same mechanism to secure both the OS and the applications running on it?
  • maintain a baseline across numerous nodes and sites?
  • have functional documentation that allows you to both apply and verify your configurations?


The Customer Success Cyber Security Champions have created the PI Security DSC module in the osisoft/PI-Security-DSC repository on GitHub to help address those needs. The module lets PI System administrators adopt the Configuration as Code paradigm and manage the security configuration of their PI Systems through Microsoft's Desired State Configuration (DSC) feature of PowerShell. The Microsoft documentation gives an excellent overview of the benefits of DSC in the Windows PowerShell Desired State Configuration Overview, but the bottom line is that DSC simplifies automation by allowing you to separate what you want to do from how it gets done. You create a human-readable configuration file that describes how you want the system configured, and DSC resource modules provide the machinery for DSC to test and apply that configuration to resources on the system. PI Security DSC contains DSC resource modules that extend this capability to PI System security objects.
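The separation of "what" from "how" described above, as an added example that is not taken from the PI-Security-DSC repository: one configuration declares an OS setting and a PI Data Archive setting side by side, then verifies and applies both. The module name PISecurityDSC, the PIIdentity resource and its property names are assumptions to check against the module's Resource Reference; the configuration name, node name and output path are hypothetical.

```powershell
# Added example: the configuration states the desired end state ("what");
# the DSC resource modules contain the logic to test and set it ("how").
Configuration PIBaselineExample            # hypothetical configuration name
{
    param(
        [string] $NodeName = 'localhost'   # assumption: the PI Data Archive runs on this node
    )

    # Built-in resources cover the OS; PI Security DSC resources cover PI System objects.
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName PISecurityDSC   # assumption: module name as installed

    Node $NodeName
    {
        # OS layer: keep the Remote Registry service stopped and disabled.
        Service RemoteRegistryOff
        {
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }

        # Application layer: keep the built-in PIWorld identity disabled.
        # Assumption: PIIdentity exposes these properties (see the Resource Reference).
        PIIdentity DisablePIWorld
        {
            Name          = 'PIWorld'
            IsEnabled     = $false
            Ensure        = 'Present'
            PIDataArchive = $NodeName
        }
    }
}

# Compile the configuration into a MOF document under .\PIBaselineExample.
PIBaselineExample -OutputPath .\PIBaselineExample

# Verify: report whether the node matches the declared state, without changing anything.
Test-DscConfiguration -Path .\PIBaselineExample -Verbose

# Apply: bring any resource that has drifted back to the declared state.
Start-DscConfiguration -Path .\PIBaselineExample -Wait -Verbose
```

Because the same file drives both `Test-DscConfiguration` and `Start-DscConfiguration`, it doubles as the functional documentation of the baseline and can be kept in source control and reviewed like any other change.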


For hardcore PI Geeks, this may sound familiar.  At PI World 2018, an early version of PI Security DSC was used during Extreme PI System Hardening in the developer track and in the PI System Anti-Hackathon lab for PI System administrators.  A lot of progress has been made since then.  The repository has:

  • The latest version, with newly added resources to manage the ACLs on PI Data Archive and AF Server objects
  • A Getting Started guide with detailed setup instructions
  • A Resource Reference with descriptions of every PI System object you can manipulate
  • Multiple example configurations, including:
    • A Windows Integrated Security configuration consistent with the PI Data Archive FSTS (KB01702)
    • A non-trivial example of Role Based Access Control in the PI Data Archive


Hopefully this post piqued your interest!  Future posts will dive into use cases and examples, but don't hesitate to reply with any questions in the meantime.