So, I am moving away from Trusts into mappings for our API machines. I am looking to use the PI API2016 utility, and am wondering what permissions I need to give the OPCint service account in the PI system?
Point 5 of this KB highlights minimum permissions for interfaces on the PI server.
In short, the service account needs at least read to the points you want to update from the interface. In most configurations, it is the buffer that writes to tags and therefore the account running the buffer service will need write to the tags. If you are not using the buffer, then the interface service account will require read/write to the PIPOINT database as well as the tags that are configured for the interface.
So, trying to parse through this. I am going to set it up for buffering, with output (you never know). I need a separate AD account for PI buffering and PI OPCint services. I need to create 2 identities PIBuffer and PIInterface (for lack of any originality). Then these identities need to be added to the PIPoint in the Database Security with (r) access for both new identities. I also will need to add these identities to every PI tag in the system, something like this?
Am I seeing this correctly?
Interface needs: Read to DBSecurity, DataSecurity, and PtSecurity
Buffer needs: Read to DBSecurity, DataSecurity, and PtSecurity AND Write to DataSecurity
It looks like you have pt and data security flopped for the buffer identity.
So, theoretically, if I had multiple APIs writing to a DA, then I should have separate PI Identities for each API, and only apply the identity to the points that are actually coming from that API, correct?
Ok, just documenting this portion for myself for use later.
That is correct; a truly minimum-permissions architecture would have each interface running as its own service account and authenticating via WIS as its own PI identity with access to only its tags. The one exception to this would probably be the case where you have interfaces running in failover, in which case it would make sense to have them connecting with the same PI identity.
It should be noted that whilst this is the most secure configuration, managing lots of PI identities with access to certain tags only will add an additional administrative burden. This can be handled with proper documentation (which it looks like you're doing) and procedures for adding new/managing existing interfaces.
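As an added example (not from this thread and not OSIsoft code), a small Python audit that parses the `identity: A(r,w) | ...` PI security descriptor format and checks the PIPOINT dbsecurity, ptsecurity and datasecurity strings for one tag against the minimum rights summarised above (read on all three for the interface identity, read plus write on datasecurity for the buffer identity). The identity names, the tag and its descriptors are constructed sample values.

```python
import re
from typing import Dict, Set

# Assumed PI security descriptor format, one ACE per identity, e.g.
#   "piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A(r)"
ACE_RE = re.compile(r"^\s*(?P<identity>[^:]+?)\s*:\s*A\((?P<rights>[rw,\s]*)\)\s*$")

def parse_security_string(sec: str) -> Dict[str, Set[str]]:
    """Parse a descriptor into {identity: {'r', 'w'}}; 'A()' yields an empty set."""
    acl: Dict[str, Set[str]] = {}
    for entry in sec.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        m = ACE_RE.match(entry)
        if not m:
            raise ValueError(f"unparseable ACE: {entry!r}")
        rights = {r.strip() for r in m.group("rights").split(",") if r.strip()}
        if not rights <= {"r", "w"}:
            raise ValueError(f"unknown right in ACE: {entry!r}")
        acl[m.group("identity")] = rights
    return acl

# Minimum rights per role as stated in this thread: both identities read the
# PIPOINT table, point security and data security; only the buffer writes data.
MINIMUM = {
    "interface": {"dbsecurity": {"r"}, "ptsecurity": {"r"}, "datasecurity": {"r"}},
    "buffer":    {"dbsecurity": {"r"}, "ptsecurity": {"r"}, "datasecurity": {"r", "w"}},
}

def audit_identity(security: Dict[str, str], identity: str, role: str) -> Dict[str, str]:
    """Per attribute: 'ok', 'missing <rights>' (checked first) or 'excess <rights>'.
    `security` maps attribute name -> descriptor string; dbsecurity is the PIPOINT
    entry from Database Security, the other two come from the tag itself."""
    findings = {}
    for attr, required in MINIMUM[role].items():
        granted = parse_security_string(security[attr]).get(identity, set())
        missing, excess = required - granted, granted - required
        if missing:
            findings[attr] = "missing " + ",".join(sorted(missing))
        elif excess:
            findings[attr] = "excess " + ",".join(sorted(excess))
        else:
            findings[attr] = "ok"
    return findings

# Constructed sample (hypothetical identities PIInterface / PIBuffer, not a real server):
# the interface was over-granted write on data, the buffer was under-granted it.
SAMPLE = {
    "dbsecurity":   "piadmins: A(r,w) | PIInterface: A(r) | PIBuffer: A(r)",
    "ptsecurity":   "piadmins: A(r,w) | PIInterface: A(r) | PIBuffer: A(r)",
    "datasecurity": "piadmins: A(r,w) | PIInterface: A(r,w) | PIBuffer: A(r)",
}
```

Running the audit over every tag an interface owns turns the per-interface identity scheme described above into a repeatable check rather than a one-off documentation exercise.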