3 Replies Latest reply on May 18, 2017 10:12 PM by messingerj

    How do I map a remote PI-SMT session to the PIadmin account so I have full admin priviledges

    caffreys_col

      I want to follow the OSI guidelines for security and do away with using the piadmin account as a login (although keep the user account). How do I setup a user/indentity to allow me full admin rights from a remote session? And how do I get full admin rights on a local session? Is that just granted through the default trusts on the PI server itself?

       

      I've created a trust based on the PI-SMT application (not sure I have got the correct name in the trust setup for the application though; is it SMTHost or SMTHost.exe??), but how do I know that it is working correctly?? And I don't want to accidently lock myself out!

       

      Thanks

       

      Colin

        • Re: How do I map a remote PI-SMT session to the PIadmin account so I have full admin priviledges
          messingerj

          Hi Colin,

           

          Admin rights on a local session are granted via the default PI Trust as you surmised. To get admin rights from a remote session without PI Trusts, you will need to create a PI Mapping. This should map your Windows credentials (either your individual domain account, or better yet, a security group that you belong to) to a PI Identity that has the required admin access. This could be either the legacy piadmins group, or a custom PI Identity that you have created and granted the necessary permissions to:

           

           

          Granting required permissions to this identity is done through the Database Security plugin in PI System Management Tools:

           

          You would add this identity to all the databases in this listing. Note that for the PIPOINT database, these permissions will not automatically flow down to existing PI tags, so you would also need to bulk update the security attributes on all your PI tags.

           

          From a practical perspective, mapping your Windows credentials to the piadmins group is easiest, as this group already has permissions to all objects, but it is a legacy security identity. Using the newer PI Identity objects follows the newer preferred security model (as these represent access roles), but require some additional setup and configuration, especially in an existing brownfield PI server.

           

          Have a look at some of the instructional videos in the Configure PI Server Security playlist on OSIsoft's YouTube channel.

           

          Regards,

          John