6 Replies Latest reply on Oct 17, 2017 2:50 PM by vint.maggs@srs.gov

    PIModules Table ACL

    vint.maggs@srs.gov

      I hate to ask, again, because I know I had this same issue on my other data archive server back in February but I forgot how I fixed this. Today I observed that the piadmins group on my second server does not have RW permissions on this table. I tried adding RW but got this error: Error setting DBSecurity for PIModules on server <hostname>. RPC Invoke failed [-10401]. No Write Access - Secure Object.

       

      I am logged into the data archive server using my domain account which is a member of domain group x which in turn is mapped to the piadmins group as well as the local administrators group. SMT shows piadmins in the lower left corner.

       

      Thanks,

      Vint

        • Re: PIModules Table ACL
          Dan Fishman

          One workaround, if you are actually logged onto the archive server is to change the PI SDK protocol order (PI SDK Utillity>Connections>Options) such that it will connect with a trust.   When you reconnect to PI SMT, you should then come in as PIAdmin.  You can make the change and then reset the default protocol order. I hit the PI Modules security issue quite often as well!

           

          Dan

          1 of 1 people found this helpful
            • Re: PIModules Table ACL
              vint.maggs@srs.gov

              Hey Dan. Does this mean I need to map my individual domain account to the piadmins group or will the existing domain group mapping be sufficient?

               

              Thanks,

              Vint

                • Re: PIModules Table ACL
                  Dan Fishman

                  No, the individual domain account does not apply to the workaround I suggested.  Have you tried to change the protocol order and see if you come in with "piadmin" rights? This won't work if you are using PI SMT remotely.  Anyone on the PI Server should come in through the !Proxy_127! trust. 

                   

                  To me, it sounds like you have read only permission to the the PIDBSEC table (PI SMT>Security>Database Security), which means you can't set security on the other tables.  Does piadmins have read/write to PIDSEC? 

                  • Re: PIModules Table ACL
                    vint.maggs@srs.gov

                    I have corrected the ACL. I had to physically go to the data center and log on to the console as the local administrator. Once in SMT, I was mapped to the piadmin identity which allowed me to fix the ACL.

                     

                    I normally manage my servers via RDP.

                     

                    Thanks,

                    Vint

                • Re: PIModules Table ACL
                  sraposo

                  Hi Vint,

                   

                  In addition to Dan Fishman's comment, I'd double check which PI Identity you are authenticating as (PI SMT, look at the bottom left to see which identity, OR in About-PI SDK > Connections).

                   

                  Also, I would check the modules to make sure piadmins has RW access. Changing the security at the database level does not change the security of existing objects. The change is applied for new objects.

                   

                  Thanks,

                  Seb

                    • Re: PIModules Table ACL
                      vint.maggs@srs.gov

                      Good Morning Sebastien. At the bottom left of SMT, it shows my domain userid and the groups piadmins, PIWorld, and a third domain group I have created for end users.

                       

                      When you say you would "check the modules" do you mean the Modules Database plugin of SMT? From %OSI down, I checked those and they are all still default, piadmin: A(r,w) | piadmins: A(r,w) | PIWorld: A(r,w).

                       

                      Thanks,

                      Vint