3 Replies Latest reply on Aug 15, 2018 8:01 PM by usjocxd

    Archive editing

    usjocxd

      From time to time our process engineers must edit some erroneous data points in the PI archive in order for reports to supply accurate data.  Currently those engineers are assigned administrator privileges so they can use SMT and edit the archive.  I have some concern that this puts us at risk of causing problems with our PI system since SMT allows access to many parameters (e.g. accidentally deleting tags).  Is there another method to allow users to edit archive entries without making a significant population of the plant PI administrators?

        • Re: Archive editing
          TimCarmichael

          This is a relatively common issue.

          Rather than give people administrative rights, change the data security setting on the tags that need to be edited and give them write access to those tags only. If necessary, create an identity in SMT and add the appropriate people to that identity.

           

          Additionally, consider creating 'manual adjustment' tags for the items in question and give access to only those tags to the engineers.

          The adjustment will be the difference between the current value in the production tag and the desired value.

          Then, in the report, the final value is the sum of the production tag and the adjustment.

           

          If at all possible, I try to avoid changing source data.

          2 of 2 people found this helpful
          • Re: Archive editing
            gachen

            Hi Christopher,

             

            Great to see that you are very cognizant of the need for good security policies and practices. It definitely is advisable to keep the membership of the piadmin role as small as possible, and unfortunately we still see many PI installations use piadmin for every connection, simply because PI security is complex and hard to implement.

             

            Specific to your question, if your engineers only need to change archive data, then they should only need read permissions on the PIPOINT database level, and then read permission on each point's PtSecurity attribute and read/write permissions on the DataSecurity attribute for each individual point that they would be expected to modify data for.

             

            A suggested implementation of this would be to create a new PI Identity for your engineers (e.g. "Engineers - Data Modification"), then grant this identity the above permissions. For modifying the point attributes, it may be most convenient to use a tool like PI Builder to make bulk modifications to the points. Ideally, you are already taking advantage of using Windows authentication with PI Mappings, in which case if your engineers all belong to the same Windows AD group, you could configure the PI Mapping between that AD group and the new PI Identity.

             

            Let us know if you encounter any difficulties or questions. For reference, you may also find this page from our Live Library helpful: Permissions required for tasks

            2 of 2 people found this helpful
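
An added example, not part of either reply and not OSIsoft's own tooling: a Python check over an exported point list that the engineers' identity holds only the point-level permissions described in the last reply (read on PtSecurity, read/write on DataSecurity, and only on tags approved for editing). It assumes point ACLs in the `identity: A(r,w) | ...` string form; the CSV column names, tag names and approved-tag list are constructed for illustration.

```python
import csv
import io
import re

ENGINEERS = "Engineers - Data Modification"  # identity name suggested in the reply
ACL_ENTRY = re.compile(r"^\s*(?P<who>[^:|]+?)\s*:\s*A\((?P<rights>[rw,\s]*)\)\s*$")

def parse_acl(acl):
    """Turn 'piadmins: A(r,w) | PIWorld: A(r)' into {'piadmins': {'r','w'}, ...}."""
    entries = {}
    for part in acl.split("|"):
        m = ACL_ENTRY.match(part)
        if not m:
            raise ValueError(f"unparseable ACL entry: {part!r}")
        entries[m["who"]] = {r.strip() for r in m["rights"].split(",") if r.strip()}
    return entries

def audit(rows, editable, identity=ENGINEERS):
    """Return (tag, finding) pairs where the identity deviates from the intended grants."""
    findings = []
    for row in rows:
        tag = row["tag"]
        pt = parse_acl(row["ptsecurity"]).get(identity, set())
        data = parse_acl(row["datasecurity"]).get(identity, set())
        if "w" in pt:  # write here allows changing or deleting the point itself
            findings.append((tag, "can write point configuration (PtSecurity)"))
        if tag in editable:
            if "r" not in pt:
                findings.append((tag, "missing read on PtSecurity"))
            if data != {"r", "w"}:
                findings.append((tag, "missing read/write on DataSecurity"))
        elif "w" in data:
            findings.append((tag, "can write data on a tag outside the approved list"))
    return findings

def load(text):
    """Read the export; ACL fields contain commas, so they must be quoted."""
    return list(csv.DictReader(io.StringIO(text)))

# Constructed sample export; tag names and column headers are made up.
SAMPLE = """tag,ptsecurity,datasecurity
FLOW.101.PV,"piadmins: A(r,w) | Engineers - Data Modification: A(r)","piadmins: A(r,w) | Engineers - Data Modification: A(r,w)"
TEMP.202.PV,"piadmins: A(r,w) | Engineers - Data Modification: A(r,w)","piadmins: A(r,w) | Engineers - Data Modification: A(r,w)"
PRES.303.PV,"piadmins: A(r,w) | PIWorld: A(r)","piadmins: A(r,w) | Engineers - Data Modification: A(r,w)"
LEVEL.404.PV,"piadmins: A(r,w) | PIWorld: A(r)","piadmins: A(r,w) | PIWorld: A(r)"
"""
if __name__ == "__main__":
    for tag, finding in audit(load(SAMPLE), {"FLOW.101.PV", "TEMP.202.PV"}):
        print(f"{tag}: {finding}")
```

Run after each bulk permission change so that drift, such as write access appearing on PtSecurity, shows up before an engineer can alter or delete a point by accident.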