10 Replies Latest reply on Jul 29, 2013 9:01 PM by RJKSolutions

    Time based security

      Wanted to float an unusual requirement that came my way recently, something that can be programmatically met but not something that can be done with the PI Server out of the box.

       

      We all apply security to data at the tag level, Identity A can see tags ... Identity B can see tags... However, I now want to apply another dimension of security that overrides the default Data Security with time based security.  In other words, I have a piece of equipment sending data to a set of PI tags.  I have security applied to those PI tags.  I may want to execute experimental or confidential runs of that equipment for which only a subset of users have access to the data for the time period of the run, after which the "normal" security is applicable again.  This is not just a real-time requirement but should be applicable for the life time of the data; if in 1 year's time someone is doing a historical 1 year average and they don't have access to that time period it is excluded from the result.  Data retrieval would just include a similar digital state to "Archive Gap" when there are gaps in the archives.

       

      It would fit nicely to lay Event Frames on top of the data for the time periods where varying levels of confidentiality are applicable.  However, that would only work if all access to the data took that into account.
      Or...
      We could use a new set of tags for the confidential periods.

       

      Other ways to achieve this but none tackle the problem at the PI Server level.

       

      Does this type of requirement come up with anyone else? 

       

      Jay, can you fit that in for PI Server 2013?

        • Re: Time based security
          andreas

          Interesting question - have a look here: http://techsupport.osisoft.com/techsupport/nontemplates/Download%20Center/DownloadCenter.aspx?Download_content=User+Manuals&download_product=B2E0CE17-2F46-4286-B5E8-F5738A442782, download the OSI PI COM Connector -- User Manual and search for "Time filtering".

           

          Two PI Systems were involved - one with all data, and one with the COM Connector just retrieving the data, filtering and providing it to the client applications. Today you probably would not use the MDB...

            • Re: Time based security
              andreas

              p.s. Obviously it is not widely used. Would be interesting to see the response of the community to your request.

                • Re: Time based security

                  This requirement came across my eyes again but for a different scenario.

                   

                  Does it come up with anyone else in discussions? Have OSIsoft thought about something like this? Quite a fundamental security change I imagine.

                    • Re: Time based security
                      Roger Palmen

                      Reading this thread again, my mind immediately jumps to the solution I would choose. I would typically use RBAC to control access through AD groups, and thereby the authorisation for an individual is controlled by the group membership. And tools for managing those are much more widespread than the proprietary PI Server security, and some would probably have this functionality already available (actually I know they do). A common scenario: Some manager on leave? Have him/her set a delegate for the period of the leave using a self-service portal.

                       

                      Thus may I be so bold and ask why you're seeking a solution within PI itself? The point really eludes me as any security is moving more and more outside of PI to AD.

                        • Re: Time based security

                          The authorization on the PI Point data would need to be honored permanently, so not only apply the security during "real time" but apply it permanently over time. Authentication via AD & RBAC is one part of the story, but the authorization on the PI Points is a function of the PI Server. It's the authorization that I am saying needs to be time based, as in PI Identity A (or one step further: PI ACL "xxxxxxx") has default Data Security R,W but during certain time periods that default Authorization is overridden by PI Identity B (or another PI ACL). After the event, if PI Identity A connects they don't see any data during the period that data security was overridden.

                           

                          Unless I am mistaken the Authentication aspect has no concept of time, nor does Authorization currently; the latter I think the PI Server can change, the former I highly doubt MS will change.

                            • Re: Time based security
                              dvacher

                              Rhys, we hear about this requirement from time to time (mostly from you, -jk-), but we are not ready to commit to adding such functionality to the PI Server.  As you mention, there's a huge amount of complexity involved, including performance impact.

                               

                              But since you mention a new scenario, could I dare asking what it is you have in mind?

                                • Re: Time based security
                                  Roger Palmen

                                  Rhys, Thanks for your explanation! If I understand it correctly, in simple terms: If today user X is not authorized to see a specific dataset, then tomorrow he also should not be authorized to see that specific dataset. Indeed, that can only be done in PI server.

                                   

                                  I do wonder however what should happen if user X and user Y both request an average over a time period where the authorisations differ. Two different averages i presume?

                                    • Re: Time based security

                                      Let me talk a simple scenario that has some similarities to some use cases I have (OSIsoft can have the real use cases via the client)...

                                       

                                      Imagine we have nomadic PI Servers with multiple ownership - I've just bought a new vehicle and it comes with a PI System. The PI System collects the car metrics just like we had at the vCampus Live Hackathon (which was awesome, this year better be as good). As a manufacturer of the car you would be able to obtain all the information of the vehicle to ascertain performance, maintenance ... for the lifetime of the vehicle's operation, and perform this in real-time (if it was a truly connected vehicle) or during maintenance schedules where the manufacturer would download the entire time period of data required.

                                       

                                      As the owner of the vehicle you would only be able to obtain data for the duration of your ownership of the vehicle; if you've bought the vehicle second hand then by default your data access would be reset upon purchase. Obviously the manufacturer would still retain ownership of the lifetime of the data.

                                       

                                      Now imagine the vehicle in question is a government vehicle that there are time periods when they (the owner) are doing some 'Secret Service' type activities in the car and they really don't want the manufacturer to know where they were, how fast they were going ... you'd want to be able to override the default data access for those periods.

                                       

                                      Roger, yeah I would imagine that the summary calculations would be applicable to however OSIsoft separate out the time periods of differing security. I haven't given it too much thought, but now that you've asked I can't help but think about it.... Event Frames screams out at me but they need much tighter integration with the PI Server, and more importantly the client tools.

                                        • Re: Time based security
                                          mhamel

                                          @Roger, Rhys: In a past life, I have implemented such logic with the PI System for a LIMS. Certain tests were confidential and protected with non-disclosure agreements, so not all searchers and lab technicians could query the database to get these results. At that time, I had implemented business logic with batches to create "boundaries" to results. This is comparable to row security in the relational database world.

                                           

                                          My technique consisted of removing all rights to PI Identities on these PI Points and leaving them for my "service" only to handle the data access. Then, you would need to write your own code on top of the AF SDK to handle these manipulations via batches, but this would be better with event frames. My service was running in three steps, first it was searching for data within the batches between a time t1 and t2 and second, validate the security descriptor and third, performing a data extraction against the PI Points (it would be AF Attributes now).

                                           

                                          Regarding summary calculation, you need to have a paradigm shift here. Time based security is a kind of data partitioning within the same PI Point/AF Attribute for storing the same measurement but for different users.

                                           

                                          I would have enjoyed having Event Frames when I built this project.

                                            • Re: Time based security

                                              Sounds interesting Mathieu. My issue with doing anything outside of the core PI Server is there will always be a way to circumvent the security by going directly to the PI Server. Say you implement the time based security filter using Event Frames within a custom data access layer/application, then assuming credentials are delegated from the custom app to the PI Server means they have access to the PI Points on the PI Server. So if they are restricted in the custom app they could go directly to the PI Points and see the data filtered out in the custom application.

                                               

                                              I suppose a new set of tags for the duration of such time restricted events is the safest approach for now.
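The following is an added example, not code from this thread, from OSIsoft, or from the PI/AF SDK. It models in plain Python the "service in front of the archive" pattern Mathieu describes (search the confidential intervals between t1 and t2, check who may read them, then extract), and it shows what Roger's question about two different averages looks like in practice: a summary is computed only over the samples the caller may see, and withheld samples are reported with a gap sentinel so the client can tell data was excluded rather than absent. The class and function names, the `"Archive Gap"` sentinel string, and the six-sample archive are all assumptions constructed for the example. Note the caveat Rhys raises in the reply above: this filter is only as good as the guarantee that nothing else can read the underlying archive.

```python
"""Time-partitioned read authorization in front of a tag archive (illustration only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple, Union

# Sentinel returned in place of a value the caller may not see; modelled on the
# "Archive Gap" digital state mentioned in the thread (the string is an assumption).
ARCHIVE_GAP = "Archive Gap"


@dataclass(frozen=True)
class Window:
    """A confidential run: during [start, end) only `allowed` may read the tag."""
    start: datetime
    end: datetime
    allowed: FrozenSet[str]

    def contains(self, ts: datetime) -> bool:
        return self.start <= ts < self.end


@dataclass(frozen=True)
class Sample:
    ts: datetime
    value: float


class TimeFilteredReader:
    """The only component that holds read access to the archive (the 'service'
    approach from the thread). Clients must never reach `archive` directly:
    if they can, the filtering below is trivially bypassed."""

    def __init__(self, archive: List[Sample], windows: List[Window],
                 default_allowed: FrozenSet[str]):
        self._archive = sorted(archive, key=lambda s: s.ts)
        self._windows = windows            # first matching window wins
        self._default_allowed = default_allowed

    def is_visible(self, identity: str, ts: datetime) -> bool:
        """An override window replaces the default ACL for that instant;
        outside every window the default ACL applies (deny if not listed)."""
        for w in self._windows:
            if w.contains(ts):
                return identity in w.allowed
        return identity in self._default_allowed

    def read(self, identity: str, t1: datetime, t2: datetime
             ) -> List[Tuple[datetime, Union[float, str]]]:
        """Samples in [t1, t2); withheld samples keep their timestamp but carry
        the gap sentinel so the caller can see that data was excluded."""
        out: List[Tuple[datetime, Union[float, str]]] = []
        for s in self._archive:
            if t1 <= s.ts < t2:
                visible = self.is_visible(identity, s.ts)
                out.append((s.ts, s.value if visible else ARCHIVE_GAP))
        return out

    def average(self, identity: str, t1: datetime, t2: datetime
                ) -> Tuple[Optional[float], int]:
        """Mean of the visible samples only, plus the number withheld.
        Identities with different windows therefore get different averages."""
        rows = self.read(identity, t1, t2)
        visible = [v for _, v in rows if v != ARCHIVE_GAP]
        hidden = len(rows) - len(visible)
        if not visible:
            return None, hidden
        return sum(visible) / len(visible), hidden


# --- constructed sample data; not taken from any real PI system -------------
T0 = datetime(2013, 7, 1, 0, 0)
H = timedelta(hours=1)
ARCHIVE = [Sample(T0 + i * H, v)
           for i, v in enumerate([10.0, 20.0, 90.0, 100.0, 50.0, 60.0])]
# Confidential run covering hours 2 and 3: only IdentityB may read those samples.
WINDOWS = [Window(T0 + 2 * H, T0 + 4 * H, frozenset({"IdentityB"}))]
READER = TimeFilteredReader(ARCHIVE, WINDOWS,
                            frozenset({"IdentityA", "IdentityB"}))


if __name__ == "__main__":
    for who in ("IdentityA", "IdentityB", "Nobody"):
        print(who, READER.read(who, T0, T0 + 6 * H),
              READER.average(who, T0, T0 + 6 * H))
```

Running it shows IdentityA's one-day average computed over four samples with two gaps, IdentityB's over all six, and an unlisted identity getting gaps everywhere. Whether the windows come from Event Frames, batches or a separate table is immaterial to the filter; what matters is that every read path goes through it, which is exactly the property a custom layer cannot enforce if the PI Points themselves remain readable.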