3 Replies Latest reply on Apr 23, 2013 6:12 AM by RJKSolutions

    How can I secure PI SMT to allow use of parts of SMT by user roles?

    markshannon

      I have deployed PI SMT to 3 different users who like and use only a couple of features of PI SMT. My dilemma is that I don't want SMT in the hands of users because of its inherent power, however the users who have SMT find the archive data retrieval particularly useful and one of the other users likes the ability to modify tag properties thru SMT's point builder. Does anyone know of a way to deliver archive data retrieval effectively thru anything other than SMT? Does anyone know of a way to allow modifications to tag properties by using something other than SMT?

       

      Thanks

       

       

        • Re: How can I secure PI SMT to allow use of parts of SMT by user roles?
          jlakumb

          There may be multiple ways to accomplish this depending on your needs.  Before I offer suggestions outside of PI SMT, it turns out we have a lesser known feature which is designed for this exact use case.  You may want to review the Silent Installs topic in the PI SMT Release Notes.  Here is an excerpt.  Hopefully this would meet your needs.  If not, can you please clarify why?

           

          Silent Installs

           

          To install SMT silently and limit the plug-ins that are installed, some command line arguments are required. These command line arguments can be specified in the silent.ini in the entry for PISMT3.msi. For example, to silently install SMT without the Alarms or the Batch plug-ins, the following command could be used:

           

          REBOOT=Suppress ALLUSERS=1 /qn INSTALLALARMS=0 INSTALLBATCH=0

           

          The INSTALLALARMS and INSTALLBATCH parameters are case sensitive. Here is a list of all pismt3.msi specific parameters:

            • Re: How can I secure PI SMT to allow use of parts of SMT by user roles?
              bbregenzer

              I was unaware that you could limit which plug-ins get installed with SMT so thanks, Jay, for enlightening me.  I can cover some alternative methods if you decide you want to try something different.

               

              To answer your questions:

               

              “Does anyone know of a way to deliver archive data retrieval effectively thru anything other than SMT?”

               

              PI DataLink is an excellent way to retrieve archive data.  Just use the Compressed Data function to pull archived data into Excel.

               

              “Does anyone know of a way to allow modifications to tag properties by using something other than SMT?”

               

              Another Excel plug-in, the PI Tag Configurator, is an easy way to import and export tag configurations.  It is especially useful for bulk edits.  It is included in the SMT install kit.  You can find more information here:

               

              techsupport.osisoft.com/.../PI%20Tag%20Configurator.htm

               

              If you want to restrict users’ abilities to make changes to the PI Server through SMT, then you will need to restrict the access their PI Identity has to the underlying databases on the PI Server.  If you are using mappings for the users then you will need to alter the database rights for the PI Identity, User, or Group that their Windows account is mapped to.  As the administrator, you can control database security in the Security plug-in in SMT.  I would suggest the Configuring PI Server Security manual for more details, especially Appendix A: Task-Based Access Permissions Reference.

               

              Finally, I found there was previously a good discussion on vCampus about security; here is the thread:

               

              vcampus.osisoft.com/.../4026.aspx

                • Re: How can I secure PI SMT to allow use of parts of SMT by user roles?

                  Brent Bregenzer

                  If you want to restrict users’ abilities to make changes to the PI Server through SMT, then you will need to restrict the access their PI Identity has to the underlying databases on the PI Server.  If you are using mappings for the users then you will need to alter the database rights for the PI Identity, User, or Group that their Windows account is mapped to.  As the administrator, you can control database security in the Security plug-in in SMT.  I would suggest the Configuring PI Server Security manual for more details, especially Appendix A: Task-Based Access Permissions Reference.

                   

                  I would recommend this too, and it is what we currently do.  There will always be that user out there that installs the full SMT and has access to things they shouldn't.  If they don't need it then remove their Identity read access via Database Security.  You should define levels of administration within your Identities and map appropriately.  Levels would include basic administrative abilities to create/edit tags (PIPoint table), medium abilities to create/edit PI Identities/Mappings/... , and then top level administrators that have access to the Database Security table, Archive Management etc.
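
Added example (not part of the thread and not OSIsoft code): a small audit of the tiered Database Security model described in the last reply, flagging identities whose write access exceeds their tier. The entry names (PIPOINT, PIUSER, PIMAPPING, PIDBSEC, PIARCADMIN), the `identity: A(r,w) | ...` ACL string format, the identity names and the tier policy are assumptions; the sample ACLs are constructed.

```python
import re

# Hypothetical tier policy: Database Security entries each tier may write.
# Entry names are assumed to match those listed in the SMT Security plug-in.
TIER_WRITE = {
    "basic": {"PIPOINT"},
    "medium": {"PIPOINT", "PIUSER", "PIMAPPING"},
    "top": {"PIPOINT", "PIUSER", "PIMAPPING", "PIDBSEC", "PIARCADMIN"},
}
# Constructed identity-to-tier assignment (identity names are illustrative).
IDENTITY_TIER = {"TagEditors": "basic", "SecurityAdmins": "medium", "piadmins": "top"}
# Constructed sample: one ACL string per Database Security entry.
SAMPLE_ACLS = {
    "PIPOINT": "piadmins: A(r,w) | TagEditors: A(r,w) | PIWorld: A(r)",
    "PIUSER": "piadmins: A(r,w) | SecurityAdmins: A(r,w) | TagEditors: A(r,w)",
    "PIMAPPING": "piadmins: A(r,w) | SecurityAdmins: A(r,w)",
    "PIDBSEC": "piadmins: A(r,w) | SecurityAdmins: A(r,w) | PIWorld: A(r)",
    "PIARCADMIN": "piadmins: A(r,w)",
}

ACE = re.compile(r"^\s*(?P<name>[^:|]+?)\s*:\s*A\((?P<rights>[rw,\s]*)\)\s*$")

def parse_acl(acl):
    """Return {identity: set of rights} for an ACL like 'a: A(r,w) | b: A(r)'."""
    out = {}
    for part in acl.split("|"):
        m = ACE.match(part)
        if not m:
            raise ValueError(f"unparseable ACL entry: {part!r}")
        out[m["name"]] = {r.strip() for r in m["rights"].split(",") if r.strip()}
    return out

def audit(acls, identity_tier=IDENTITY_TIER, tier_write=TIER_WRITE):
    """List (entry, identity, reason) where write access exceeds the tier."""
    findings = []
    for entry, acl in sorted(acls.items()):
        for identity, rights in parse_acl(acl).items():
            if "w" not in rights:
                continue  # read-only access is outside this write-focused check
            tier = identity_tier.get(identity)
            if tier is None:
                findings.append((entry, identity, "write access, no tier assigned"))
            elif entry not in tier_write[tier]:
                findings.append((entry, identity, f"write exceeds '{tier}' tier"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACLS):
        print(*finding, sep=" | ")
```

Because the check runs against the server-side ACLs, it gives the same result whether a user installed a limited or the full SMT.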