2 Replies Latest reply on Oct 17, 2014 1:13 PM by pisupportduke

    Coresight Security and Access Rights


      We are currently struggling to configure Coresight security in a test Coresight configuration and some questions have arisen.


      1. If Coresight is configured to use a service account that is part of an AD group that is mapped to the piadmin account, does the service then have write access to the PI server?


      2. With multiple AD groups having read access to the PI tags and data, and mutually exclusive access between groups, how many identities should be created? One per group?


      3. Ultimately, what access does an individual within a given AD group have? Does the AD group access, as defined in the tag and data security, pass through the identity?


      As much as I enjoy the product, the documentation is not always clear.

        • Re: Coresight Security and Access Rights
          Roger Palmen

          Hi Alex,


          1) Yes, then the service has write access to the PI Server but the service does not write data to PI. However, using the piadmin user account in PI Server is not recommended.


          2) Any AD group that requires access to the PI tags and data should have a mapping to a PI identity/user/group that allows access to the PI tags. If you only need read access for a number of PI groups, you can create a single identity that has access to the PI data and create a mapping for each AD group to that identity.


          3) The individual receives the access that is granted through the AD group to the mapping to the PI identity to the PI Point authorisations. Assuming Kerberos in place, it's always the individual user being passed to the PI server. The PI server then checks the group memberships, mappings and authorisations.


          It's a fine-grained model, so yes, design of security requires a mix of knowledge of both Windows and PI security principles.


          Hope this helps!
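
The chain described in this reply (AD group, then mapping, then PI identity, then point authorisation), as an added example that is not part of the original thread or the vendor's code: a simplified Python model for checking what an account ends up with, including whether a service account's groups give it write access. All group, identity and tag names are constructed, and implicit identities such as PIWorld are not modelled.

```python
import re

# Constructed sample: PI mappings from AD group to PI identity/user.
MAPPINGS = {
    r"CORP\PI-Readers-PlantA": "PlantA_Read",
    r"CORP\PI-Readers-PlantB": "PlantB_Read",
    r"CORP\PI-Admins": "piadmin",   # the mapping question 1 asks about
}

# Constructed sample: per-point data security as "identity: A(r,w)" ACL strings.
POINT_DATA_SECURITY = {
    "PlantA.Flow.PV": "piadmin: A(r,w) | PlantA_Read: A(r)",
    "PlantB.Temp.PV": "piadmin: A(r,w) | PlantB_Read: A(r)",
}

def parse_acl(acl):
    """Parse 'name: A(r,w) | other: A(r)' into {name: set of rights}."""
    entries = {}
    for part in acl.split("|"):
        m = re.fullmatch(r"\s*(.+?)\s*:\s*A\(([rw,\s]*)\)\s*", part)
        if not m:
            raise ValueError(f"malformed ACL entry: {part!r}")
        rights = {r.strip() for r in m.group(2).split(",") if r.strip()}
        entries[m.group(1).lower()] = rights
    return entries

def identities_for(ad_groups):
    """PI identities reached through the mappings of the user's AD groups."""
    return {MAPPINGS[g].lower() for g in ad_groups if g in MAPPINGS}

def effective_rights(ad_groups, tag):
    """Union of the rights granted on one tag to every mapped identity."""
    acl = parse_acl(POINT_DATA_SECURITY[tag])
    rights = set()
    for identity in identities_for(ad_groups):
        rights |= acl.get(identity, set())
    return rights

def writable_tags(ad_groups):
    """Tags on which the account holds write access, e.g. to audit a service account."""
    return sorted(t for t in POINT_DATA_SECURITY
                  if "w" in effective_rights(ad_groups, t))

if __name__ == "__main__":
    for groups in ([r"CORP\PI-Readers-PlantA"], [r"CORP\PI-Admins"]):
        for tag in POINT_DATA_SECURITY:
            print(groups, tag, sorted(effective_rights(groups, tag)))
        print(groups, "writable:", writable_tags(groups))
```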