Professional Documents
Culture Documents
Contacting Rockwell
Copyright Notice
2013 Rockwell Automation, Inc. All rights reserved. Printed in the USA.
This document and any accompanying Rockwell Software products are copyrighted by Rockwell Automation,
Inc. Any reproduction and/or distribution without prior written consent from Rockwell Automation, Inc. is
strictly prohibited. Please refer to the license agreement for details.
Trademark Notices
FactoryTalk, FactoryTalk Historian Machine Edition (ME), FactoryTalk Historian Site Edition (SE), FactoryTalk
Live Data, FactoryTalk Services Platform, FactoryTalk VantagePoint, FactoryTalk View, FactoryTalk ViewStudio,
Rockwell, Rockwell Automation, Rockwell Software, RSView, RSView Machine Edition, RSView ME Station,
RSView Studio, and RSLinx Enterprise are trademarks of Rockwell Automation, Inc.
Any Rockwell Automation logo, software or hardware not mentioned herein is also a trademark, registered or
otherwise, of Rockwell Automation, Inc.
For a complete list of products and their respective trademarks, go to
http://www.rockwellautomation.com/rockwellautomation/legal-notices/overview.page?%23tab4#/tab4.
Other Trademarks
ActiveX, Microsoft, Microsoft Access, SQL Server, Visual Basic, Visual C++, Visual SourceSafe, Windows,
Windows ME, Windows NT, Windows 2000, Windows Server-, Windows XP, Windows 7, and Vista are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Adobe, Acrobat, and Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in
the United States and/or other countries.
ControlNet is a registered trademark of ControlNet International.
DeviceNet is a trademark of the Open DeviceNet Vendor Association, Inc. (ODVA)
OLE for Process Control (OPC) is a registered trademark of the OPC Foundation.
Oracle, SQL*Net, and SQL*Plus are registered trademarks of Oracle Corporation.
All other trademarks are the property of their respective holders and are hereby acknowledged.
Warranty
This product is warranted in accordance with the product license. The products performance may be affected
by system configuration, the application being performed, operator control, maintenance, and other related
factors. Rockwell Automation is not responsible for these intervening factors. The instructions in this
document do not cover all the details or variations in the equipment, procedure, or process described, nor do
they provide directions for meeting every possible contingency during installation, operation, or
maintenance. This products implementation may vary among users.
This document is current as of the time of release of the product; however, the accompanying software may
have changed since the release. Rockwell Automation, Inc. reserves the right to change any information
contained in this document or the software at any time without prior notice. It is your responsibility to obtain
the most current information available from Rockwell when installing or using this product.
Table of Contents
Introduction to Historian Server Security .................................................................................... 1
A Brief Look at Historian Server Security ........................................................................... 1
How the Security Model Has Changed .................................................................... 1
What are PI Identities and PI Mappings? ................................................................ 4
Why Use Windows Integrated Security? ............................................................................ 9
Configuring Security on a New Historian Server Installation ..................................................11
Quick-Start Configuration ................................................................................................. 11
About the Configuration ......................................................................................... 12
How to Configure ................................................................................................... 12
Improve the Quick-Start Configuration .................................................................. 13
Recommended Configuration .......................................................................................... 14
Configure Authentication ....................................................................................... 15
Configure Access Permissions .............................................................................. 21
Other Security Configurations .......................................................................................... 24
Use Local Windows Security ................................................................................. 25
Use Local Windows Security with AD .................................................................... 28
Use PI Users and Groups ...................................................................................... 28
Configure Historian Interface Connections ...................................................................... 30
About Trusts........................................................................................................... 31
How to Create a Trust ............................................................................................ 31
Configuring Security for Historian Server Upgrades................................................................ 35
What is in the New Security Model? ................................................................................ 35
Why a New Security Model? ............................................................................................ 36
Your Upgrade Options...................................................................................................... 36
Quick-Start Security Migration ............................................................................... 37
Migrate over Time .................................................................................................. 38
Implement a New Configuration ............................................................................ 46
Keep Existing Configuration .................................................................................. 46
Security for Historian Collectives ............................................................................................... 47
Overview of Security in Historian Collectives ................................................................... 47
Custom Security Configurations ....................................................................................... 48
How to Enable the Lookup-Failure Tuning Parameter .....................................................48
Creation of Mappings with a Windows Security ID (SID) .................................................49
Tightening Security ...................................................................................................................... 53
Protect piadmin ................................................................................................................ 53
Configuring FactoryTalk Historian SE Security
iii
Table of Contents
iv
Chapter 1
Note: The Historian Server continues to support previous Historian Server security
mechanisms. If you decide not to use the new security model, then no action is
required on your part. If you do choose to keep your existing security
configuration, you are free to gradually migrate to the new security model at a later
date.
Authentication (page 2)
Authorization (page 4)
Authentication
Before the FactoryTalk Historian 3.0 release, two methods of authentication were available:
Trusts and Historian password authentication (also called explicit logins).
Trusts were typically used for Historian Interfaces, which run unattended. Trust
authentication works by comparing the connection credentials of the connecting
application to the trust records in the trust database. Human intervention is not required at
the time of connection.
Starting with FactoryTalk Historian 3.0, a third method of authentication becomes available:
Windows authentication. With this method of authentication, users log onto their Windows
accounts and are automatically authenticated on the Historian Server. Rather than requiring
individual user accounts on the Historian Server, in the new model you define user
categories, called PI identities, on the Historian Server. You then create mappings from
groups of Windows users to the relevant user categories. PI identities and PI mappings are
new objects in FactoryTalk Historian 3.0.
This authentication model provides single sign-on for PI users, requires less maintenance for
Historian administrators, and significantly increases security over the previous model. Both
Trusts and explicit logins remain as authentication mechanisms on the Historian Server.
Trusts are still the recommended method for authenticating most interfaces. However,
explicit logins are not recommended. They are available to provide backward compatibility.
Authorization
The new security model includes a much more flexible model for access permissions. In
previous versions of the Historian Server you could set permissions only for one owner, one
user group, and for world access (everyone else). With the new security model, each
Historian Server object can have read and/or write permissions defined for any number of PI
identities.
Each Historian Server resource (such as the TestTag in the illustration above) can have
defined access permissions for any number of PI identities. Although the Windows user gets
access permissions through one or more PI identities, the Historian Server keeps track of the
specific Windows user ID both in the audit trail and in the last change information.
Note: Although the Historian Server can use Windows security for authentication, you
still need to define access permissions explicitly on the Historian Server.
Note: The PI Identities tab appears only if you are connected to at least one Historian
Server version 3.0 or later. If not, then only the PI Users and PI Groups tabs
appear.
To see what identities you are currently connected as, look at the connection information at
the bottom left of SMT. It displays your Windows user ID, followed by the list of your
identities (and/or PI users and groups).
If you click the identities, a dialog box tells you how you are connected (for example, through
a mapping, a trust or as a default user).
Note: Your Windows account is always displayed, even if you are not connected to the
Historian Server through a mapping.
To manage PI mappings in SMT, use the Mappings & Trusts tool. Click the Mappings tab
to see all the PI mappings defined for all connected Historian Servers.
Note: The Mappings tab appears only if you are connected to at least one Historian
Server version 3.0 or later. If not, then only the Trusts tab appears.
The following table shows all the built-in PI identities, PI users, and PI groups:
Name
Description
piadmin
A PI user with super privileges. The piadmin user always has complete
read/write access to all Historian Server resources. You cannot modify the
access permissions for piadmin. In most cases, you should not map
piadmin to any AD group or user. At most, you should map it to a very
small group of administrators. Though you cannot delete the piadmin user,
you can disable it to varying degrees.
piadmins
PIOperators,
PIEngineers,
and
PISupervisors
Name
Description
piusers
PIWorld
Note: There is also a hidden user and a hidden group: PIUserIncompatible and
PIGroupIncompatible. Historian Server uses them to display an owner and group
in older administrative tools that do not support Windows authentication. They do
not appear in the list of identities by default. To show them, use the Options
button. These PI identities are included only on Historian Servers 3 and later.
might need to reconfigure the piadmins access permissions in order to use this PI group for
administrative tasks. To do this, add read/write access for piadmins to:
See How to Configure Access Permissions (page 22) for more information. You can then map
piadmins to the Windows users and/or groups that represent your Historian Server system
administrators.
Note: The piadmins PI group was called piadmin on previous versions of the Historian
Server. This meant that Historian Servers had both a PI user called piadmin and
a PI group called piadmin. The PI group name was changed to piadmins (plural)
with the FactoryTalk Historian 3.0 release, in order to prevent conflict with the
piadmin user account.
The PIWorld identity replaces the world access of earlier versions of the Historian Server;
world access was always granted to all authenticated users, but there was no explicit world
user account. On FactoryTalk Historian 3.0 and later, the previously implied world access is
now made explicit with the PIWorld identity.
By default, PIWorld is granted read access to most Historian Server databases and objects.
The PIWorld identity does not have access to the following tables: PIARCADMIN,
PIARCDATA, PIBACKUP, PIMSGSS, PIReplication, PITuning, PIAFLINK, PIAUDIT,
PIMAPPING, and PITRUST. You can change the access permissions granted PIWorld, but
you cannot delete this identity. The PIWorld identity cannot be used in a mapping or a trust.
Less work for Historian Server administrators. You no longer need to create and
manage individual user accounts on the Historian Server. When a user enters, leaves, or
changes roles, you only need to modify the Windows configuration. Historian Server
security automatically reflects these changes. You also get complete traceability of the
specific Windows account in the Historian Server log and audit trail records.
10
Single-sign on for users. Users need only log on to their Windows account. Historian
clients will automatically authenticate through the PI SDK. No additional Historian
Server login is required.
Improved Security:
Secure authentication. Connections are authenticated through Microsoft's Security
Support Provider Interface (SSPI). If you're using AD, then this means the most
secure Kerberos authentication, which greatly improves your Historian Server
security.
Control over server-side authentication policies. With the new security model, you
have control over the authentication protocols that client applications can use to
connect to the Historian Server. You can disable authentication methods that are less
secure and keep only the connection methods that you need.
More control over access permissions. The new security model includes a much more
flexible model for access permissions. In previous versions of the Historian Server you
could set permissions only for one owner, one user group, and for world access (everyone
else). With the new security model, each Historian Server resource can have read and/or
write permissions defined for any number of PI identities.
Chapter 2
Option 1: Quick-Start Configuration (page 11) describes a simple configuration that you
can use while you are working on a more comprehensive security configuration plan.
While very quick to implement, this configuration is not as secure or as flexible as the
recommended configuration. However, options for improving the security and flexibility
of this configuration are included. For simple systems, this might be sufficient for your
needs.
Option 2: Recommended Configuration (page 14) explains how to create and implement
a custom Historian Server security configuration that uses Microsoft Active Directory
(AD) for authentication (but not for Historian access permissions; these are still defined
directly on the Historian Server). This is the recommended configuration path.
The above configuration options assume that you are using AD for authentication and that all
users are on the same domain or on fully-trusted domains. If the Historian Server will be
accessed by client applications across non-trusted domains, then these configurations might
be difficult to implement. You can alternatively use local Windows security alone or in
conjunction with AD. See Other Security Configurations (page 24) to determine your
options.
For instructions on upgrades, see Configuring Security for Historian Server Upgrades (page
35).
Quick-Start Configuration
This configuration provides a quick implementation option that you can use while you are
developing a more complete security plan. For very simple systems, you could use this
configuration long term; in that case, consider making some adjustments to improve security
and increase flexibility.
About the Configuration (page 12) explains the configuration and how it works.
Improve the Quick-Start Configuration (page 13) explains how you could improve the
quick-start configuration to make it more usable for the long term.
11
PIWorld: PIWorld is a built-in PI identity that is preconfigured with read access to most
Historian Server resources. You cannot use PIWorld directly in a mapping. However all
authenticated users on the Historian Server get at least PIWorld access. Map an AD
group to any PI identity (or PI group or PI user). All the Windows users in that AD group
will automatically get the access that is preconfigured for PIWorld. See The PIWorld
Identity (page 9) for more on PIWorld.
Note: This configuration relies on PIWorld access. It does not work if you disable
PIWorld.
How to Configure
In this very simple model, users either get read-only access to everything on the Historian
Server or they get read/write access to everything on the Historian Server. You do not
configure different access levels for different PI resources. In AD, your users should be
grouped according to these two levels of //// access. (For AD configuration, your company's
IT department is probably your best resource.)
Step 1. Configure Authentication:
1. Identify which AD group or groups will have administrator (read/write) privileges on the
Historian Server. Identify which groups will have read-only access.
2. Map the AD group that represents Historian administrators to the built-in PI group called
piadmins. You can map multiple AD groups to piadmins if needed. Because piadmins has
predefined read/write access to all Historian Server configuration and data, all the
Windows users in those AD groups will then get that level of access.
Note: Be sure to use the piadmins group and not the piadmin user.
12
Quick-Start Configuration
3. Map the AD group containing your read-only access users to the built-in PI group
piusers. You can map multiple AD groups to piusers if needed. All the Windows users in
those groups will be authenticated as piusers. Since all authenticated users get read access
through the PIWorld identity, you do not need to explicitly configure access permissions
for piusers.
Step 2. Configure Historian Interfaces. See Configure Historian Interface Connections (page
30).
To make the quick-start security configuration more flexible, you can add PI identities to
represent different user categories. For example, you might want to grant IT
administrators permission to perform backups. To do that, you create a PI identity and
give it the necessary access permissions. Then create a mapping between AD group for
the IT administrators and that PI identity.
To make the quick-start security configuration more secure, you can explicitly set the
access permissions for the piusers group, rather than relying on the PIWorld access
permissions. In the quick-start configuration we relied on PIWorld in order to make the
configuration process quicker and easier. However, it is a better practice to use explicitlyconfigured access permissions. If you rely on PIWorld, it becomes difficult over time to
determine which users or applications are relying on that access.
13
When you create new points, the piusers group will automatically have read-only access.
This is because new points automatically have the same access permissions as the
PIPOINT entry in the Database Security tool. See Set Default Access for New Points and
Modules (page 23) for instructions.
3. Set permissions for existing modules. At a minimum, the Historian Server installation
includes the built-in module %OSI. Depending on what client applications you have
installed, there might be others. To explicitly grant read access to the piusers group, edit
the modules themselves. You can do this using the Module Database tool in SMT.
When you create new modules, the piusers group will automatically have read-only
access. This is because new modules automatically have the same access permissions as
the PIModules entry in the Database Security tool. See Set Default Access for New Points
and Modules (page 23) for instructions.
Recommended Configuration
These instructions assume that you are using Microsoft Active Directory (AD) for
authentication. You can use local Windows security instead, but it is not quite as secure and
extra configuration is required. See Use Local Windows Security (page 25).
To configure Historian Server security with AD authentication (each step is explained in
more detail in the following sections):
1. Configure User Authentication. In most cases this simply means creating a PI identity
for each AD group that requires Historian access and creating a mapping between them.
a. Identify User Access Categories: Identify the users who need access to the
Historian Server. Understand their roles, and the types of access they need. For
example: who needs permission to create points? Who should be allowed to edit
modules? Who will perform Historian Server Backups? See Identify User Access
Categories (page 15).
a. Create PI Identities: On the Historian Server, create PI identities for each user
category. See Create PI Identities (page 17).
b. Review Active Directory Groups: In Windows, identify Active Directory groups
that represent your Historian Server users. In some cases you might need the help of
your domain administrator in order to create new groups, nest existing groups, or
adjust group memberships. See Review AD Configuration (page 17).
c. Map AD Groups to Identities: Once you have the necessary AD groups and PI
identities, the next step is to set up a mapping between them. See Map AD Groups to
PI Identities (page 20).
2. Configure Access Permissions. Give your PI identities access to the necessary Historian
Server resources. The access permissions specify what tasks each PI identity is allowed to
perform on the Historian Server. See Configure Access Permissions (page 21).
3. Configure Historian Interface (and Historian Client) access to the Historian Server.
a. Configure access for Historian Interfaces: You need to set up Trusts for interfaces
that will connect to the Historian Server. Each trust is defined against a PI identity
14
Recommended Configuration
that has the required access permissions for that interface. See Configure Historian
Interface Connections (page 30) for instructions on creating Trusts for interfaces.
b. Configure access for client applications (optional): Client applications typically
connect to the Historian Server using PI SDK. You need SDK 1.3.6 or later to use
Windows authentication. Certain Historian client applications require a connection to
a separate application server in addition to a Historian Server. These types of
applications require additional configuration steps. See How Will FactoryTalk
Historian 3.0 Affect My Clients and Interfaces? (page 61) for more information.
There are a number of things you can do to provide extra security for your Historian Server.
See Tightening Security (page 53) for suggestions and instructions.
Configure Authentication
This section discusses the recommended approach to configuring your Historian Server
authentication.
Note: If you already know which AD group or groups will have Historian Server access,
then you can simply create a PI identity for each of these groups and map each
AD group to the appropriate identity.
What level of access do they need for each resource? (Read access? Read/write access?)
Define categories of users that need the same set of access permissions. These will be your PI
identities. You can have as many categories as you want. Typical Historian installations start
from one of the following basic models:
15
This model adds a third category, which we will refer to as IT administrators. The IT
administrator category has read-write access to only a subset of Historian Server
resources. This model allows you to give separate access permissions to IT administrators
for some tasks such as backups.
These category models are presented as examples. You can adjust them to suit your needs or
you can use your own strategy entirely. In some cases you might need a higher level of
granularity in the access permissions. For example, different categories of users might need to
be able to read from, write to, or configure different points.
Create PI Identities
Once you have identified user categories, you designate a PI identity or group for each
category. You can create your own PI identities, or you can use some of the built-in PI
identities and groups that are included in the Historian Server installation (Built-in Identities,
Users, and Groups (page 7)).
Most of these are sample identities, not configured with access permissions. However the
piadmins group is preconfigured with read/write access to all Historian Server resources.
Using piadmins for your main administrator category can save you some configuration time.
The following example shows you how you might use built-in PI identities for the four user
categories described in Identify User Access Categories (page 15).
Users: Use the built-in PI group called piusers. This group does not have any
preconfigured access permissions, so you will have to set those manually. As a short-cut
you could rely on the PIWorld access permissions, rather than explicitly setting
permissions for piusers. However, this model is less secure. See The PIWorld Identity
(page 9).
Engineers: Use the built-in PI identity called PIEngineers. This identity does not have
any preconfigured access permissions, so you will have to set those manually.
Administrators: Use the built-in PI identity called piadmins. By default, this identity
has read/write access to all Historian Server resources. You can adjust these access
permissions as needed.
IT Administrators: Create a PI identity called ITAdmins. You will need to set the
access permissions manually.
Creating PI identities is just the first step. You also need to:
16
Map each AD group to the appropriate PI identity (Map AD Groups to PI Identities (page
20)).
Configure access permissions for each PI identity (Configure Access Permissions (page
21)).
Recommended Configuration
If you try to create an identity with an invalid name, an error message appears and the
identity is not created. Note that you can change an identity name any time after creation.
6. Select the appropriate server from the drop-down Server list. This list is populated from
the selected servers under Collectives and Servers. Only version 3.0 and later Historian
Servers appear in the list. Earlier versions of the Historian Server do not support PI
identities.
7. Optionally, enter a brief description in Description. There are no restrictions on the
contents of this field.
8. At the bottom of the dialog box, select the Identity cannot be deleted check box. This
prevents the identity from being accidentally deleted. In order to delete this identity, you
must first edit the identity and clear this check box.
9. Click Create. The new PI identity now appears in the PI Identities tab.
Review AD Configuration
In most cases you can rely on existing AD groups and you will not need to do any AD
configuration. Work with your Windows domain administrator to review existing groups and
make any necessary adjustments.
Note: Although the Historian Server can use AD for authentication, it does not use
Windows access permissions to determine Historian Server access levels. You
still have to set access permissions explicitly on the Historian Server.
Make sure you have appropriate AD groups for each type of Historian Server user. For
each PI identity, you should ideally have a single corresponding AD group. Users that
belong to more than one AD group get the cumulative access permissions for all the
associated PI identities.
17
Review your AD group memberships to ensure that all Windows users will get the
appropriate Historian Server permissions (Historian Server Access Permissions and AD
(page 18)).
Establish a naming convention for PI identities and/or AD groups so that it is clear which
group is mapped to which identity. Over time, you will be able to control user access to
the Historian Server simply by editing group memberships in AD or Windows
Once you have a workable set of AD groups, you are ready to map AD groups to PI
identities.
Note: If your current AD groups do not suffice and you cannot get your AD domain
administrator's support, use a simple workaround: Create local Windows groups
on your Historian Server and then place existing AD groups within the local
groups. See Other Security Configurations (page 24) for more information.
Look at the access needs for all your Windows users. Which AD groups does the user belong
to? Which PI identities do those groups map to? Users that belong to more than one AD
group get the cumulative access permissions for all the associated PI identities. For example,
in the following illustration, the Windows user, Bob, belongs to both AD groups. Bob
therefore gets the permissions configured for PI Identity1 and the permissions for PI
18
Recommended Configuration
Identity2.
Similarly, users get the cumulative access permissions for all parent AD groups (for nested
AD groups). For example, in the following illustration, Windows user, Bob, belongs to
ADGroup2. Since ADGroup2 is nested inside ADGroup1, the users in ADGroup2 get all
the access permissions of ADGroup1, as well as those of ADGroup2.
19
Note: Though you can map individual AD users to PI identities, it is not a recommended
practice. Mappings based on AD users will prevent you from managing your
Historian Server security access by manipulating group memberships.
7. In the Properties dialog box, click the Mappings and Trusts tab. The top portion of the
dialog box shows all existing mappings for this PI identity. The bottom portion shows all
existing Trusts for this PI identity.
8. Click the Add button under the mappings portion of the dialog box. (There is also an
Add button under the trusts portion, so be sure to click the right button.) The Add New
Mapping dialog box opens.
Note: The Add button is disabled if the selected PI identity is flagged as disabled or
not usable in a mapping.
9. Enter the Windows account. This can be an AD principal or a local Windows group or
user. To select the account either:
20
Recommended Configuration
SID: S-1-5-21-nnnnnnnnnn--nnnn
Note: For local Windows users or groups, you can use only the fully-qualified account
name (computer_name\principal_name) or SID formats.
To find the security identifier (SID) or to check the validity of a domain principal, you can
use the psgetsid utility. This utility is part of a set of command-line tools called PsTools, that
are available on the Microsoft TechNet Web site. If you run the utility from the Historian
Server, the SID that psgetsid returns is guaranteed to be valid for the mapping.
For example, after installing psgetsid, you could type the following from a command window
on the Historian Server:
psgetsid.exe domain\somegroup
21
The Historian Server stores the settings for each object in an access control list (ACL). Each
secure object on the Historian Server has an ACL that defines access permissions for that
object. (Points have two ACLs: one for the point data and one for the point configuration.)
The ACL contains an entry for each identity (or user or group) for which access permissions
are set on that object. The ACL for the TEST_POINT data in the illustration above would
look like this:
Identity1:A(r,w) | Identity2:A(r,w) | Identity3:A(r) |
IdentityN:A(r,w)
Access permissions for each PI identity are separated by the pipe (|) symbol. Each entry is
called an access control entry (ACE) and consists of the PI identity name, then a colon (:)
followed by the access privileges, which are defined in the format: A(r,w). The A in this
notation stands for Allow and "r,w" indicates the allowed access privileges read and write,
in this example.
The possible types of access privileges are read and write. The possible unique privilege
combinations are "r" for read only, "w" for write only, "r,w" for read and write, and ""
(empty) for none.
Note: Unlike Windows, the Historian Server does not allow you to explicitly deny access
privileges.
The PIWorld identity has read-only access to most PI resources. If the PIWorld identity
is not disabled, then all authenticated users get at least PIWorld access.
For new installations, the piadmins group has read/write access to all Historian Server
resources. On Historian Servers that are upgraded from an earlier version, the piadmins
group has no preconfigured access permissions.
The piadmin user is the super-user account. It has guaranteed read/write access to all
Historian Server resources, regardless of security settings.
The Historian Server also includes the Historian Operators, Historian Engineers, and
Historian Supervisors identities. These sample identities have no preconfigured access
permissions, so they do not really do anything. However, you can use them as a starting
point. These sample PI identities are completely configurable and can be deleted.
How to Configure Access Permissions
The basic steps for setting access permissions on new Historian Server installations are as
follows:
22
Set default access permissions for new points and modules. After you do this, all new
points and modules that you create will automatically have these default settings. See Set
Default Access for New Points and Modules (page 23).
Recommended Configuration
Set top-level access permissions in the SMT Database Security tool. These include
permissions to configure archives, view the audit trail, change tuning parameters, run
backups, and so on. See Set Permissions in the Database Security Tool (page 23).
Configure access permissions for individual points and modules by editing the objects
themselves. The Historian Server installation includes tools for doing this. See Set
Permissions on Specific Points and Modules (page 23).
Default access permissions for all new points (both point data and point configuration)
match the access permissions for the point database (PIPOINT). You can set permissions
for PIPOINT in the Database Security tool.
Similarly, default access permissions for root modules match the access permissions for
the module database (PIModules). You can set permissions for PIModules in the
Database Security tool. New modules below the root level inherit from their parent.
23
To Control
Access on:
Use:
Point
Point Builder (SMT tool), Tag Configurator (access from the SMT Tools
menu)
Module
PIUnit
Administrative
tasks
For information about what access privileges are necessary for specific tasks, see Task-Based
Access Permissions Reference (page 67).
Permissions for Typical Administrative Tasks
The following table lists some basic Historian Server administration tasks and tells you which
tables in the Database Security tool control access to that task.
Administration Task
Managing archives
Managing backups
PIBACKUP
PIUSER
Manage mappings
PIMAPPING
Managing trusts
PITRUST
Managing auditing
PIAUDIT
Creating/deleting points
PIPOINT
Creating/deleting modules
PIModules
PIDBSEC
PITUNING
PIMSGSS
Managing Historian
Collectives
PIReplication, PIBACKUP
For a more complete list, see Task-Based Access Permissions Reference (page 67).
24
Use Local Windows Security: You can use local Windows security for authentication,
rather than AD. There are two disadvantages to this:
Local Windows security uses NTLM for authentication, which is not as secure as
Kerberos (AD uses Kerberos).
Extra configuration is required. The Windows user accounts on the Historian Server
must exactly match the accounts on each client workstation. If you have a lot of
client workstations with a lot of users, then Windows authentication might not be a
good choice for you.
However, authenticating through local Windows security is still far more secure than
authenticating through Trusts or PI user accounts. See Use Local Windows Security (page
25).
Use a Combination of Local Windows Security and AD: If you want to use AD for
authentication but are not able to configure AD groups to meet your needs, then consider
this workaround. You can use local Windows groups to organize AD users. Then map the
local groups to your PI identities. See Use Local Windows Security with AD (page 28).
Use Historian Password Authentication: If you cannot use local Windows security or
AD for authentication, only two authentication methods are available: Historian Server
user accounts/passwords and Trusts. Typically you configure user authentication through
PI user accounts. Use PI groups to group the users so that you do not need to define
access permissions for each individual user. See Use PI Users and Groups (page 28).
25
5. Grant Historian access permissions. Give your PI identities access to the necessary
Historian Server resources. The access permissions specify what tasks each PI identity is
allowed to do on the Historian Server. See Configure Access Permissions (page 21).
6. Configure access for client applications. Client applications typically connect to the
Historian Server using PI SDK. You need SDK 1.3.6 or later to use Windows
authentication. Certain Historian client applications require a connection to a separate
application server in addition to a Historian Server (for example, Historian DLES and
Historian WebParts). These types of applications require additional configuration steps.
See How Will FactoryTalk Historian 3.0 Affect My Clients and Interfaces? (page 61) for
more information.
7. Configure access for interfaces. You need to set up trusts for the interfaces that will
connect to the Historian Server. Each trust is based on a PI identity. See Configure
Historian Interface Connections (page 30).
There are a number of things you can do to provide extra security for your Historian Server.
See Tightening Security (page 53) for suggestions and instructions.
Configure Windows Groups
To use Windows groups for Historian Server authentication:
1. Configure user accounts on client and server workstations. In order to use Windows users
and groups, the Windows user accounts on the Historian Server must exactly match the
accounts on each client workstation. The account names and passwords must be identical.
2. Configure Windows groups and PI identities so that you have a 1:1 relationship between
them. Follow these guidelines:
3. Review your Windows groups to ensure that all Windows users can get the appropriate
Historian Server permissions (Managing User Access Permissions with Windows Groups
(page 26)).
Managing User Access Permissions with Windows Groups
The access permissions for each Windows user are determined by the PI identities that user is
associated with. Each Windows group is mapped to a PI identity. Windows users that belong
to that Windows group get the access permissions for that PI identity.
26
Windows users that belong to more than one Windows group get the cumulative access
permissions for all the associated PI identities. For example, in the following illustration, the
Windows user, Bob, belongs to both Windows groups. Bob, therefore, gets the permissions
configured for PI Identity1 and PI Identity2.
Look at the access needs for all your Windows users. Which Windows groups do the users
belong to? Which PI identities do those Windows groups map to? Make sure that each
Windows user belongs to the appropriate Windows groups.
Create Mappings
Once you have the necessary PI identities and Windows groups, you need to map each
Windows group to a PI identity. The mapping associates the specified PI identity with the
specified Windows group. Members of that Windows group will be authenticated
automatically on the Historian Server as the specified PI identity.
To map a Windows group to a PI identity:
1. Open SMT.
2. Under Collectives and Servers, select the server.
3. Under System Management Tools, select Security > Identities, Users, & Groups.
4. Select the PI Identities tab. (If you do not see the PI Identities tab, verify that you are
connected to a FactoryTalk Historian 3.0 or later. This tab does not appear in SMT with
earlier versions of the Historian Server.)
5. Double-click the identity to open the Properties dialog box.
6. Click the Mappings and Trusts tab. The top portion of the dialog box shows all existing
mappings for this PI identity. The bottom portion shows all existing Trusts for this PI
identity.
27
7. Click the Add button under the mappings portion of the dialog box to open the Add New
Mapping dialog box. (There is also an Add button under the trusts portion, so be sure to
click the right button.)
Note: The Add button is disabled if the selected PI identity is flagged as disabled or
not usable in a mapping.
8. In Windows Account, enter the Windows group. To select the account either:
9. Enter a description of the mapping (optional). There are no restrictions on the contents of
this field.
10. Click OK. The new mapping appears under Mappings.
28
3. Grant Historian access permissions. Give each PI groups access to the necessary
Historian Server resources. The access permissions specify what tasks each PI group can
do on the Historian Server. See Configure Access Permissions (page 21).
4. Create Historian Server user accounts. Each user who needs access to the Historian
Server should have an associated account. See Create a New PI User (page 29). If you
allow multiple users to share a single Historian Server account, then you will not have
any way to know who made what changes on the Historian Server.
5. Configure group memberships. Add each PI user to the appropriate PI group or groups.
6. Configure access for interfaces. Set up trusts for the interfaces that will connect to the
Historian Server. Each trust is based on a PI user, a PI group, or a PI identity. See
Configure Historian Interface Connections (page 30).
7. Upgrade administrative client applications. If you have existing client computers that
will connect to this Historian Server, upgrade any applications that configure access
permissions (Administrative Client Applications (page 62)).
Create a New PI User
To create a new PI user:
1. Under Collectives and Servers, select a server.
2. Under System Management Tools, select Security > Identities, Users, & Groups.
3. Select the PI Users tab.
4. Click the New button
5. In Username, type the a name of the new PI user. This field is required. Note the
following restrictions:
Note that you can change a PI user name any time after creation.
6. Select the appropriate server from the drop-down Server list. This list shows the servers
selected under Collectives and Servers.
7. Optionally, enter a brief description in Description. There are no restrictions on the
contents of this field.
8. In Password, enter a password for the PI user.
Click Create. The new PI user now appears in the PI Users tab.
Create a PI Group
To create a new PI group:
Configuring FactoryTalk Historian SE Security
29
5. In Group, type the name for the new PI group. This field is required. Note the following
restrictions on group names:
Names must be unique. They cannot match the name of an existing PI user, PI group,
or PI identity.
Names cannot include the vertical pipe (|) character or the colon (:) character.
Names cannot be a positive integer, although they can contain numbers. For example,
the name 329 is not valid, but the name Admins329 is valid.
Names are not case sensitive.
Note that you can change a PI group name any time after creation.
6. In Server, select the appropriate server. This list shows the servers selected under
Collectives and Servers.
7. In Description, enter a brief description, if desired. There are no restrictions on the
contents of this field.
8. Click Create to create the new PI group.
The correct application name to use when defining the trust (The Application Name
(page 32))
IP information for the connecting computer (IP Information (page 33))
For SDK connections only, you have the option to specify Windows account
information, but this is not recommended (Windows Account Information (page 33))
3. Decide how many Trusts you will create. You can create explicit individual trusts for
each Historian interface or you can group them according to subnet, host machine, or
username. A group of Historian Interfaces can share the same privileges.
4. For each Trust, create a PI identity. See How to Create a PI Identity (page 17).
5. Give that PI identity all the access permissions required by the Trust. See Product Access
Permissions Reference and Configuration Issues (page 71) as well as the documentation
for the interface.
30
6. Create a trust based on that PI identity. See How to Create a Trust (page 31).
About Trusts
Trusts allow applications to access the Historian Server without explicitly logging onto
Windows (or onto the Historian Server). Typically, you use trusts for Historian Interfaces,
which run unattended.
Each Trust is defined against a PI identity, a PI group, or a PI user. The trust gives the
interface the same access permissions as the associated identity, group, or user. Trust
authentication works by comparing the connection credentials of the connecting application
to the trust records in the trust database. Human intervention is not required at the time of
connection.
5. Select the Historian Server name and type in a name for the trust (and, optionally, a
description). Click Next.
6. Select the type of trust to add:
Historian-API application (this is the right choice for most Historian Interfaces)
Historian-SDK application on a Windows NT based OS
7. Click Next. The next screens allow you to define optional information for the Trust. If
you leave a field blank, then that information is not checked for the trust authentication.
When you fill in fields, then only applications with matching information can
authenticate against this Trust.
Application Name: This is slightly different for API and SDK connections.
SDK: This is the full name of the connecting application, including the extension,
but not the path (for example: PI-ICU.exe).
Network Path: Fully-qualified domain name of the interface node (for example
my_laptop.my_company.com).
IP Address: The IP address of the interface node.
Net Mask: The net mask for the interface node (for example, 255.255.255.255).
For SDK connections only, you also have the following optional fields:
31
Windows Domain: the Windows domain of the user who runs the application
(for example: osi).
Windows Account: the Windows user name of the user who runs the application
(for example: my_account).
8. Select the PI identity that you want to use for this trust. Applications authenticated
through this trust will have all the access permissions granted to this PI identity.
Alternatively, you can select a PI group or a PI user for this step.
Connection Types
When you configure a Trust, you need to know the type of connection the trust will be used
for. There are two different Historian Server connection types. Each Historian interface and
client application is configured to use one or the other. (There are also a few interfaces that
use both.) The two mechanisms are:
PI API Connection: Most Historian Interfaces use the PI API to connect to the Historian
Server. PI API does not support Windows authentication. Trusts are the standard way to
authenticate PI API connections.
PI SDK Connection: Most client applications use the PI SDK to connect to the Historian
Server. PI SDK versions 1.3.6 and later support Windows authentication, so use
Windows authentication for these connections if possible. Windows authentication is the
most secure authentication method available for the Historian Server.
Note: In previous releases of the Historian Server, PI API connections that failed would
typically still get world access to Historian Server resources. In FactoryTalk
Historian 3.0 and later, this loophole is closed. See Check for Unauthenticated API
Connections (page 62) for more information.
Applications that connect through the API send an identifier called an application process
name, or procname. This is a four-character string with an E appended. For example, the
procname for the Perfmon interface is: PIPeE
Note: PI API versions before 1.6.0 always send a five-character string: 4 characters
plus a capital E. For PI API versions 1.6.0 and later, up to 8 characters may
be specified as the procname, if configured to do so (in this case, there is no
longer an E appended to the procname).
32
For applications that connect through the SDK, use the full name of the connecting
application, including the extension, but not the path. For example, the application name
for ICU is: PI-ICU.exe
If you are running the same Historian interface on another Historian Server, then you can use
SMT to determine the correct application name. Select Operation > Network Manager
Statistics. Find the interface in the list. The application name is listed under Name.
IP Information
A Trust can specify IP information about the computer running the Historian interface or
client application for which you are defining the trust. To collect this information, you can
run pidiag -host on the computer where the interface or client application runs. This
returns the connection credentials as retrieved from the local operating system.
Note: Using pidiag -host is helpful, but it is not a guarantee of getting the right
information, depending on many factors, including the type of interface, the
version of the SDK (if SDK-based), and whether there are firewalls / NAT devices
in between the interface computer and the Historian Server computer. If you have
difficulty configuring the trust, contact Rockwell Automation Technical Support.
Network Path. The fully-qualified domain name. For PI API, this should match what the
Historian Server thinks based on a reverse-name lookup using the interface's IP address.
For PI SDK (1.3.6.x and later), this should match what the client thinks, based on the
Windows configuration (you can use pidiag host on the client to see this
information). For example, my_laptop.my_company.com
IP Address.
Netmask. If you specify an IP address, you must also explicitly provide a netmask value.
Failure to do so will generate an error. If you require an exact match on an IP address,
specify the netmask as 255.255.255.255. If you specify a class C subnet, specify the
netmask as 255.255.255.0 and the fourth field of the IP address as 0.
Note: When applications run on machines with multiple network cards, you cannot
predict which credentials the application will send to the Historian Server for the
trust authorization. Rockwell Automation thus recommends that you either avoid
such configurations, or create a Trust for every IP address on the machine where
the application runs.
Windows Domain: the Windows domain of the user who runs the application.
Windows Account: the Windows user name of the user who runs the application.
33
Chapter 3
Windows Authentication. Previous versions of the Historian Server had two methods of
authentication: Trusts and Historian password authentication (typing in PI user name and
password). FactoryTalk Historian 3.0 adds a third method: Windows authentication. This
method is more secure than the other two and is now the recommended method for
authenticating users.
PI Identities. The old model had only PI users and PI groups. This model was based on
the necessity for managing user accounts on the Historian Server. The new model
provides PI identities. The PI identity is essentially an abstraction layer. It allows you to
map Windows groups or users to categories of access on the Historian Server.
Mappings. Mappings are the mechanism for associating Windows users or groups with
PI identities. You can also create mappings to existing PI users and PI groups.
New Version of SMT. SMT has changed to support the new security model. A new
Backup tool is included, as well as a Security Settings tool and a Firewall tool. See New
in SMT (page 99) for more.
Note: Previous versions of the Historian Server had a built-in PI user and a built-in PI
group that were both named piadmin. The name of the PI group called piadmin
has been changed to piadmins (plural) for consistency. Similarly, previous
versions of the Historian Server had a built-in PI user and a built-in PI group that
were both named piuser.
35
Improves Security. You can now use Windows authentication to control user access to
the Historian Server. Historian password authentication (typing in a PI user name and
password) are nowhere near as secure as Windows authentication. If you configure your
Historian Server for Windows authentication, you will greatly improve security.
Windows AD is preferable because it uses the more secure Kerberos protocol. However,
you can use local Windows authentication if necessary.
Simplifies Server Administration. If you use Windows for authentication, then you do
not need to manage individual PI users or PI groups. You can simplify your Historian
Server configuration by maintaining a much smaller set of PI identities. Each PI identity
should define a unique set of access permissions on the Historian Server. Both the audit
trail and last change information preserve the Windows user ID, so you can keep a record
of who is doing what on the Historian Server.
Provides Single Sign-on. If you use Windows for authentication, your users no longer
need to separately log onto the Historian Server.
36
Option 1: Migrate over time. If you choose this option, you immediately switch to
Windows authentication, but you continue to use some components of your existing
configuration. You can replace these components over time. See Migrate Over Time
(page 38) for instructions. This is the recommended path for most Historian Server
installations.
Option 2: Quick-start migration. If your existing configuration is very simple (you use
only a handful of PI users and PI groups) then you can start with a quick upgrade
configuration. You can keep this configuration indefinitely, or you can use it as a starting
point for a slow migration to the new model. See Quick-Start Security Migration (page
37) for instructions.
Option 3: Implement from scratch. You can implement an entirely new security
configuration to take advantage of the new security model. The disadvantage is that this
could be disruptive to existing users. See Implement a New Configuration (page 46) for
instructions.
Option 4: Keep existing configuration. You have the option to continue to use your
existing security configuration for as long as you choose. See Keep Existing
Configuration (page 46) for tips and concerns.
The biggest security hole in this quick-start plan is that pidemo and piadmin are still
accessible through PI user passwords. PI user passwords are not especially secure. To fix,
disable explicit logins (typing in a PI user name and password) for the pidemo and
piadmin accounts. Then the Historian Server disallows user-name and password access
for those accounts and only provides access through the mappings you created or through
Trusts. See Disable Explicit Logins for Individual User Accounts (page 56) for
instructions.
Review the follow-up steps, which include upgrading the SDK on client workstations,
upgrading administrative applications, and so on. You can choose if and when to
complete each step. See Follow-up Steps (page 45).
37
Initial Configuration Steps: Perform these basic steps to set up a Historian Server
security configuration that uses Windows authentication. See Initial Configuration Steps
(page 38).
Follow-up Steps: Perform these follow-up steps over time. See Follow-up Steps (page
45).
If your existing configuration relies on very few PI users or PI groups, the Quick-Start
Security Migration (page 37) might work better for you.
Initial Configuration Steps
When you migrate your Historian Server to the new security model, you need to create an
initial configuration that authenticates Windows users and grants them the appropriate access
permissions on the Historian Server. You can use components of your existing configuration,
which you can replace over time.
To create an initial configuration:
1. Review Existing Access Permissions. Export the access permissions for all existing
points and modules and for all the entries in the SMT Database Security tool. See Review
Access Permissions (page 38).
2. Create a List of Unique Access Strings. You will use this list to determine the needed
sets of access permissions. See Create List of Access Strings (page 39).
3. Create a Configuration Plan. Identify which PI groups you will keep and which are
redundant. If you have any sets of access permissions that are not covered by existing PI
groups, determine how you will fill those gaps. See Create a Configuration Plan (page
41).
4. Create New Identities to Fill Gaps. If you decided to create new PI identities to fill
configuration gaps, create them now. See Create PI Identities to Fill Gaps (page 43).
5. Review AD Groups. Determine how your AD groups correspond with your
configuration plan. You might need to create new AD groups or adjust group
membership. See Review AD Groups (page 43).
6. Create the Mappings. Set up mappings between AD groups and PI groups and
identities. See Create Mappings (page 44).
7. Verify Initial Configuration. Check your new security configuration to make sure that
everyone is getting the correct level of access. See Verify Initial Configuration (page 44).
Step 1. Review Access Permissions
When you move to the new security model, typically the goal is to preserve the access
permissions for your existing users. To do that, you first need to identify the existing access
permissions. You need to look at the permissions for all the modules and points (data and
configuration access), as well as for all items listed in the Database Security tool in SMT.
38
Note: If you do not need to preserve existing access permissions, then you can
implement a new security configuration instead (Configuring Security on a New
Historian Server Installation (page 11)).
When you export the existing data access permissions, each object will have an associated
access control list (ACL). This is different from the old owner/group model. For example, in
earlier versions of the Historian Server, the access permissions for the sinusoid point might
look like this:
Tag
dataaccess
datagroup
dataowner
sinusoid
pi_users
bob
When you upgrade the Historian Server, those access permissions are converted to the new
model and would look like this:
Tag
datasecurity
sinusoid
See About Access Permissions on the Historian Server (page 21) for more information on the
ACL.
CREATE AN ACCESS PERMISSIONS SPREADSHEET
To create a spreadsheet that contains all the existing access permissions on your Historian
Server, create the following three separate spreadsheets and merge them together:
Point Data and Point Configuration: Use Tag Configurator to import all your point
security information into an Excel spreadsheet. Do this for all point classes. Which
attributes you need to import depends on which version of the Historian Server you are
using.
For FactoryTalk Historian 3.0 and later, import the ptsecurity and datasecurity
attributes (these attributes are new in FactoryTalk Historian 3.0).
On earlier versions of the Historian Server import the dataowner, datagroup,
ptowner, ptgroup, dataaccess, and ptaccess attributes.
Modules: Use Module Database Builder to export all module security information into a
spreadsheet.
Database Security: Open the Database Security tool in SMT. Click the Export To File
button to export the list into a .csv file. Open that file in Excel.
39
point
dataaccess
datagroup
dataowner
tag1
pi_ops
bob
tag2
pi_ops
bob
tag3
pi_ops
bob
tag4
pi_eng
nancy
tag5
pi_ops
bob
The following table shows what the same access permissions look like after upgrading to
Historian Server version 3.0.
40
point
datasecurity
tag1
tag2
tag3
tag4
tag5
What we want to do is collapse these access permissions into a set of unique access strings. It
does not matter whether we use the owner/group/word notation or the ACL strings. We will
use ACLs for the rest of this example.
datasecurity
In this manner, reduce all your access permissions to a set of unique access strings. The next
step is to determine what PI groups you need, based on this list.
Step 3. Create a Configuration Plan
We want to identify the smallest set of existing PI groups that can define our existing access
permissions. Ideally we want to retire all PI user accounts. To see how this works, look at the
list of unique access strings we identified in the previous example:
41
Points
datasecurity
tag4
We need to distill our list down into the smallest number of access permission sets and we
need to keep track of who currently has that level of access. Another way to look at our
current access permissions is as follows:
Who?
What Access?
bob
pi_eng
nancy
pi_ops
PIWorld
If we are not going to disable PIWorld, then the pi_ops access permissions are not
needed. For the purposes of this example, assume we will continue to rely on PIWorld.
The PI user nancy and the PI group pi_eng have identical access permissions. Since
these access permissions are already defined for pi_eng, we will leave this PI group in
place. We need to create a mapping between pi_eng and a Windows group that contains
the following users:
Windows users represented by the PI user members of pi_eng
Windows user represented by the PI user nancy
We can retire the PI user called nancy.
42
The PI user bob has unique access permissions. We have two choices:
We can keep the PI user bob and create a mapping between the corresponding
Windows user and PI user bob. This gives us Windows authentication, which is
much more secure than PI user accounts. We can continue to use the access
permissions defined for bob.
Another solution would be to create a new PI identity, grant it the same access
permissions as bob then map a Windows group containing the corresponding
Windows user to this new PI identity.
We choose to continue using bob for now, but we plan to create a new PI identity and
retire the PI user bob in the future.
Type:
Mapping:
pi_eng
PI group
bob
PI user
PIWorld
PI identity
The next step is to create the required mappings and then disable the PI group pi_ops and the
PI user nancy.
Step 4. Create PI Identities to Fill Gaps
Some of your old PI users might have access permissions that do not match the access
permissions of any of your PI groups. Ideally you should create a PI identity for each set of
access permissions that you need. You then need to set the access permissions for each new
PI identity. See Create PI Identities (page 16).
If you decide to keep PI user and PI groups for some period of time, you should at least create
mappings for them. Windows authentication is much more secure than Historian password
authentication.
Step 5. Review AD Groups
Ideally, you want one AD group for each PI group and PI identity on your Historian Server.
When you determined the needed sets of access permissions, you also compiled a list of PI
users and PI groups that required those access permissions.
Hopefully, your AD configuration includes groups that somewhat match these required sets
of access permissions. If not, work with your domain administrator to create or reconfigure
AD groups for the Historian Server. You need an AD group for each set of access
permissions.
Configuring FactoryTalk Historian SE Security
43
Each set of access permissions are associated with a PI identity, PI group, or PI user on the
server. The ideal configuration is a one-to-one mapping between an AD group and a PI
identity or a PI group.
The goal is for all of your users to get the same access permissions that they had before the
upgrade. In most cases this should not be difficult. However, if you have a large number of
users with different access permissions, then you are probably going to have some gaps on
your first pass.
During this configuration period, you can rely on the access permissions for piadmin and the
built-in PIWorld identity. You can create a mapping between an AD group representing your
administrators and the PI user piadmin. All authenticated users get the access permissions
defined for PIWorld. By default, PIWorld has read-only access to most Historian Server
resources.
Note: If your domain administrator is unwilling to reconfigure AD, you can nest existing
AD groups inside local Windows groups. See Use Local Windows Security with
AD (page 28).
See Specifying AD Users and Groups (page 20) for more information.
Step 7. Verify Initial Configuration
After you complete your initial Historian Server security configuration, deploy to a small
number of test clients. Verify that the connections are working. Exercise all the mappings
from this small set of clients and verify with test applications that you get proper
authentication and proper access permissions through your mappings.
44
Follow-up Steps
After you have an initial Historian Server configuration, you can continue to transition to the
new model over time. This section discusses some measures that you should take.
Configure Application Server Clients. If you are using applications where the client is
accessing the Historian Server through an application server, then you might need to take
additional steps to complete your security configuration. See Products that Connect to an
Application Server (page 62) for more information.
Disable Explicit Logins. Explicit logins are logins in which the user actually types in a
PI user name and passwords (also called Historian password authentication). This is the
least secure Historian Server authentication method and it is best to disable it entirely or
at least partially. See Disable Historian Password Authentication (Explicit Logins) (page
54) for more information.
Note: Remember that Windows authentication requires SDK 1.3.6 or later. If you are
replacing explicit logins with Windows authentication, then be sure to upgrade
the SDK on all client workstations before you disable explicit logins.
Replace SDK Trusts. After you upgrade SDK on your client workstations, replace PI
SDK trusts with PI mappings. Windows authentication is more secure than authentication
through Trusts. In most cases, the Historian Server will no longer use existing trusts
anyway (see Retire SDK Trusts (page 56)).
Retire PI Users and PI Groups. This is a cleanup step. PI users and PI groups still
work. However, they imply management of users and groups on the Historian Server
itself. This could cause confusion over time. (A handful of built-in PI users and PI groups
will remain (piadmin and piadmins for example) but these have well-defined roles on
the Historian Server). Additionally, PI users have associated passwords that are not
secure. Ideally, you should plan to replace your PI users and PI groups with descriptivelynamed PI identities.
45
Protect the piadmin account with a password. The piadmin PI user is the Historian
Server super-user account. This powerful account should be protected and should not be
used regularly. If you have not already done this, be sure to at least protect piadmin with
a password. See Protect piadmin (page 53) for more information on protecting piadmin.
Require passwords for all PI Users. Do not allow blank passwords. Disable logins for
accounts with blank passwords. See Disable Explicit Logins with Blank Passwords (page
55).
Plan to migrate to the new security model. You can do this gradually over time. See Migrate
Over Time (page 38). Even before you begin configuration on the Historian Server, you can
gradually perform many of the steps listed in Follow-up Steps (page 45).
46
Chapter 4
You do not have access to AD and must configure authentication through local Windows
security on the primary and secondary servers.
Custom configuration in collective servers can affect FactoryTalk Historian applications and
users when accessing Historian Server information. If the same mappings are not available on
all collective members, applications might fail to connect or might receive different
permissions on failovers. Rockwell Automation recommends avoiding custom configurations
whenever possible. Custom configurations are more complex. To set up and maintain a
custom configuration, you must consider who needs access to each collective member, and
who will need to fail over. Consult Rockwell Automation Technical Support if you need help.
Configuring FactoryTalk Historian SE Security
47
48
button.
6. In Value, type:
1
7. Click OK.
8. Restart the servers Historian Base Subsystem.
Note: Collectives do no replicate this setting (like any tuning parameter).
49
The following table lists all attributes in the PIIDENTMAP table. You can specify any of
these attributes when you create a mapping.
50
Attribute
Description
IdentMap
The name of the PI mapping. This must be unique, but is not case-sensitive.
This field is required to create a new mapping.
Desc
Optional text describing the mapping. There are no restrictions on the contents
of this field.
Flags
Bit flags that specify optional behavior for the mapping. There are two options:
0x01 = Mapping is inactive and will not be used during authentication.
0x00 = (Default value). Mapping is active and will be used during authentication
after initial setup.
IdentMapID
PIIdent
Name of the PI identity to which the security principal specified by Principal will
be mapped. The contents of this field must match Ident in an existing entry in
the PIIDENT table. The target identity must not be flagged as Disabled or
MappingDisabled. Multiple IdentMap entries can map to the same PIIdent
entry. This field is required to create a new identity mapping
Attribute
Description
Principal
The name of the security principal (domain user or group) that is to be mapped
to the identity named in PIIdent. This field is required to create a new identity
mapping. For principals defined in an Active Directory domain, the format of
input to this field can be any of the following:
Fully qualified account name (my_domain\principal_name)
Fully qualified DNS name (my_domain.com\principal_name)
User principal name (UPN) (principal_name@my_domain.com)
SID (S-1-5-21-nnnnnnnnnn--nnnn)
For security principals defined as local users or groups, only the fully qualified
account name (computer_name\principal_name) or SID formats may be used.
Output from piconfig for this field will always be in SID format, regardless of
which input format was used.
PrincipalDisp
User-friendly rendering of the principal specified by Principal. This is an outputonly field. The principal name will be displayed in the fully-qualified account
name format.
Type
This is a reserved field indicating the type of the mapping. In this release, this
attribute is always set to 1.
51
Chapter 5
Tightening Security
This section discusses how you can improve the security on your Historian Server.
Protect piadmin
The piadmin PI user is the Historian Server super-user account. Take the following basic
measures to protect this powerful account:
Disable explicit logins for the piadmin account (Disable Explicit Logins for piadmin
(page 53)). Explicit logins (also called password authentication) on the Historian Server
are not nearly as secure as Windows authentication or Trusts. Instead, control access to
this account through Windows authentication.
If you cannot disable explicit logins for the piadmin account, then at least make sure that
the piadmin account does not have a blank password. New Historian Server installations
require a password for piadmin. While this is not mandatory for upgrades, it is strongly
recommended.
Note: Do not use piadmin for normal administrative tasks. See The piadmin User (page
8) for more information.
53
Tightening Security
Disable All Explicit Logins (page 54). This is the most secure option, but if your current
configuration requires users to log into PI user accounts, then you are not ready for this
move.
Disable Explicit Logins with Blank Passwords (page 55). If it is not possible for you to
disable explicit logins, then you should disable explicit logins for all PI users with a blank
password. Before doing so, give your users an opportunity to create passwords for their
PI user accounts.
Disable Explicit Logins for Individual User Accounts (page 56). As you begin to
configure Windows authentication for your users, you can disable explicit logins for
these accounts.
54
4. Click Save.
5. Stop and restart Historian Base Subsystem:
a. Under System Management Tools, select Operation > PI Services.
b. Right-click the PI Base Subsystem entry and choose Stop Service.
6. After the subsystem stops, right-click on the PI Base Subsystem entry again and choose
Start Service.
4. Click Save.
5. Stop and restart Historian Base Subsystem:
a. Under System Management Tools, select Operation > PI Services.
b. Right-click the PI Base Subsystem entry and choose Stop Service.
55
Tightening Security
c. After the subsystem stops, right-click the PI Base Subsystem entry again and choose
Start Service.
56
Though more secure than explicit logins, Trusts are not as secure as Windows
authentication.
If you create a trust, application users might still be authenticated through Windows and
not the trust (When Both a Mapping and a Trust Apply (page 57)). This means that their
access permissions will be dictated through Windows, rather than the trust.
After you replace your SDK trusts by Windows authentication, you can further secure the
Historian Server by disabling SDK trusts altogether.
Windows Security. If a valid PI mapping exists for the Windows user (or for any group
to which the user belongs) then the user is authenticated as the PI identity, PI user, or PI
group defined for that mapping.
Trust. If the connection request matches an existing Trust, then the user is authenticated
as the PI identity, PI user, or PI group defined for that trust.
The first method that succeeds defines the access permissions granted to the connecting
application. Once one authentication method succeeds, no other methods are tried. By default
the SDK (1.3.6 and later) tries to authenticate first through Windows.
You can configure which methods the SDK tries first. To do this from SMT:
1. Select File > Connections to open Connection Manager.
2. Select Tools > Options to open the Connection Option dialog box.
3. Under Specify Authentication Procedure, specify which protocols to allow and in
which order to try them in Protocol order.
Note: You can also access Connection Manager from the About PI-SDK application.
Select File > Connections.
57
Tightening Security
4. Click Save.
5. Stop and restart Historian Base Subsystem:
a. Under System Management Tools, select Operation > PI Services.
b. Right-click the PI Base Subsystem entry and choose Stop Service.
c. After the subsystem stops, right-click the PI Base Subsystem entry again and choose
Start Service.
58
Disable PIWorld
Disable PIWorld
You can disable the PIWorld identity. This improves your control over access to the
Historian Server. All users get only the access that is explicitly configured for them and no
more. The decision to disable PIWorld should not be taken lightly.
For Historian Server upgrades, or for new installations that are part of an existing
configuration of Historian Interfaces and client applications, disabling PIWorld is a
dangerous measure that could unintentionally lock down areas of access. It is very
difficult to determine in advance which users or applications are relying on PIWorld
access. If you need to disable PIWorld in these situations, consult technical support to
help you form a plan.
59
Chapter 6
Products That Connect Through a Trust (page 61) (most will work fine; some custom
applications might need reconfiguring)
Unless a client meets one of the above criteria, it should work with the FactoryTalk Historian
3.0 without any extra configuration. If you want to use new Historian Server security
features, you need to:
Upgrade the PI SDK to version 1.3.6 or later. Nearly all functionality for the new
Windows security on the client side resides within the PI SDK.
Upgrade Administrative Client Applications (page 62) (applications that can set access
permissions)
Note: PI API does not support Windows authentication. API-based applications can
authenticate only through a Trust or explicit login. Most interfaces are HistorianAPI-based.
Read access to PIPOINT in the Database Security tool, unless the interface supports point
creation, in which case it needs read/write access
61
Note: In previous versions of the Historian Server, you could not define a Trust against a
PI group. This restriction no longer applies. For FactoryTalk Historian 3.0 and
later, you can define a Trust against a PI identity, a PI user, or a PI group.
If you are implementing a new FactoryTalk Historian System using FactoryTalk Historian
3.0, we recommend that you follow the instructions in Configure Historian Interface
Connections (page 30).
Message ID = 7054, which contains text "No trust established for: <identifyingString>.
Explicit login is required for access "
Message ID = 7140, which contains text "Timeout expired for unauthenticated API
Connection"
You can filter these unique message IDs in the SMT Message Logs tool.
to FactoryTalk Historian 3.0, your existing access permissions are converted to the new
model. New versions of most administrative tools can display access permissions for either
the old or the new model, depending on the version of the connected Historian Server.
Older versions of administrative applications cannot interpret new-model access permissions
unless the access permissions are compatible with the old model. The display of
incompatible access permissions depends on the specific client tool. Typically the tool will
show:
owner: PIUserIncompatible
group: PIGroupIncompatible
SMT version 3.3.1.3 or later (includes Point Builder, Module Database tool, and
Database Security tool)
PIWorld identity
If any of these conditions is not met, then the Historian Server cannot determine an owner
and group. It will use the PIUserIncompatible and PIGroupIncompatible identities for the
owner and group. Older versions of client tools will try to display an owner and group even
when connected to new-model servers. If the access permissions are incompatible, then these
tools will display the PIUserIncompatible and PIGroupIncompatible identity names.
63
64
Chapter 7
The Historian Server and AF Server must either be in the same domain, in trusted
domains, or in a trusted forest.
Use Windows authentication on the Historian Server for all MDB access. All the PI
identities, users, and groups that have access to Modules must have explicit mappings.
Furthermore, the Windows accounts from these mappings must be used directly in the AF
permissions.
For example, suppose the Windows user Bob belongs to a group BobGroup, and
BobGroup is mapped to a PI identity called ModuleAccessIdentity. ModuleAccessIdentity
has access to a Module on the Historian Server. When modifying the security of the
corresponding Element in AF, you should use BobGroup not Bob itself because
BobGroup is the Windows account specified in the mapping.
Do not delete mappings that are needed by module security. If you delete a Mapping that
is needed by a module, then the access permissions for AF and MDB will no longer be
synchronized, and you will not be able to edit the security of the affected Module.
Make sure that no users rely on PIWorld for MDB access. PIWorld cannot be mapped,
and access permissions defined for PIWorld are not reflected to AF.
Make sure that no users rely on piadmin for MDB access. The piadmin PI user has
unrestricted read and write access to everything on the Historian Server. Thus, Rockwell
Automation recommends that you do not map piadmin and do not use it for routine
access to the Historian Server. Reserve piadmin exclusively for the very few and rarely
executed administrative tasks that no other PI identity can perform.
65
66
In AF, do not use deny access for any AF Element under the Historian Server element.
AF allows you to explicitly deny access, but the Historian Server does not. If you use
deny on an element in AF, then everyone except piadmin will lose all access to the
corresponding module.
Appendix A
Database Security
permissions
Archives: Backing up
PIBACKUP (r,w)
PIARCADMIN (w)
PIARCDATA (r)
PIARCDATA (w)
Auditing: Enable
PITUNING (r,w)
PIAUDIT (r)
PIBACKUP (r,w)
Other Permissions
PIModules (r)
PIBatch (r,w)
PICampaign (r,w)
PITransferRecords (r,w)
PIBatch (r,w)
PIUnit (r*,w)
PICampaign (r,w)
PIBatch (r,w)
67
68
Task
Database Security
permissions
Other Permissions
PIModules (r)
PIUnit (r1,w)
PIBatch (r)
If contains PIUnitBatches,
also need permissions for
task batch database: View
PIUnitBatch, PISubBatch
PICampaign (r)
If contains PIBatches,
also need permissions for
task batch database: View
PIBatch
PITransferRecords (r)
PIBATCHLEGACY (r,w)
unit (r,w)
PIBATCHLEGACY (r,w)
PIBATCHLEGACY (r)
unit (r,w)
PIBATCHLEGACY (r)
PIDBSEC (r,w)
PIDBSEC (r)
PIDS (r**,w)
PIDS (r**)
PITUNING (r,w)
Firewall: Configure
PITUNING (r,w)
PIREPLICATION (r,w)
PIBACKUP (r,w)
PIHeadingSets (r***,w)
Task
Database Security
permissions
Other Permissions
PIHeadingSets (r***,w)
PIHeadingSets (r***)
PIHeadingSets (r***)
PIUSER (r,w)
PIUSER (r)
PIMAPPING (r,w)
Mappings: View
PIMAPPING (r)
PIMSGSS (w)
PIMSGSS (r)
Modules: Create
PIModules (r,w)
Modules: Delete
PIModules (r,w)
Modules: Edit
PIModules (r)
module (r*,w)
PIModules (r)
PIModules (r)
module (r*,w)
permissions for Task
Point: View attributes
PIModules (r)
module (r*,w)
permissions for Task
Heading Sets: View
heading
Modules: View
PIModules (r)
module (r*)
Points: Create
PIPOINT (r,w)
Points: Delete
PIPOINT (r,w)
PtSecurity (r,w)
PIPOINT (r)
PtSecurity (r,w)
PIPOINT (r)
PtSecurity (r,w)
DataSecurity (w)
PIPOINT (r)
PtSecurity (r)
DataSecurity (r,w)
PIPOINT(r)
PtSecurity (r)
69
Task
Database Security
permissions
Other Permissions
PIPOINT(r)
PtSecurity (r)
DataSecurity (r)
PITRUST (r,w)
Trusts: View
PITRUST (r)
PITUNING (r,w)
PITUNING (r)
module (r) / PIUnit (r) also assumes (r) for all modules along the hierarchy path above it
**
***
70
Appendix B
71
AF 2.x Client
72
Database Security
Permission
Notes
PIDS
PIPOINT
r,w
Point Database
Permission
Notes
PtSecurity
r,w
w: only
necessary for
autocreate
option of
Historian
PointData
Reference
DataSecurity
r,w
w: only if writing
data to
Historian
AF 1.3 Server
AF 1.3 Server
Database Security
Permission
Notes
PIDS
PIModules
r,w
PIPOINT
r,w
Point Database
Permission
Notes
PtSecurity
r,w
DataSecurity
r,w
Module Database
Permission
Notes
Module Security*
r,w
73
AF 1.3 Client
Database Security
Permission
Notes
PIDS
PIModules
PIPOINT
r,w
w: only
necessary for
autocreate
option of
Historian
PointData
Reference
Point Database
Permission
Notes
PtSecurity
r,w
w: only
necessary for
autocreate
option of
Historian
PointData
Reference
DataSecurity
r,w
w: only if writing
to Historian
Module Database
Permission
Notes
Module Security*
74
ACE
ACE
Database Security
Permission
PIModules
r1,w2,3,4
PIPoint
r1,w5
PIDS
PIMSGSS
r1,w2
PIDBSec
r2,3,4,5
Point Database
Permission
PtSecurity
r1,w5
DataSecurity
r1,w2
Module Database
Permission
Module Security*
r1,w2,3,4
Notes
Notes
Notes
In order for ACE Manager to look at ACE configuration, read permission is required for
PIPoint and PIModules, as well as on the Module Database.
ACE schedulers/hosts have two types of connection to the Historian Server: PI SDK and PI
API.
The PI SDK connections need read/write permission to the PIModules containing the ACE
configuration. PI SDK connections also need read permission for all data source points and
digital states.
The PI API connection needs read/write permission for all output points for the ACE
modules. Typically, a Trust has to be setup for the PI API connection while the PI SDK
connection can be mapped to a Windows user. If ACE scheduler/host is running on a
Historian Server, it needs read/write permission to the PIMSGSS to log messages.
3
Users of ACE Manager that configure and manage ACE calculations need read/write
permission to PIModules. Most of the tasks in ACE Manager only require read permission to
the PIPoint table. Item 5 below describes the exception.
4
Users developing ACE calculations using the ACE wizard in a MS Visual Studio
environment need read/write permission to PIModules, and read permission to the data source
tags, including the PIDS table.
ACE wizard includes the option to configure/create tags. To use this option, you need
read/write permission to the PIPoint table and read permission to PIDBSec.
75
Permission
Notes
PIModules
PIPOINT
Point Database
Permission
PtSecurity
DataSecurity
r,w
w: only
necessary for
users that write
data to
Historian
Module Database
Permission
Notes
Module Security*
Notes
76
DataSheet Control
DataSheet Control
Database Security
Permission
Notes
PIUSER
PIBatch
r,w
PIModules
PIPoint
Point Database
Permission
PtSecurity
DataSecurity
r,w
Module Database
Permission
Notes
Module Security*
r,w
w: to create PIBatches,
and to insert
PIUnitBatches into
PIBatches
Notes
77
78
DataSheet Control
Permission
Notes
PIBatch
PIDS
PIModules
PIPOINT
Point Database
Permission
Notes
PtSecurity
DataSecurity
Module Database
Permission
Notes
Module Security*
79
80
Historian Notifications
Historian Notifications
Database Security
Permission
PIDS
r1
PIPOINT
r1,w2
PIMSGSS
r,w2
Point Database
Permission
PtSecurity
r1,w2
DataSecurity
r1,w2
Notes
Notes
Read permission for Historian Notification client (e.g. FactoryTalk Historian System
Explorer) is required to the PIDS and PIPoint tables as well as to the data source tags and
notification history tags.
81
Historian OLEDB
Database Security
Permission
Notes
PIBatch
r,w
PICampaign
r,w
PIDS
r,w
PIHeadingSets
r,w
PIModules
r,w
PIPOINT
r,w
PITransferRecords
r,w
PIUSER
r,w
Point Database
Permission
Notes
PtSecurity
r,w
DataSecurity
r,w
Module Database
Permission
Module Security*
r,w
Notes
82
Permission
Notes
PIBatch
PICampaign
PIDBSEC
PIDS
PIHeadingSets
PIModules
PIPOINT
r,w1
PITransferRecords
PIUSER
Point Database
Permission
PtSecurity
DataSecurity
r,w
Module Database
Permission
Notes
Module Security*
Notes
Write access not required if you have PI SDK 1.4 or later installed
Note: FactoryTalk Historian ProcessBook Displays that contain custom VBA code might
require additional security configuration depending on what PI SDK calls are
invoked.
RtAlerts
Database Security
Permission
PIDS
Notes
83
Database Security
Permission
PIModules
r,w
PIPOINT
Point Database
Permission
PtSecurity
DataSecurity
Module Database
Permission
Module Security*
r,w
Notes
Notes
Notes
84
Permission
Notes
PIBatch
PIDBSEC
PIHeadingSets
PIModules
r,w
PIPOINT
PIUSER
Point Database
Permission
PtSecurity
DataSecurity
r,w
Module Database
Permission
Notes
Module Security*
r,w
r: for FactoryTalk
Historian data Services
ProcessID
w: for an administrator
UserID to make
configuration changes
r: for FactoryTalk
Historian data Services
ProcessID
w: for an administrator
UserID to make
configuration changes
Notes
85
UserID, or user mapping, used when connecting the client machine to the Web server to
ensure that queries for FactoryTalk Historian System data use the identity of the end user
who makes the request.
ProcessID, or process mapping, used in the Web server connection to the Historian
Server to allow the Web server to process all updates to data and configuration on behalf
of all end users.
If you are using Web Services, open IIS Manager and select the Application Pools
node to view the Windows identity that is used. Then, use SMT to inspect the PI
identity to which the Windows identity is mapped.
Both the UserID and the ProcessID need to be valid Active Directory users with at least
one mapping between a PI identity and a Windows identity. Rockwell Automation
recommends that you map the UserID and the ProcessID to two different PI identities,
but this is not mandatory.
Kerberos delegation must be configured between the Web server and Historian Server if
you are using Web Services, or between the SharePoint Server and Historian Server.
The client machine must belong to the same Active Directory forest.
86
Interfaces
Interfaces that Create Points
Database Security
Permission
Notes
PIPOINT
r,w1
Point Database
Permission
Notes
PtSecurity
r,w
DataSecurity
r,w
Interfaces with separate utilities that create points (for example, Historian-Perfmon,
Historian-Ping, SNMP, etc.) and run from SMT only require that you have read access for
PIPOINT.
87
88
Database Security
Source
Historian
Server
Receiving
Historian Server
PIPOINT
Point Database
Source
Historian Tags
Receiving
Historian Tags
PtSecurity
DataSecurity
r,w
Notes
Notes
Interfaces
Permission
PIPOINT
Point Database
Permission
PtSecurity
DataSecurity
r,w
Notes
Notes
89
90
[recommended] Connect to the Historian Server via a Trust set up with a PI identity. This
will allow both the PI SDK and the PI API to connect. With this method you can have
read and write access permissions granted to that PI identity. See How to Create a Trust
(page 31) for more details.
Connect to the Historian Server via Windows Security with a PI identity. Because the PI
API does not support Windows Security, this option only allows the PI SDK to connect;
therefore, the OPC Server will only have read access to the Historian Server.
[recommended] Connect to Historian Server using both a Trust and Windows Security.
Set up a trust for the PI API connection and use Windows Security for the PI SDK
connection. This option is recommended, but slightly more complicated to set up.
Interfaces
APS
Database Security
APS
Configuration
Utility
Sync
Engine
Sync Trigger
PIDS
r,w: for
automatic
set/state
creation
and edits
(for digital
points);
r: for nonautomatic
modes
PIModules
r: to review APS
configuration;
r,w: to change
APS
configuration
r,w
PIPOINT
r,w: for
automatic
point
creation;
r: for nonautomatic
modes
Point Database
APS
Configuration
Utility
Sync
Engine
PtSecurity
r: to display
existing
interface points;
r,w: to
interactively edit
or delete
interface points
r,w: to
automatical
ly edit or
delete
points;
r: for non
automatic
modes
Module Database
APS
Configuration
Utility
Sync
Engine
Sync Trigger
Module Security*
r: to review APS
configuration
r,w: to change
APS
configuration
r,w
r,w
PItoPI_APS
r,w
Sync
Trigger
PItoPI_APS
DataSecurity
PItoPI_APS
91
The Synchronization Engine runs as a service and therefore requires some form of automatic
log on (either a Trust or new PI mapping).
Synchronization Trigger is also a service and therefore requires some form of automatic log
on. Without write permission for the Module Database, Synchronization Trigger is nonfunctional. Synchronization Trigger only uses the Module Database (no point access).
The PItoPI_APS Connector requires read permission to points on the source Historian
Server. Since APS Connectors run inside the Synchronization Engine process, which is a
service, some form of automatic log on to the source Historian Server is required. That is, the
Synchronization Engine that is running the PItoPI_APS Connector requires automatic log on
to two Historian Servers: the target Historian Server and the source Historian Server. The
method of connection and the access rights granted do not need to be the same for both
Historian Servers. The Synchronization Engine only needs read access to the PIPOINT and
PIDS tables on the source Historian Server for the PItoPI_APS Connector to function.
However, the Synchronization Engine requires read and write access to the PIPOINT and
PIDS tables for automatic point creation on the target Historian Server. For non-automatic
modes, only read access is needed (on the target Historian Server).
92
Interfaces
Historian Server security to grant the required access rights to these connections.
Note: A copy of APS on the Historian Server node does not require any security
configuration in the Historian Server, however Rockwell Automation discourages
using APS on the Historian Server node except to synchronize points for Historian
COM Connectors.
The APS Synchronization Engine and APS Synchronization Trigger service are both
Windows services. You need to set up either a Trust or a PI mapping to connect each of them
to the Historian Server. The APS Configuration Utility is an interactive application, so you
can use either a Trust, a PI mapping, or an explicit login to a Historian Server User account.
PI mappings are the most secure option; explicit logins are the least secure. Use PI mappings
where possible (PI mappings require Historian Server version 3.0 and PI SDK 1.3.6 or later).
PI Mappings for Windows Services
By default, APS services log on as the Local System account, which cannot be used for PI
mappings on a remote Historian Server. In order to create a PI mapping, you must first
change the APS services to log on as Windows accounts (e.g. domain accounts) that are
configured with sufficient privileges to access the local Windows registry and files.
Module Database Permissions
The APS Configuration Utility creates the module AutoPointSync under the %OSI module.
APS configuration settings are stored in a hierarchy of modules under this module. Other
information also is stored in the modules used by APS. For example, the last synchronization
time (stored by the APS Synchronization Engine) and the SyncImmediately flag (set by the
APS Synchronization Trigger service or APS Configuration Utility) are stored in the
AutoPointSync hierarchy.
The APS Configuration Utility requires:
Write access for the PIModules table (Database Security) in order to create modules
Write access for the %OSI module in order to create the AutoPointSync module
Write access for the AutoPointSync hierarchy to register interface instances with APS, to
change configuration settings, or to manually initiate a synchronization scan. Read access
is sufficient to view configuration settings.
The APS Synchronization Engine and APS Synchronization Trigger service require write
access for modules in the AutoPointSync hierarchy for normal operation.
93
94
Interfaces
ICU
Database Security
Permission
Notes
PIDS
r,w
w: to create
"InterfaceStatus
" digital set if it
does not exist
PIModules
r,w
PIPOINT
r,w
w: to create or
delete Perfmon
Performance
Counter Points,
UniInt
Performance
Points, or UniInt
Health Points
Point Database
Permission
Notes
PtSecurity
r, w
Module Database
Permission
Module Security*
r,w
Notes
95
Configuring ICU
When ICU is installed on an interface node, the ICU obtains permissions to access Historian
Server objects by logging on with some form of credentials. The Historian Server
authenticates these credentials and establishes a security context for each client program. The
security context is specific to the credentials used to log on. Each securable Historian Server
object has access control information. Authorization for a client program to access a
securable Historian Server object is determined by comparing information in the security
context with the access control information for the object.
Several methods are available for logging on:
Explicit login
Trust
PI mapping (requires Historian Server version 3.0 or later and PI SDK 1.3.6 or later)
The ICU is an interactive application and all the methods for logging on to the Historian
Server can be used.
If the Historian Server is version 3.0 or later, Rockwell Automation recommends using
Windows security through PI mappings. Windows security provides the strongest
authentication and full Windows account traceability in the Historian Server log and audit
trail records.
Module Database Permission
The ICU creates the module interfaces under the %OSI module. ICU configuration settings
are stored in a hierarchy of modules under the interfaces module.
The ICU requires the following:
Write access for the PIModules table (Database Security) in order to create modules
Write access for the %OSI module in order to create the interfaces module
Write access for the interfaces hierarchy to register interface instances with ICU and to
change configuration settings
96
Interfaces
To create or delete these types of points, ICU requires write access for the Historian Server
PIPOINT table (Database Security).
To edit or delete individual points of these types, ICU requires write access for each point.
Historian Points have two sets of security attributes: one set controls access to the point
attributes and the other set controls access to the point data. ICU needs write access for point
attributes of these types of points. ICU does not access point data.
The ICU Controls for some interfaces have the ability to create interface-specific points.
Consult the user guide for each interface that ICU manages. Since ICU Controls run inside
the ICU process, the ICU requires write access for the Historian Server PIPOINT table for an
ICU Control to create points.
97
Appendix C
SMT now tells you exactly how you are connected to each Historian
Server (whether through a trust, a mapping, or an explicit login). The
lower left corner contains an information panel with this information.
Click for more complete information.
New Tools
Backup tool
Allows you to view backup history and run quick backups (not for
scheduling regular backups)
Firewall tool
Tool Changes:
Users and Groups tool
The Users and Groups tool becomes the Identities, Users, &
Groups tool. When connected to a Historian Server version 3.0 and
later, it includes a PI Identities tab. The PI Identities tab does not
appear unless you are connected to at least one appropriately
versioned Historian Server.
Trusts tool
The Trusts tool becomes the Mappings and Trusts tool. When
connected to a Historian Server version 3.0 and later, it includes a
Mappings tab. The Mappings tab does not appear unless you are
connected to at least one appropriately versioned Historian Server.
The Message Log viewer has been greatly enhanced with new
filtering and searching options and fields.
99
Appendix D
Notes
Create mappings
Verify configuration
101
102
(Optional)
Appendix E
Notes
Upgrade the SDK on client computers to 1.3.6 or (only for installations with existing clients &
later
interfaces; required for Windows authentication)
Configure clients that connect through an
application server (for example, PI DLES and PI
WebParts)
103
http://www.rockwellautomation.com/support/
Knowledgebase
The KnowledgeBase provides a searchable library of documentation and technical data, as
well as a special collection of resources for system managers.
http://www.rockwellautomation.com/knowledgebase/
Installation Assistance
If you experience a problem within the first 24 hours of installation, review the information that is contained in
this manual. You can contact Customer Support for initial help in getting your product up and running.
United States or Canada
Outside United States or
Canada
1.440.646.3434
Use the Worldwide Locator at http://www.rockwellautomation.com/support/americas/phone_en.html, or contact your
local Rockwell Automation representative.
Contact your distributor. You must provide a Customer Support case number (call the phone number above to obtain
one) to your distributor to complete the return process.
Please contact your local Rockwell Automation representative for the return procedure.
Documentation Feedback
Your comments will help us serve your documentation needs better. If you have any suggestions on how to
improve this document, complete this form, publication RA-DU002, available at
http://www.rockwellautomation.com/literature/.
Copyright 2013 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.