We would like to change users often. Could we have a logout button or something similar?

There should be provision of granting access to PI Identities or PI users on  PI Vision using PI Vision admin webpage.

Integration with enterprise ‘non-windows’ (claims) authentication systems.

A significant number of customers in my region are not using/don’t plan to adopt WIS as their authentication policy. As a result many of them are not using Windows AD.

Customers need PI Vision to be more flexible: PI Vision should be able to be integrated with their chosen SSO system.

Currently, only 1 AF server is configured to provide identities for vision display security. Displays can show data from multiple AF servers, which could have different security mappings. It would be nice to be able to pull identities from multiple AF servers for display security that matches the AF security that already exists.

As a PI Vision admin, I would like displays to automatically inherit the permissions of their parent folder so that permissions are set automatically when users save displays to the appropriate folder.

Currently permissions for folders and displays are not tied together but they can be propagated manually using the 'Propagate permissions' checkbox in the Folder Settings dialog.

Ability to restrict Pi Vision users to use the PI Data Archive tag search when building displays.
There exists a feature to restrict user access to AF Databases in the PIVision\admin\UserSettings. However, there is no way to restrict PI Vision users from the PI Data Archive.
Or be able to rename the PI DA symbol in the search.

PI Vision currently makes use of cookies for it's implementation of claims authentication. Google Chrome is phasing out third party cookies, as you can read here: https://www.bounteous.com/insights/2020/04/09/google-chrome-third-party-cookies

This means that in the future third party cookies won't be supported by Chrome anymore, which will break PI Vision's claims authentication.

As all major browser vendors will likely follow this path an alternative solution is needed.

Customers would like to fully controll access to folders and sub-folders without having administrator access to the entire PI Vision server.

Multiple organization specific folders with their own "administrators"
Theese folder-admins can take ownership and modify displays in their folder but no other folders.

At the moment only administrators and the owner can change owner on displays.

Having folders of the same level, you need to go one by one and manage the permissions. To fix this, have the ability to select numerous folders and manage the permissions for them all.

As a PI Vision administrator, it would be helpful for PI Vision Event acknowledgement and annotation to function without Kerberos delegation. This would allow the feature to work on cross domain environments where Kerberos may not be possible.

PI Vision admins should be able to manage Identities to review and delete stale Identity entries from the SQL back-end, along with any display sharing for them. Since PI Vision administrators have no way of managing the Identities on their Vision server, they cannot clean up identities that were deleted or were from an old AF Server.

As a owner of a display, i would like to be able to modify it even if it is marked as read-only.

Actually, I need to go on the main page, uncheck the read-only, edit the display, save it, and back to the home page again to modifiy to read-only again

The highest version of TLS that PI Vision currently supports by default is 1.2. Please add support for TLS 1.3 to make PI Vision load faster and more securely.

Currently PI Vision documentation does not provide any artifacts from security development tools such as web application security scanners that can be used by organizations to assess vulnerabilities and inform best practice configuration based on the artifacts.

Please drop support for TLS 1.0 & TLS 1.1. These have been known to be insecure protocols for a while now, are not supported by modern browsers, and have been superseded by TLS 1.2 & TLS 1.3.

"Compatibility with older browsers" is not a good reason to keep them around, since even Internet Explorer supports TLS 1.2 & TLS 1.3. Anyone using an older browser should upgrade for their own good.

In v2019, the PI Vision Display Utility cannot connect to PI Vision servers using Claims based Authentication. The utility can connect to a PI Vision server configured for claims authentication, but since it doesn't support claims it must connect with Windows authentication.

Currently PI Vision support claims based authentication through openid connect one of which is Azure b2b. However Azure B2B is not flexible when it comes to onboarding process. For this Azure B2C is a preffered option however the library's required are not natively support in PI Vision.

PI Vision's current CTP claims implementation is based off of OAuth 2.0. With OAuth 2.1 coming out PI Vision's claims implementation will need to be revised to be compliant with the new version of the framework. Specifically OAuth 2.1 is removing the implicit grant type which PI Vision requires in order to recieve tokens from the authorization endpoint of the identity provider.