Document how to set minimum permissions for each Managed PI service
I want to give minimum permissions to the service accounts that run the Managed PI services. The solution proposed by tech support was to either use the Local System account or add the service account to the local Administrators group. The former approach would require giving the entire Managed PI computer permission to the PI Data Archive, since Local System takes the identity of the machine. The latter approach gives the service account excessive permissions on the Managed PI computer. A 3rd approach was described to me, but it was too vague to complete. Clearly, none of these approaches are very secure.
Please document how to set minimum permissions for each Managed PI service. This should be put in the Installation And Upgrade Guide at the very least.
The next release of Managed PI (due Q3 2021) utilizes virtual service accounts for Managed PI Services, and the documentation will reflect the updated best practices.
In response to sahilp, you can already use custom service accounts and nothing is forcing you to use a PI Trust instead of a PI Mapping. You can use a PI Mapping! See my 1st comment.
So if I understood the OSIsoft reply correctly, the system will switch from Local System to NT Service\XXXX? That is good for machine security, but that still means that a trust is used on the DA side? Or will tightening up to virtual accounts also facilitate the use of custom service accounts?
In response to taterhead247, you don't have to map all of your computer accounts to a single PI Identity. You can have 1 PI Identity for each computer account. If you do this and follow the minimum permissions on the PI Data Archive that I described in my previous comment, you should be in a fairly good situation until OSIsoft finishes the documentation of minimum permissions. PI Builder will be your friend in setting those minimum permissions.
I should be clearer: it is especially not clear what the minimum permissions are that each Managed PI service needs on the computer on which it runs.
The permissions within PI are fairly straightforward, even though they are still not documented the best. None of the services needs permission to the PI Asset Framework. PI Diagnostics UI and PI Agent both do not need any permissions on the PI Data Archive. PI Diagnostics simply needs read/write access to PIPOINT if you want it to automatically create the PI Interface health points or only read access if you create these manually, and it needs only read access to both the Point Security and the Data Security of those health points, and no other PI Points, after they are created.
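The two comments above (one PI Identity per computer account, and the PI Data Archive grants that PI Diagnostics actually needs) can be turned into an offline audit. The script below is an added example, not code from the thread or from OSIsoft: it parses the PI Data Archive security-descriptor syntax ("identity: A(r,w) | identity2: A(r)") as exported by PI Builder or piconfig and reports where a service identity has less than, or more than, the minimum described above. The identity name `MPI_SRV01`, the point names and the descriptors are constructed sample data, and which points count as "health points" is an input you supply.

```python
"""Least-privilege audit for a Managed PI service identity on a PI Data Archive.

Added example (not from the original thread). Minimum checked, per the comment
above: read on the PIPOINT database-security table (read/write when the service
is allowed to create the PI Interface health points itself), read-only Point
Security and Data Security on the health points, and no grant at all on any
other PI Point. Assumes descriptors use the "ident: A(r,w) | ident2: A(r)"
syntax shown by PI Builder / piconfig. All sample values are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One access-control entry: "<identity>: A(<rights>)", rights being r and/or w.
ACE_RE = re.compile(r"^\s*(?P<ident>[^:|]+?)\s*:\s*A\((?P<rights>[rw,\s]*)\)\s*$")


def parse_security(descriptor: str) -> dict[str, set[str]]:
    """Parse 'ident: A(r,w) | ident2: A(r)' into {ident: {'r', 'w'}}."""
    grants: dict[str, set[str]] = {}
    for ace in descriptor.split("|"):
        if not ace.strip():
            continue
        m = ACE_RE.match(ace)
        if m is None:
            raise ValueError(f"unrecognised ACE: {ace!r}")
        rights = {r.strip() for r in m.group("rights").split(",") if r.strip()}
        grants[m.group("ident")] = rights
    return grants


@dataclass
class PIPoint:
    name: str
    ptsecurity: str    # Point Security descriptor
    datasecurity: str  # Data Security descriptor


@dataclass
class AuditResult:
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def audit_identity(identity: str, pipoint_table_security: str, points: list[PIPoint],
                   health_points: set[str], auto_create: bool) -> AuditResult:
    """Compare one identity's effective grants against the minimum."""
    result = AuditResult()
    table = parse_security(pipoint_table_security).get(identity, set())
    needed = {"r", "w"} if auto_create else {"r"}
    if needed - table:
        result.findings.append(f"PIPOINT table: {identity} lacks {sorted(needed - table)}")
    if table - needed:
        result.findings.append(f"PIPOINT table: {identity} has excess {sorted(table - needed)}")
    for p in points:
        for label, desc in (("Point Security", p.ptsecurity), ("Data Security", p.datasecurity)):
            rights = parse_security(desc).get(identity, set())
            if p.name in health_points:
                if "r" not in rights:
                    result.findings.append(f"{p.name} {label}: {identity} lacks read")
                if "w" in rights:
                    result.findings.append(f"{p.name} {label}: {identity} has write")
            elif rights:
                result.findings.append(
                    f"{p.name} {label}: {identity} granted {sorted(rights)} on a non-health point")
    return result


# Constructed sample: one identity per Managed PI computer (here the machine SRV01).
SAMPLE_IDENTITY = "MPI_SRV01"
SAMPLE_TABLE_SECURITY = "piadmin: A(r,w) | piadmins: A(r,w) | MPI_SRV01: A(r,w) | PIWorld: A(r)"
SAMPLE_HEALTH_POINTS = {"srv01.Heartbeat", "srv01.IOrate"}
SAMPLE_POINTS = [
    PIPoint("srv01.Heartbeat", "piadmins: A(r,w) | MPI_SRV01: A(r)",
            "piadmins: A(r,w) | MPI_SRV01: A(r) | PIWorld: A(r)"),
    PIPoint("srv01.IOrate", "piadmins: A(r,w) | MPI_SRV01: A(r,w)",   # write is excess
            "piadmins: A(r,w) | MPI_SRV01: A(r)"),
    PIPoint("TankLevel", "piadmins: A(r,w) | MPI_SRV01: A(r)",        # not a health point
            "piadmins: A(r,w) | PIWorld: A(r)"),
]


def demo(auto_create: bool = True) -> AuditResult:
    return audit_identity(SAMPLE_IDENTITY, SAMPLE_TABLE_SECURITY, SAMPLE_POINTS,
                          SAMPLE_HEALTH_POINTS, auto_create)


if __name__ == "__main__":
    for finding in demo().findings:
        print(finding)
```

Run it against a real export by replacing the constructed lists with the descriptors of your own points; with one identity per computer account, the same audit is repeated per identity, and the `auto_create` flag chooses between the read/write and read-only expectation on the PIPOINT table.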
PLEASE! This is an obvious security risk. And an administrative nightmare. We ended up creating an identity just for mPI and mapping ALL of our machines to it. And then trying to manage tag permissions? Not fun. We need diagnostics to be able to run as a non-admin domain service account.