How can we improve our NOC Services?

← NOC Services

Document how to set minimum permissions for each Managed PI service

I want to set give minimum permissions to the service accounts that run the Managed PI services. The solution proposed by tech support was to either use the Local System account or add the service account to the local Administrators group. The former approach would require giving the entire Managed PI computer permission to the PI Data Archive, since Local System takes the identity of the machine. The latter approach gives the service account excessive permissions on the Managed PI computer. A 3rd approach was described to me, but it was too vague to complete. Clearly, none of these approaches are very secure.

Please document how to set minimum permissions for each Managed PI service. This should be put in the Installation And Upgrade Guide at the very least.

7 votes
Sign in Sign in with OSIsoft
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Kenneth Barber shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

1 comment

Attach a File
Sign in Sign in with OSIsoft
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • taterhead247 commented  ·   ·  Flag as inappropriate

    PLEASE! This is an obvious security risk. And an administrative nightmare. We ended up creating an identity just for mPI and mapping ALL of our machines to it. And then trying to manage tag permissions? Not fun. We need diagnostics to be able to run as a non-admin domain service account.

NOC Services: Security

Categories

Feedback and Knowledge Base

(thinking…)
Posted ideas will have one of the following statuses.
Full definition of these statuses can be found on the Home Page.
No status
NEEDS MORE DISCUSSION
RESEARCHING/EVALUATING
DECLINED
PLANNED
STARTED/IN DEVELOPMENT
IN BETA
COMPLETED