Document how to set minimum permissions for each Managed PI service
I want to give minimum permissions to the service accounts that run the Managed PI services. The solution proposed by tech support was to either use the Local System account or add the service account to the local Administrators group. The former approach would require giving the entire Managed PI computer permission to the PI Data Archive, since Local System takes the identity of the machine. The latter approach gives the service account excessive permissions on the Managed PI computer. A third approach was described to me, but it was too vague to complete. Clearly, none of these approaches are very secure.
Please document how to set minimum permissions for each Managed PI service. This should be put in the Installation And Upgrade Guide at the very least.
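Before deciding which account each service should run as, it helps to see which services on the Managed PI host are currently in one of the two over-privileged configurations the request describes: running as Local System (so any remote access to the PI Data Archive is made with the computer account) or running as a named account that sits in the local Administrators group. The PowerShell below is an added example, not code from the original post or from OSIsoft; it assumes the relevant Windows service names contain "PI" (the `$NamePattern` parameter is a placeholder, adjust it to the real service names) and that it is run elevated on a host with Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post or from OSIsoft documentation).
# Lists Windows services whose name matches $NamePattern and flags the two
# over-privileged configurations described in the request:
#   1. running as LocalSystem, so network access to the PI Data Archive is made
#      with the computer account and the whole machine must be trusted, and
#   2. running as a dedicated account that is a member of local Administrators.
# Assumption: Managed PI service names contain "PI". Adjust the pattern as needed.
# Requires Windows PowerShell 5.1+ (Get-LocalGroupMember); run in an elevated session.
param(
    [string]$NamePattern = 'PI'
)

function Get-ServiceAccountFinding {
    param([string]$StartName, [string[]]$LocalAdmins)

    # Win32_Service reports local accounts as ".\name" while Get-LocalGroupMember
    # reports them as "COMPUTERNAME\name"; normalise so the membership test compares
    # like with like. Accounts given in UPN form (user@domain) are not normalised.
    $account = $StartName -replace '^\.\\', "$env:COMPUTERNAME\"

    $finding = switch -Regex ($account) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
            'LocalSystem: remote access uses the computer account'; break
        }
        '^NT AUTHORITY\\(LocalService|NetworkService)$' {
            'built-in service account'; break
        }
        default {
            # Direct membership only; nested group membership is not resolved here.
            if ($LocalAdmins -contains $account) {
                'named account, but a member of local Administrators'
            } else {
                'named non-admin account'
            }
        }
    }
    return $finding
}

function Get-PIServiceAccountReport {
    param([string]$Pattern)

    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Select-Object -ExpandProperty Name)

    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '%$Pattern%'" |
        ForEach-Object {
            [pscustomobject]@{
                Service = $_.Name
                State   = $_.State
                RunsAs  = $_.StartName
                Finding = Get-ServiceAccountFinding -StartName $_.StartName -LocalAdmins $localAdmins
            }
        }
}

Get-PIServiceAccountReport -Pattern $NamePattern | Format-Table -AutoSize
```

Any service reported as "LocalSystem" or "member of local Administrators" is a candidate for moving to a dedicated non-admin domain account (for example with `sc.exe config <service> obj= "DOMAIN\svc_account" password= "..."`, after granting that account the "Log on as a service" right and only the file, registry and PI Data Archive permissions that service actually needs). The report does not tell you what those minimum permissions are; that is exactly what the request asks OSIsoft to document.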
Damon Vinciguerra commented
PLEASE! This is an obvious security risk. And an administrative nightmare. We ended up creating an identity just for mPI and mapping ALL of our machines to it. And then trying to manage tag permissions? Not fun. We need diagnostics to be able to run as a non-admin domain service account.