How can we improve our NOC Services?

← NOC Services

Document how to set minimum permissions for each Managed PI service

I want to set give minimum permissions to the service accounts that run the Managed PI services. The solution proposed by tech support was to either use the Local System account or add the service account to the local Administrators group. The former approach would require giving the entire Managed PI computer permission to the PI Data Archive, since Local System takes the identity of the machine. The latter approach gives the service account excessive permissions on the Managed PI computer. A 3rd approach was described to me, but it was too vague to complete. Clearly, none of these approaches are very secure.

Please document how to set minimum permissions for each Managed PI service. This should be put in the Installation And Upgrade Guide at the very least.

8 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Kenneth Barber shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

3 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Kenneth Barber commented  ·   ·  Flag as inappropriate

    In response to taterhead247, you don't have to map all of your computer accounts to a single PI Identity. You can have 1 PI Identity for each computer account. If you do this and follow the minimum permissions on the PI Data Archive that I described in my previous comment, you should be in a fairly good situation until OSIsoft finishes the documentation of minimum permissions. PI Builder will be your friend in setting those minimum permissions.

  • Kenneth Barber commented  ·   ·  Flag as inappropriate

    I should be clearer: it is especially not clear what are the minimum permissions that each Managed PI service needs on the computer on which they run.

    The permissions within PI are fairly straightforward, even though they are still not documented the best. None of the services needs permission to the PI Asset Framework. PI Diagnostics UI and PI Agent both do not need any permissions on the PI Data Archive. PI Diagnostics simply needs read/write access to PIPOINT if you want it to automatically create the PI Interface health points or only read access if you create these manually, and it needs only read access to both the Point Security and the Data Security of those health points, and no other PI Points, after they are created.

  • taterhead247 commented  ·   ·  Flag as inappropriate

    PLEASE! This is an obvious security risk. And an administrative nightmare. We ended up creating an identity just for mPI and mapping ALL of our machines to it. And then trying to manage tag permissions? Not fun. We need diagnostics to be able to run as a non-admin domain service account.

NOC Services: Security

Categories

Feedback and Knowledge Base

(thinking…)
Posted ideas will have one of the following statuses.
Full definition of these statuses can be found on the Home Page.
No status
TELL US MORE
EVALUATING
PLANNED
IN DEVELOPMENT
COMPLETED
DECLINED