@mode edit @modify ptaccess=o:rw g:rw w:rw @modify dataaccess=o:rw g:rw w:rw @select tag="*" @endsection @exit
6.7.6 Security for Default Points in the PI Server
PI is distributed with all default points owned by user piadmin, and assigned to group piadmin. Although they have the same name, the user and group have no special relationship to each other. The user piadmin is the PI System Manager, but the group piadmin has no special privileges.
6.8 User Security
As mentioned earlier, the PI Server has its own user identification and password security. Client applications may obtain login credentials through a PITrust login, or by passing a user name and password. A PITrust assigns a user to the login session based on a set of
credentials; this mechanism is discussed in the next section, Trust Login Security.
To log in to the PI Server from one of the PI client applications, such as PI ProcessBook or PI DataLink, requires a PI user name and password or a valid PITrust. The user is also assigned to one or more groups of users.
Note: The PI Server does support PI API based logins without supplying a user
name/password or a trust. This is the “default” user access that assigns world rights to the connection. This feature may be disabled by adding the PITimeout table entry “DefaultUserAccess” and setting the value 0. A non-zero value or no entry allows default user access. If default user access is disabled no secure objects may be accessed regardless of security attribute settings.
When a user accesses the PI Server, after the request passes the PI Firewall, the user ID and password are used to determine what access to grant.
There are three types of user access: owner, group, and world. Owner access is typically read- write privileges. Group access is often read-only. World access is by default, none.
Two user accounts are included in the installation of PI Server, piadmin and pidemo. The piadmin user always has read/write access to all objects regardless of access settings. This is similar to a super user account in UNIX. The pidemo user has read-only access to all objects. Do not delete either account. You should establish passwords for both accounts. This does not affect the trust login process.
6.8.1 Group Database
Access to data or to point attributes is normally granted to groups of users, such as instrument engineers or operators, rather than to individuals. The PI Group Database is where all
PI groups are defined. Every user is a member of one or more groups. This determines their access to the various PI databases and their individual elements.
Adding a New PI Group
The piconfig utility is used to modify the PI Group Database. The table name is PIGROUP. The primary key is GROUP. The following attributes are defined:
GROUP group name
USERS users belonging to this group DESCRIPTION free text
This piconfig example, opens the table and then lists all entries:
* (Cr) Piconfig> @table pigroup * (Cr) Piconfig> @mode list
* (Ls) Piconfig> @ostructure group, description,users,... * (Ls) Piconfig> @select group="*"
* (Ls) Piconfig> @endsection piadmin,Administration,piadmin piuser,User,pidemo
ptmaintenance,,
Next, a new group is added. In this example, the description attribute is used to specify the group’s purpose. User is a read-only attribute.
Note: To add users to groups, use the User Database, NOT the Group Database.
* (Ls) Piconfig> @mode create
* (Cr) Piconfig> @istructure group, description
* (Cr) Piconfig> Section1, Section1 crew chiefs and engineers *> Section1, Section1 crew chiefs and engineers
* (Cr) Piconfig> @mode list
* (Ls) Piconfig> @ostru group,description * (Ls) Piconfig> @select group="*"
* (Ls) Piconfig> @endsection piadmin,Administration piuser,User
ptmaintenance,
Section1,Section1 crew chiefs and engineers
6.8.2 User Database
The PI User Database is where individual PI users are defined, and assigned to already existing groups.
Passwords are also stored here. Users maintain their passwords using the pisetpass utility. The table name is PIUSER. The primary key is USER.
6.8 - User Security
The following attributes are defined:
USER user name
DESCRIPTION free text
GROUPS group(s) to which the user belongs CONTEXT <reserved for future use>
Adding a New PI User
The piconfig utility is used to modify the PI User Database. This piconfig example opens the table, and then lists all entries:
$ piconfig
* (Ls) Piconfig> @table piuser
* (Ls) Piconfig> @ostructure user, description, groups * (Ls) Piconfig> @select user="*"
* (Ls) Piconfig> @endsection piadmin,PI Administration,piadmin pidemo,PI Demo,piuser
The description attribute is used to specify such information as the user’s full name, telephone extension, and email address.
To add a new user, specify each group to which the user should be added. The user may be added to one or more groups.
The default password is the same as the user name. A different password can be assigned upon creation by appending /password to the user attribute.
* (Ls) Piconfig> @mode create
* (Cr) Piconfig> @istructure user, description, groups, ...
* (Cr) Piconfig> tom/mypassword, [email protected], piadmin, piuser * (Cr) Piconfig> @mode list
* (Ls) Piconfig> @ostructure user, description, groups, ... * (Ls) Piconfig> @select user=tom
* (Ls) Piconfig> @endsection
tom, [email protected], piadmin,piuser
Changing PI User Passwords
PI users may change their passwords by using the pisetpass utility in the PI\adm directory. PI must be running for this utility to work. You must enter the current password in order to change the password.
You can also set a password to a blank entry by using pisetpass, although this is not recommended.
The manager can also specify the old password as "!" (exclamation mark) and new password as required. This bypasses old-password verification when the user running pisetpass as piadmin.