© 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla.

Slides:



Advertisements
Similar presentations
PI Server Security Bryan S. Owen Omar A. Shafie.
Advertisements

© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE.
1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Security Taking it to the Next.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Introduction To Windows NT ® Server And Internet Information Server.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Understanding Active Directory
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Understanding Active Directory
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved. Architecture and Best Practices: Recommendations for PI Systems.
Chapter 7 WORKING WITH GROUPS.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
Copyright © 2007, SAS Institute Inc. All rights reserved. SAS Activity-Based Management Survey Kit (ASK): User Management & Security.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
DB-19: OpenEdge® Authentication Without the _User Table
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Security Ray Verhoeff Vice President – Engineering.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
Managing Active Directory Domain Services Objects
Chapter 7: WORKING WITH GROUPS
PI ICE and Web Applications – Gregg Le Blanc PI ICE Gregg Le Blanc PI System Product Manager.
Managing Groups, Folders, Files and Security Local Domain local Global Universal Objects Folders Permissions Inheritance Access Control List NTFS Permissions.
Module 9 Authenticating and Authorizing Users. Module Overview Authenticating Connections to SQL Server Authorizing Logins to Access Databases Authorization.
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,
SQL Server Security By Mattias Lind For PASS Security VC.
Part II - Microsoft ® Project 2000 Enterprise Deployment Templates.
Chapter 9: SHARING FILE SYSTEM RESOURCES1 CHAPTER OVERVIEW  Create and manage file system shares and work with share permissions.  Use NTFS file system.
Grid Chemistry System Architecture Overview Akylbek Zhumabayev.
Slide 1 ASP Authentication There are basically three authentication modes Windows Passport Forms There are others through WCF You choose an authentication.
Guide to MCSE , Second Edition, Enhanced1 The Windows XP Security Model User must logon with: Valid user ID Password User receives access token Access.
Module 3: Managing a Microsoft ® Windows ® Small Business Server Environment.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 The SqlConnection Object ADO.NET - Lesson 02  Training time: 10 minutes 
2. SQL Security Objectives –Learn SQL Server 2000 components Contents –Understanding the Authentication Process –Understanding the Authorization Process.
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
IIS and.Net security -Vasudha Bhat. What is IIS? Why do we need IIS? Internet Information Services (IIS) is a Web server, its primary job is to accept.
Module 6: Data Protection. Overview What does Data Protection include? Protecting data from unauthorized users and authorized users who are trying to.
Module 5 : Security I Jong S. Bok
February, TRANSCEND SHIRO-CAS INTEGRATION ANALYSIS.
Module 9 User Profiles and Social Networking. Module Overview Configuring User Profiles Implementing SharePoint 2010 Social Networking Features.
1 Objectives Discuss File Services in Windows Server 2008 Install the Distributed File System in Windows Server 2008 Discuss and create shared file resources.
1 Chapter Overview Understanding the Authentication Process Understanding the Authorization Process Creating and Managing Logins.
Module 6: Administering Reporting Services. Overview Server Administration Performance and Reliability Monitoring Database Administration Security Administration.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
CEG 2400 Fall 2012 Directory Services Active Directory Tree Domain.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Copyright© 2003 Avaya Inc. All rights reserved Avaya – Proprietary Use pursuant to Company instructions How TSAPI works with SDB Yanli.
Configuring the User and Computer Environment Using Group Policy Lesson 8.
Administrating a Database
Configuring and Troubleshooting Routing and Remote Access
Module 8: Securing Network Traffic by Using IPSec and Certificates
Active Directory Administration
Common Security Mistakes
Implementing Database Roles in the Enterprise Geodatababse
Module 8: Securing Network Traffic by Using IPSec and Certificates
Administrating a Database
Day 2, Session 2 Connecting System Center to the Public Cloud
06 | SQL Server and the Cloud
Presentation transcript:

© 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla

3 © 2008 OSIsoft, Inc. | Company Confidential PI Server Security? Why? PI is a system you trust! –To maintain the quality of your product –To facilitate the safety of your operations –To drive innovation and investment Anywhere, anytime access adds value… but: –Who has access? –What can they do? The keys: Authentication and Authorization

4 © 2008 OSIsoft, Inc. | Company Confidential Objectives Respond to your requests for: 1.More flexible access control 2.More secure authentication methods 3.Leverage Windows for account administration 4.Single sign-on (no explicit PI Server login required)

5 © 2008 OSIsoft, Inc. | Company Confidential Architectural Overview Our Current Security Model –Choice of access rights: read, write –A single owner (per object) –A single group association –And then everyone else... “world” The New Model –Support for Active Directory and Windows Local Users/Groups –Mapping of authenticated Windows principals to “PI Identities” –Access Control Lists for points, etc.

6 © 2008 OSIsoft, Inc. | Company Confidential WIS in a Nutshell Windows PI Server Active Directory Active Directory Security Principals Security Principals Authentication Identity Mapping PI Identities Access Control Lists Authorization PI Secure Objects PI Secure Objects

7 © 2008 OSIsoft, Inc. | Company Confidential AuthenticationAuthorization Users and GroupsPI-IdentitiesPI secure Objects And more simply: Keys and Locks ID Mapping

8 © 2008 OSIsoft, Inc. | Company Confidential User Authentication Until Now –Explicit Login: validation against PI internal user database –Trust Login: validation of user’s Security Identifier (SID) PI Server 2008 Release –Authentication through Microsoft Security Support Provider Interface (SSPI) – Negotiate protocol –Principals from Active Directory –Principals from local system –Configurable authentication modes (client-side and server-side)

9 © 2008 OSIsoft, Inc. | Company Confidential Demo: Protocol Selection

10 © 2008 OSIsoft, Inc. | Company Confidential PIIdentities Purpose –Link Windows principals with PI Server objects What are PI Identities? –A representation of an individual user, a group, or a combination of users and groups –All PIUser’s and PIGroup’s become PIIdentities Why? –To maximize flexibility for controlling user access to secure objects within the PI Server

11 © 2008 OSIsoft, Inc. | Company Confidential PIIdentities (cont’d) 3 Types: PIUser, PIGroup, and PIIdentity All existing PIUser’s and PIGroup’s are included –piadmin, pidemo –piadministrators (renamed piadmin), piusers (plural) Best viewed as “roles” or “categories” –Similar to SQL Server logins –Suggested categories (as pre-defined defaults): PIWorld, PIEngineers, PIOperators, PISupervisors –Customizable according to your needs Add new Identities Rename existing Identities Disable Identities

12 © 2008 OSIsoft, Inc. | Company Confidential Demo: Configuring a PI Identity

13 © 2008 OSIsoft, Inc. | Company Confidential PI Identity Mappings & Trusts Mappings –1 Principal (AD/Windows group) to 1 PI Identity Example: COMPANY\Supervisors to PISupervisors –Authenticated users have 1..N PI Identities A user typically belongs to many (nested) groups Trusts –A trust points to 1 and only 1 PIIdentity –Enhancement: map to any PI Identities, not just PIUsers

14 © 2008 OSIsoft, Inc. | Company Confidential Demo: Identity Mapping

15 © 2008 OSIsoft, Inc. | Company Confidential PI Secure Objects: Authorization Main objects: Points and Modules Ownership Assignments –Objects are “co-owned” by PI identities –Any PIIdentity is eligible –Multiple ownership is now supported not just 1 PIUser and 1 PIGroup Access Control Lists –Every secure object has at least 1 (points have 2) –The replacement owner, group, and access (“o:rw g:rw w:rw”) –Each identity in the list has its own set of access rights –ACLs compatible with the existing security model have 3 identities 1 PIUser, 1PIGroup, and PIWorld (any order)

16 © 2008 OSIsoft, Inc. | Company Confidential Demo: Comparing ACLs – Old v. New

17 © 2008 OSIsoft, Inc. | Company Confidential Demo: Configuring an ACL

18 © 2008 OSIsoft, Inc. | Company Confidential Making the Transition Existing security still supported –On upgrade: no loss of configuration, no migration –Downgrade only by restoring from backup Existing SDK applications –Preserve existing behavior Can still connect via explicit logins or trusts –Single sign-on after SDK and server upgrade No configuration or code changes to client applications!

19 © 2008 OSIsoft, Inc. | Company Confidential Summary Windows Integrated Security Means 1.More flexible configuration 2.More secure PI Server 3.Less maintenance 4.Preserving customer investment We welcome your feedback!

20 © 2008 OSIsoft, Inc. | Company Confidential Thank You

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.