Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla.

Published byJulius Neal Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla."— Presentation transcript:

1

2 © 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla

3 3 © 2008 OSIsoft, Inc. | Company Confidential PI Server Security? Why? PI is a system you trust! –To maintain the quality of your product –To facilitate the safety of your operations –To drive innovation and investment Anywhere, anytime access adds value… but: –Who has access? –What can they do? The keys: Authentication and Authorization

4 4 © 2008 OSIsoft, Inc. | Company Confidential Objectives Respond to your requests for: 1.More flexible access control 2.More secure authentication methods 3.Leverage Windows for account administration 4.Single sign-on (no explicit PI Server login required)

5 5 © 2008 OSIsoft, Inc. | Company Confidential Architectural Overview Our Current Security Model –Choice of access rights: read, write –A single owner (per object) –A single group association –And then everyone else... “world” The New Model –Support for Active Directory and Windows Local Users/Groups –Mapping of authenticated Windows principals to “PI Identities” –Access Control Lists for points, etc.

6 6 © 2008 OSIsoft, Inc. | Company Confidential WIS in a Nutshell Windows PI Server Active Directory Active Directory Security Principals Security Principals Authentication Identity Mapping PI Identities Access Control Lists Authorization PI Secure Objects PI Secure Objects

7 7 © 2008 OSIsoft, Inc. | Company Confidential AuthenticationAuthorization Users and GroupsPI-IdentitiesPI secure Objects And more simply: Keys and Locks ID Mapping

8 8 © 2008 OSIsoft, Inc. | Company Confidential User Authentication Until Now –Explicit Login: validation against PI internal user database –Trust Login: validation of user’s Security Identifier (SID) PI Server 2008 Release –Authentication through Microsoft Security Support Provider Interface (SSPI) – Negotiate protocol –Principals from Active Directory –Principals from local system –Configurable authentication modes (client-side and server-side)

9 9 © 2008 OSIsoft, Inc. | Company Confidential Demo: Protocol Selection

10 10 © 2008 OSIsoft, Inc. | Company Confidential PIIdentities Purpose –Link Windows principals with PI Server objects What are PI Identities? –A representation of an individual user, a group, or a combination of users and groups –All PIUser’s and PIGroup’s become PIIdentities Why? –To maximize flexibility for controlling user access to secure objects within the PI Server

11 11 © 2008 OSIsoft, Inc. | Company Confidential PIIdentities (cont’d) 3 Types: PIUser, PIGroup, and PIIdentity All existing PIUser’s and PIGroup’s are included –piadmin, pidemo –piadministrators (renamed piadmin), piusers (plural) Best viewed as “roles” or “categories” –Similar to SQL Server logins –Suggested categories (as pre-defined defaults): PIWorld, PIEngineers, PIOperators, PISupervisors –Customizable according to your needs Add new Identities Rename existing Identities Disable Identities

12 12 © 2008 OSIsoft, Inc. | Company Confidential Demo: Configuring a PI Identity

13 13 © 2008 OSIsoft, Inc. | Company Confidential PI Identity Mappings & Trusts Mappings –1 Principal (AD/Windows group) to 1 PI Identity Example: COMPANY\Supervisors to PISupervisors –Authenticated users have 1..N PI Identities A user typically belongs to many (nested) groups Trusts –A trust points to 1 and only 1 PIIdentity –Enhancement: map to any PI Identities, not just PIUsers

14 14 © 2008 OSIsoft, Inc. | Company Confidential Demo: Identity Mapping

15 15 © 2008 OSIsoft, Inc. | Company Confidential PI Secure Objects: Authorization Main objects: Points and Modules Ownership Assignments –Objects are “co-owned” by PI identities –Any PIIdentity is eligible –Multiple ownership is now supported not just 1 PIUser and 1 PIGroup Access Control Lists –Every secure object has at least 1 (points have 2) –The replacement owner, group, and access (“o:rw g:rw w:rw”) –Each identity in the list has its own set of access rights –ACLs compatible with the existing security model have 3 identities 1 PIUser, 1PIGroup, and PIWorld (any order)

16 16 © 2008 OSIsoft, Inc. | Company Confidential Demo: Comparing ACLs – Old v. New

17 17 © 2008 OSIsoft, Inc. | Company Confidential Demo: Configuring an ACL

18 18 © 2008 OSIsoft, Inc. | Company Confidential Making the Transition Existing security still supported –On upgrade: no loss of configuration, no migration –Downgrade only by restoring from backup Existing SDK applications –Preserve existing behavior Can still connect via explicit logins or trusts –Single sign-on after SDK and server upgrade No configuration or code changes to client applications!

19 19 © 2008 OSIsoft, Inc. | Company Confidential Summary Windows Integrated Security Means 1.More flexible configuration 2.More secure PI Server 3.Less maintenance 4.Preserving customer investment We welcome your feedback!

20 20 © 2008 OSIsoft, Inc. | Company Confidential Thank You

Download ppt "© 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla."

Similar presentations

PI Server Security Bryan S. Owen Omar A. Shafie.

PI Server Security Bryan S. Owen Omar A. Shafie.
© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE.

© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE.
1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Security Taking it to the Next.

1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Security Taking it to the Next.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Understanding Active Directory

Understanding Active Directory
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Understanding Active Directory

Understanding Active Directory
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved. Architecture and Best Practices: Recommendations for PI Systems.

Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved. Architecture and Best Practices: Recommendations for PI Systems.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Similar presentations

Ads by Google