The System user is pivotal in securing your application and the simplest approach is to assign the System user to ALL Collections and give it Runtime Service Execute.

These Collection Permissions ONLY Export to ThingworxStorage vs. the File Export, it becomes quite painful to manage this and then roll this out to a new machine.

Best and fastest solution? Script the Assignment, you can take this script which does it for the System user and extend it to include any other Collection Level permissions you might need to set, like adding Entity Create Design Time for the System user.

---------------------------------------------------------

//@ThingworxExtensionApiMethod(since={6,6})

//public void AddCollectionRunTimePermission(java.lang.String collectionName,

//       java.lang.String type,

//       java.lang.String resource,

//       java.lang.String principal,

//       java.lang.String principalType,

//       java.lang.Boolean allow)

//    throws java.lang.Exception

//

//Service Category:

//    Permissions

//

//Service Description:

//    Add a run time permission.

//

//Parameters:

//    collectionName - Collection name (Things, Users, ThingShapes, etc.) - STRING

//    type - Permission type (PropertyRead PropertyWrite ServiceInvoke EventInvoke EventSubscribe) - STRING

//    resource - Resource name (* = all or enter a specific resource to override) - STRING

//    principal - Principal name (name of user or group) - STRING

//    principalType - Principal type (User or Group) - STRING

//    allow - Permission (true = allow, false = deny) - BOOLEAN

//Throws:

//    java.lang.Exception - If an error occurs

//   

 

 

var params = {

    modelTags: undefined /* TAGS */,

    type: undefined /* STRING */

};

 

// result: INFOTABLE dataShape: EntityCount

var EntityTypeList = Subsystems["PlatformSubsystem"].GetEntityCount(params);

 

for each (var row in EntityTypeList.rows) {

    try {

        var params = {

            principal: "System" /* STRING */,

            allow: true /* BOOLEAN */,

            resource: "*" /* STRING */,

            type: "ServiceInvoke" /* STRING */,

            principalType: "User" /* STRING */,

            collectionName: row.name /* STRING */

        };

 

        // no return

        Resources["CollectionFunctions"].AddCollectionRunTimePermission(params);

    }

    catch(err) {

    }

}