The use of System User

    The system user can be a key element in securing your application properly yet conveniently.


    From the ThingWorx helpcenter:


    The system user is a system object in ThingWorx. With the System User, if a service is called from within a service or subscription (a wrapped service call), and the System User is permitted to execute the service, the service will be permitted to execute regardless of the User who initially triggered the sequence of events, scripts, or services.

     

    http://support.ptc.com/cs/help/thingworx_hc/thingworx_7.0_hc/index.jspx?id=SystemUser&action=show


    A few important notes to remember:

    • It is not possible to log in as a system user
    • Adding a system user to the Administrators group will not grant it the administrator permissions
    • Adding a system user to the Everyone organization will not grant it the same visibility

     

    As an option, one of the posts on our community provides a script that assigns all of the permissions to the system user as a one-time setup:

    https://community.thingworx.com/community/developers/blog/2016/10/28/assigning-the-system-user-through-script

     

    Example:

     

    1. Create a new template T1 and several things, Thing1, Thing2 and Thing3, based on it

    2. Create a new thing NewThing and a new user BlankUser

    3. Create a service within NewThing that uses ThingTemplates["T1"].GetImplementingThings() and give all the permissions on it to the new non-admin user, BlankUser


    Now the service on template T1 can be reached through NewThing: BlankUser needs no explicit permission on T1, because the wrapped call is executed on the strength of the system user's permission.
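    The decision behind this example, as an added illustration that is not ThingWorx code and not from the original post: a small JavaScript model of the wrapped-service-call rule quoted above from the help center. The entity and user names (T1, Thing1..Thing3, NewThing, BlankUser) follow the page; the service name GetT1Things, the permission table and the call-depth bookkeeping are assumptions constructed here to show why the direct call is denied while the wrapped call succeeds.

```javascript
// Added example (not ThingWorx code): a model of the "wrapped service call" rule.
// Entity, service and user names follow the page's example; the permission table
// and the call-depth rule are constructed here to illustrate the decision.

const SYSTEM_USER = "System";

// Constructed execute-permission table: entity -> service -> principals allowed.
// BlankUser was granted execute on NewThing's service (step 3 of the example);
// the System User holds execute on T1's GetImplementingThings (as a one-time setup
// script such as the one linked above would grant). BlankUser has nothing on T1.
const executePermissions = {
  NewThing: { GetT1Things: new Set(["BlankUser"]) },
  T1:       { GetImplementingThings: new Set([SYSTEM_USER]) },
};

function hasExecutePermission(user, entity, service) {
  const allowed = executePermissions[entity] && executePermissions[entity][service];
  return Boolean(allowed && allowed.has(user));
}

// Authorization decision for one invocation. callDepth 0 is the call the user
// triggered directly (for example through REST); callDepth > 0 is a wrapped call
// made from inside another service or subscription. A wrapped call succeeds when
// the System User may execute it, regardless of who started the chain; a direct
// call is judged on the initiating user alone (nobody can log in as System User).
function authorize(initiatingUser, entity, service, callDepth) {
  if (hasExecutePermission(initiatingUser, entity, service)) {
    return { allowed: true, via: initiatingUser };
  }
  if (callDepth > 0 && hasExecutePermission(SYSTEM_USER, entity, service)) {
    return { allowed: true, via: SYSTEM_USER };
  }
  return { allowed: false, via: null };
}

// Constructed service bodies. A body receives a ctx whose call() runs another
// service one level deeper in the chain, so the nested call is re-authorized.
const services = {
  T1: {
    GetImplementingThings: () => ["Thing1", "Thing2", "Thing3"],
  },
  NewThing: {
    GetT1Things: (ctx) => ctx.call("T1", "GetImplementingThings"),
  },
};

// Runs a service as initiatingUser, recording every authorization decision in trace.
function invoke(initiatingUser, entity, service, callDepth = 0, trace = []) {
  const decision = authorize(initiatingUser, entity, service, callDepth);
  trace.push({ entity, service, callDepth, allowed: decision.allowed, via: decision.via });
  if (!decision.allowed) {
    throw new Error(initiatingUser + " may not execute " + entity + "." + service);
  }
  const ctx = { call: (e, s) => invoke(initiatingUser, e, s, callDepth + 1, trace) };
  return services[entity][service](ctx);
}

// Direct call: BlankUser asks T1 for its implementing things and is denied,
// because BlankUser holds no execute permission on T1.
function directCall() {
  const trace = [];
  try {
    invoke("BlankUser", "T1", "GetImplementingThings", 0, trace);
    return { outcome: "allowed", trace };
  } catch (e) {
    return { outcome: "denied", trace };
  }
}

// Wrapped call: BlankUser runs NewThing.GetT1Things, which calls T1 internally.
// The outer call passes on BlankUser's own permission; the inner one passes on
// the System User's, so the things are returned without BlankUser ever being
// granted anything on T1.
function wrappedCall() {
  const trace = [];
  const result = invoke("BlankUser", "NewThing", "GetT1Things", 0, trace);
  return { result, trace };
}

console.log(directCall());
console.log(wrappedCall());
```

    The trace of the wrapped call shows the two decisions side by side: the outer service is allowed via BlankUser, the inner one via System. This is also the point to keep in mind when using the one-time script above: every service the system user may execute becomes reachable by any user who can execute some service that wraps it, so the permission granted on the wrapping service (here NewThing's) is the one that actually controls access.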

     

    When manipulating data (anything involving read/write access and the persistence provider), BlankUser requires more than just visibility permissions. For example, for a Stream, the following permissions would need to be set up:

     

    1. Visibility on the Stream template, the StreamProcessingSubsystem and the PersistenceProvider

    2. Read/write permission on the Stream thing used in the use case, created from the Stream template.

     

    Similarly, for other data sources, the things, templates and resources involved need visibility permissions and, depending on the scenario, read/write permissions on the specific template.