2 Replies Latest reply on Dec 21, 2016 5:00 PM by pchung RSS
    Digital One Explorer

    How to set up permissions for a nondeveloper - domain/application user

    In the multi tenant scenario the application developed in ThingWorx will provide the facility to create the non-developer ThingWorx users i.e. domain users for the application. Once these domain users e.g. Supervisor, Viewer etc. try to login the multi-tenant application, since they do not have various design time, visibility  & run time permissions it will not allow to do any operations and users would not be able to access the functional modules. From ThingWorx Composer super user can set the design time, visibility  & run time permissions for such domain users. Here question is, does ThingWorx provides out-of-the-box feature to set the permissions for newly created domain users via service/ custom mashup program?

     

    There will be API's and services for setting up permissions, however for that we need to manually go through all of the design/run time permission to enable for all the respective entities (Collection, Template, Thing, Service, Mashup) for each domain user, which will be lengthy and time consuming solution. Please suggest.

      • Re: How to set up permissions for a nondeveloper - domain/application user
        polinao Collaborator

        Please refer to this article, Assigning the System User through Script which can be tailored for non-system users. Currently there is no alternative out-of-the-box feature to set the permissions on newly created users via service (except for the snippets available to use in a custom server).

        • Re: How to set up permissions for a nondeveloper - domain/application user
          pchung Collaborator

          Having gone through securing an application recently myself, I can understand the desire for features like these.

          At this juncture the best way is to add security as you are building vs. finishing an application and layer security afterwards.

          Since you should know the different 'type' of users ahead of time, you can create Application Security User Groups that have certain permissions that you can then stack for the actual 'Application Role User Groups'

          ie.

          AppDefaultPermissions User Group that can execute all necessary services to get around in the application and see default information.

          Has the necessary property read

          AppEditPermissions User Group that can perhaps do value edits or something like that

          AppManagerPermissions User Group that can create new users etc.

           

          then you create at the end groups like

          ReadOnlyUsers

          Technicians

          ApplicationManagers

          and you add these to the groups above (note that the permissions stack)