16 Replies Latest reply on Jan 24, 2017 4:18 PM by pbaierl
    pbaierl Creator

    Remote Thing Permissions

    Could anyone point me in the right direction for the permissions required to have my remote thing access our Thingworx Server?

     

    Currently all of our remote things use an app key that's tied to an administrator.  I am trying to remove this and reduce the remote thing permissions down to a minimum.  Any assistance would be really appreciated.

     

    We use a service to generate the thing that corresponds to the remote thing when it first connects to the server.  I have granted permission to my new user to access the remote thing template as well as permissions to create new things.  What else am I missing?  I am not seeing any warnings or permission issues when the remote thing is attempting to connect to the thingworx servers so I am not sure which piece I am missing.

     

     

    Thanks in Advance.

     

    Paul

      • Re: Remote Thing Permissions
        jkaczynski-2 Creator

        Hello Paul Baierl,

         

        As far as I understand, your remote thing is not created at all?

         

        If so, please let me point out a few things that could help you in finding the missing piece:

        1. Usually in that kind of mechanism there is a Thing that has a service to create a new Thing (invoking CreateThing directly on EntityServices is really not recommended). If so, you need to provide permissions to invoke this service as well as the Design Time permission on the Thing Collection to Create. Of course, permission on EntityServices:CreateThing is also necessary (in this case probably for the System user; more about the System user you can find here: Digital Media Publisher).

        2. In this service you should also, after creation of the new thing, invoke the Things[newThingName].EnableThing() and Things[newThingName].RestartThing() services to start up this new entity properly - permissions for those services are also necessary (set dynamically for the user on the newly created thing or statically on the Template).

        3. All Template permissions that are necessary.

         

        One important point to consider:

        4. Those above are only Run Time / Design Time permissions. If you also need to adjust Visibility, it becomes a more complex task.

         

        Hope it helps, let me know if you need further assistance.

        Regards,

        J.
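
The creation flow in points 1 and 2 above, sketched as a commissioning service body. This is an added example, not code from the thread or from PTC: `commissionThing`, the name pattern, the sample names and the permission list are assumptions, and the `Things`/`Resources` stand-ins are constructed so the sketch runs outside the platform.

```javascript
// ThingWorx services are server-side JavaScript where Things and Resources are
// platform globals. The recording stand-ins below are constructed for this
// example so the flow can be exercised offline; drop them inside the platform.
const calls = [];
const record = (target) => new Proxy({}, {
  get: (_, service) => (params) => { calls.push({ target, service, params }); }
});
const Resources = new Proxy({}, { get: (_, n) => record("Resources/" + String(n)) });
const Things = new Proxy({}, { get: (_, n) => record("Things/" + String(n)) });

// Run-time permissions granted to the per-device user, on its own Thing only.
// Assumption: trim this list to what the device actually uses.
const DEVICE_PERMISSIONS = ["PropertyRead", "PropertyWrite", "ServiceInvoke"];

// Hypothetical service, invoked with the commissioning account's app key.
function commissionThing(newThingName, templateName, deviceUser) {
  // The name comes from the connecting device, so validate it before use.
  // The pattern is an assumed naming convention, not a platform rule.
  if (!/^[A-Za-z0-9_.-]{1,64}$/.test(newThingName)) {
    throw new Error("rejected thing name: " + newThingName);
  }
  const start = calls.length;
  Resources["EntityServices"].CreateThing({
    name: newThingName,
    description: "Created by commissioning service",
    thingTemplateName: templateName
  });
  Things[newThingName].EnableThing();
  Things[newThingName].RestartThing();
  // Grant the device user rights on this one Thing instead of putting its
  // app key in the Administrators group.
  DEVICE_PERMISSIONS.forEach((type) => {
    Things[newThingName].AddRunTimePermission({
      principal: deviceUser, principalType: "User",
      type: type, resource: "*", allow: true
    });
  });
  // Return the platform calls made, in order, for logging or review.
  return calls.slice(start).map((c) => c.target + ":" + c.service);
}
```

The caller still needs permission to invoke this service, and visibility is handled separately, as point 4 notes.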

          • Re: Remote Thing Permissions
            pbaierl Creator

            Hi Jakub,

             

            You are correct.  The thing does not exist.  When the remote thing first connects to the server it will create its own thing and start sending up data.

             

            The idea is that we have two different levels of access. 

             

            1. A commissioning account.  If a module/remote thing connects with this account it will create the thing and assign new permissions to the remote thing.

            2. A remote thing account with a unique user/app key assigned.  This is the account/login information that the remote thing will use once it is connected to the server.

             

            Thanks,

             

            Paul

              • Re: Remote Thing Permissions
                jkaczynski-2 Creator

                Hi Paul,

                 

                Yes, that's a good idea. Have you validated my short list of permissions to be set and checked if now it's working or not? The list I suggested should be a good point to start and should be enough for the Agent to connect and create a Thing.

                 

                Regards,

                Jakub.

                  • Re: Remote Thing Permissions
                    pbaierl Creator

                    Jakub,

                     

                    I am just doing the testing now.  I will keep you posted.

                      • Re: Remote Thing Permissions
                        pbaierl Creator

                        Jakub,

                         

                        I have tried your suggestions and it seems to have helped, but still not all the way there.

                         

                        I can see that the module is connected to the server, but it is listed as unbound.

                         

                        Thanks,

                         

                        Paul

                          • Re: Remote Thing Permissions
                            jkaczynski-2 Creator

                            Paul,

                             

                            So: the EMS itself is connected, the Remote Thing is created, but the binding between Remote Thing and your EMS Thing is not established?

                            How do you specify the binding properties on the EMS side - by name of the Thing or by identifier?

                             

                            Regards,

                            J.

                              • Re: Remote Thing Permissions
                                pbaierl Creator

                                Jakub,

                                 

                                No, the thing isn't being created.  I added a few logger print statements in the thing creation service so I could see how far the thing was getting in the initialization process.  From what I can see the thing creation service has never been run/called.

                                 

                                I can look at the remote thing status in the ThingWorxMonitor and see the unbound thing.  We are binding by thing name.

                                 

                                Thanks,

                                 

                                Paul

                                  • Re: Remote Thing Permissions
                                    jkaczynski-2 Creator

                                    Paul,

                                     

                                    So, from a different perspective - how do you invoke the creation service from the EMS? I thought that you're able to invoke the service at all, but it seems that the problem lies here.

                                    The EMS itself is in the Thingworx Remote Things monitor as a connected Gateway?

                                     

                                    Regards,

                                    J.

                                      • Re: Remote Thing Permissions
                                        pbaierl Creator

                                        I am trying to determine what needs to be enabled/accessible so that my services can be called.

                                         

                                          • Re: Remote Thing Permissions
                                            jkaczynski-2 Creator

                                            Ok, now I understand the problem. I thought that you managed to connect EMS itself to the Platform and cannot create a Thing, but as far as I can see, you didn't connect the EMS yet (is my understanding correct - this 16281043324 is EMS itself?).

                                             

                                            If so, then to connect EMS as a Gateway (so - there is no EMS - thing on the Platform side), you need to use the proper config.json configuration with auto_bind setting:

                                             

                                            {
                                                "auto_bind": [
                                                    {
                                                        "name": "TestAsset1",
                                                        "gateway": true
                                                    }
                                                ],
                                                // ... other configurations
                                            }
                                            

                                             

                                            If you include the above, the EMS would auto-create a Thing on the basis of the SDKGateway template (it won't be available to be seen in the Composer, but it would be marked as connected in the Remote Thing Monitor).

                                             

                                            The above is one of the possibilities to connect to the Thingworx Platform from EMS NOT HAVING the Remote Thing created - it is called a Gateway (please refer to the Configuring Automatic Binding for WS EMS section of the Thingworx WebSocket-based EMS Developer's Guide).

                                             

                                            Then you can proceed further - invoke a service to create the Remote Thing and bind to that thing using LSR scripts.

                                             

                                            Regards,

                                            J.

                                              • Re: Remote Thing Permissions
                                                pbaierl Creator

                                                Jakub,

                                                 

                                                I am not sure if I was clear on that before.  Yes, I can get the EMS populated and posting data automatically without an issue.  Currently I have to have the app key that the remote thing uses to post data linked to the administrator group.

                                                 

                                                When I create a new user with limited permissions and link this permissions account to our remote thing then I run into the issues described above.  I am trying to determine what permissions are required to get the EMS connected to the server and posting data.  I do not want our remote things to have access to anything more than they need once they are up and running.  The administrator group has access to everything; this is why I do not want our remote things using an app key with this permissions level.

                            • Re: Remote Thing Permissions
                              supandey Collaborator

                              Paul, how are you attempting the connection from your Remote Thing to the ThingWorx server? Is it via one of the Edge SDKs or EMS? Have you checked the logs from them? As Jakub mentioned, does your remote thing connect at all after the changes in permission you have applied to the appKey?

                                • Re: Remote Thing Permissions
                                  pbaierl Creator

                                  We are using the Edge SDK.  I have checked the logs on the server side, but not on the device side.  I am the web application developer while another group is handling the SDK/remote thing development.  I am not sure how to check the logs on the remote device at this time.  I will see what I can find out when I work with them this morning.

                                   

                                  It seems like the remote thing makes a connection, it just cannot create the initial thing.  I will go and try the permissions settings that were suggested by Jakub.

                                • Re: Remote Thing Permissions
                                  ttielebein Collaborator

                                  Exactly what permissions are granted for your user? Did you see this KCS Article?

                                    • Re: Remote Thing Permissions
                                      pbaierl Creator

                                      Tori,

                                       

                                      I have removed all of the collection permissions for the users that are not in the development and administrator groups.

                                       

                                      I just read through the article.  I had not seen this before.

                                      So far, I will work on creating a list of permissions I have set up so far.

                                       

                                      Thanks,

                                       

                                      Paul