Security for Remote Access
To run remote sessions with the devices for which they are responsible, end users need permissions and visibility to the Things to which an administrator has applied the RemoteAccessible or GASRemoteAccessible Thing Shape. If these users create Things for your devices, they also need permissions and visibility to the Thing Templates to which either of these Thing Shapes has been applied.
The RemoteAccessible and GASRemoteAccessible Thing Shapes must be applied to any Agent Things that use the Global Access Server (GAS) for remote sessions. For Axeda agent Things, the Thing Template used to create the Thing must be one of the Axeda Thing Templates: AxedaEMessageGatewayModel Thing Template, AxedaStandaloneModel Thing Template.
In this help center, the phrase "remotely accessible devices" refers to remote devices that are represented in ThingWorx as Things to which the RemoteAccessible or GASRemoteAccessible Thing Shape has been applied.
End users also need permissions and visibility to execute the remote access services available on their remotely accessible Things. The system administrator is responsible for setting up the security entities that require permissions and visibility, such as non-admin users, user groups, and organizations. Administrators are also responsible for executing the services that grant permissions and visibility for remote access.
The Remote Access Extension (RAE) and Axeda Compatibility Extension (ACE) provide services that automate the setting of permissions and visibility for remote access. While the eMessageServices Thing provides the following services that set up the permissions and visibility, these services call their equivalents in the RAE's RemoteAccessPermissionServices Thing:
eMessageServices.GrantRemoteAccessPermissionsGASForThing
eMessageServices.GrantRemoteAccessPermissionsGASForTemplate
In ThingWorx Composer, navigate to the Services page of the eMessageServices Thing and then run either or both of the services to grant visibility and permissions to an organization and user group:
To grant visibility and permissions to a single Thing, use the GrantRemoteAccessPermissionsGASForThing service.
To grant visibility and permissions to a set of Things (for example, all of the same model derived from the same Thing Template), use the GrantRemoteAccessPermissionsGASForTemplate service.
In either case, you MUST set the following parameters for the service:
organization — Specify the name of the organization that should be granted visibility and permissions to start, end, and get remote sessions on the specified Thing or Things derived from the specified Thing Template. The ThingWorx base type of this parameter is STRING.
userGroup — Specify the name of the user group that should be granted visibility and permissions to start, end, and get remote sessions on the specified Thing or Things derived from the specified Thing Template. The ThingWorx base type of this parameter is GROUPNAME.
Specify the name of the entity to which you want to grant remote access permissions and visibility for the specified organization and user group:
thingName — For the service that grants remote access permissions to a Thing, specify the name of the Thing in ThingWorx. The base type for this parameter is THINGNAME.
templateName — For the service that grants remote access permissions to a Thing Template, specify the name of the Thing Template. The base type for this parameter is THINGTEMPLATENAME.
IMPORTANT! The Thing or Thing Template specified for these GAS-specific services must implement the GASRemoteAccessible Thing Shape. For Axeda eMessage Agents, you can specify the AxedaEMessageGatewayModel, AxedaManagedModel, or AxedaStandaloneModel Thing Templates. If you have created custom Thing Templates, you can also specify those Thing Templates. Make sure, however, that the Thing Templates implement the GASRemoteAccessible Thing Shape.
Security for the ThingWorx Remote Access Client (RAC)
The Remote Access Client (RAC) can be launched from a mashup you create using ThingWorx Composer. The mashup can provide the user interface for managing and creating remote sessions. As of v.1.2.0 of the Remote Access Extension (RAE) and v.1.1.0 of the RAC, a temporary single-use authentication key, called a nonce key, is generated by the raClientLinker widget. Once the nonce key is created, a URI is constructed that includes the nonce key, the platform's public host and port, and the session ID of the newly created remote session. This URI is used to launch the Remote Access Client. The nonce key in the URI is used to establish connectivity from the Remote Access Client to the ThingWorx Platform. As soon as possible after the nonce key is either used or expires, it is removed from the platform.
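The lifecycle described above (issue a key, place it in a launch URI, accept it once, remove it when used or expired) can be sketched as follows. This is an added example in JavaScript, not code from the Remote Access Extension or Client; the class and function names, the hashed storage, the lifetime value and the URI layout (scheme and parameter names) are assumptions.

```javascript
// Added illustration, not RAE/RAC code: a single-use, expiring launch key.
const nodeCrypto = require("crypto");

class NonceStore {
  constructor(ttlMs, now = () => Date.now()) {
    this.ttlMs = ttlMs;            // assumed lifetime; the page gives no value
    this.now = now;                // injectable clock so expiry can be tested
    this.entries = new Map();      // sha256(nonce) -> { user, sessionId, expiresAt }
  }

  static digest(nonce) {
    return nodeCrypto.createHash("sha256").update(String(nonce)).digest("hex");
  }

  // Issue a key bound to the initiating user and the newly created session.
  issue(user, sessionId) {
    const nonce = nodeCrypto.randomBytes(32).toString("hex");
    const expiresAt = this.now() + this.ttlMs;
    this.entries.set(NonceStore.digest(nonce), { user, sessionId, expiresAt });
    return nonce;
  }

  // Redeem at most once: the entry is deleted as soon as it is presented.
  redeem(nonce, sessionId) {
    const key = NonceStore.digest(nonce);
    const entry = this.entries.get(key);
    if (!entry) return { ok: false, reason: "unknown-or-used" };
    this.entries.delete(key);
    if (this.now() >= entry.expiresAt) return { ok: false, reason: "expired" };
    if (entry.sessionId !== sessionId) return { ok: false, reason: "session-mismatch" };
    return { ok: true, user: entry.user };
  }

  // Remove keys that expired without ever being presented.
  purge() {
    let removed = 0;
    for (const [key, entry] of this.entries) {
      if (this.now() >= entry.expiresAt) { this.entries.delete(key); removed++; }
    }
    return removed;
  }
}

// Hypothetical URI layout: the scheme and parameter names are placeholders.
function buildLaunchUri(host, port, sessionId, nonce) {
  const query = new URLSearchParams({ host, port: String(port), session: sessionId, nonce });
  return `rac-example://launch?${query}`;
}
```

Because the store keeps only a digest of each key, a dump of its contents does not yield a usable launch key, and a key presented with the wrong session ID is consumed rather than left available for another attempt.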
Platform User Permissions
As of v.1.2.0 of the Remote Access Extension (RAE) and v.1.1.0 of the Remote Access Client (RAC), the nonce key is generated by the raClientLinker widget and associated with the user initiating the session. The user, through the Remote Access Client, has the minimum set of security requirements necessary for the client to start a session with the remote device:
READ on the remotely accessible Thing
PROPERTY READ on the remotely accessible Thing
SERVICE INVOKE on the session service(s) such as StartSession on the remotely accessible Thing