Security for Remote Sessions
To run remote sessions with the devices for which they are responsible, end users need permissions and visibility to the Things and/or the Thing Templates from which the Things are derived. In addition, they need permissions and visibility to execute the remote access services available on their RemoteAccessible Things. The system administrator is responsible for setting up the security entities that require permissions and visibility, such as non-admin users, user groups, and organizations. Administrators are also responsible for executing the services that grant permissions and visibility for remote access.
The Remote Access Extension (RAE) and Axeda Compatibility Extension (ACE) provide services that automate the setting of permissions and visibility for remote access. The eMessageServices Thing provides the following services that set up the permissions and visibility:
eMessageServices.GrantRemoteAccessPermissionsGASForThing
eMessageServices.GrantRemoteAccessPermissionsGASForTemplate
In ThingWorx Composer, navigate to the Services page of the eMessageServices Thing and then run either or both of the services to grant visibility and permissions to an organization and user group:
To grant visibility and permissions to a single Thing, use the service, GrantRemoteAccessPermissionsGASForThing.
To grant visibility and permissions to a set of Things (for example, all of the same model), use the GrantRemoteAccessPermissionsGASForTemplate service.
In either case, you MUST set the following parameters for the service:
organization — Specify the name of the organization that should be granted visibility and permissions to start, end, and get remote sessions on the specified Thing or Things derived from the specified Thing Template. The ThingWorx base type of this parameter is STRING.
userGroup — Specify the name of the user group that should be granted visibility and permissions to start, end, and get remote sessions on the specified Thing or Things derived from the specified Thing Template. The ThingWorx base type of this parameter is GROUPNAME.
Specify the name of the entity to which you want to grant remote access permissions and visibility for the specified organization and user group:
thingName — For the service that grants remote access permissions to a Thing, specify the name of the Thing in ThingWorx. The base type for this parameter is THINGNAME.
templateName — For the service that grants remote access permissions to a Thing Template, specify the name of the Thing Template. The base type for this parameter is THINGTEMPLATENAME.
IMPORTANT! The Thing or Thing Template specified for the service must implement the RemoteAccessible Thing Shape. For Axeda eMessage Agents, you can specify the AxedaEMessageGatewayModel, AxedaManagedModel, or AxedaStandaloneModel Thing Templates. If you have created custom Thing Templates, you can also specify those Thing Templates. Make sure, however, that the Thing Templates implement the RemoteAccessible Thing Shape.
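To grant these permissions repeatably (for example, from a provisioning script rather than by hand in Composer), the two services can be invoked over the ThingWorx REST API. The following is an added example, not code from the ThingWorx or RAE documentation; it assumes the standard service endpoint pattern `POST {baseUrl}/Thingworx/Things/{thing}/Services/{service}` and an application key sent in the `appKey` header, and it enforces the parameter rules stated above (organization and userGroup are required, and exactly one of thingName or templateName is given).

```javascript
// Added example: build the REST request that invokes
// eMessageServices.GrantRemoteAccessPermissionsGASForThing or
// eMessageServices.GrantRemoteAccessPermissionsGASForTemplate.
// Assumptions: ThingWorx's Things/{thing}/Services/{service} endpoint
// and application-key authentication via the "appKey" header.

const SERVICE_THING = "eMessageServices";

function buildGrantRequest(baseUrl, appKey, params) {
  const { organization, userGroup, thingName, templateName } = params;

  // Both security entities must be named; the services grant to the pair.
  if (!organization || !userGroup) {
    throw new Error("organization and userGroup are required");
  }
  // The per-Thing and per-Template services are distinct: pick exactly one target.
  if (Boolean(thingName) === Boolean(templateName)) {
    throw new Error("specify exactly one of thingName or templateName");
  }

  const service = thingName
    ? "GrantRemoteAccessPermissionsGASForThing"
    : "GrantRemoteAccessPermissionsGASForTemplate";
  const body = thingName
    ? { organization, userGroup, thingName }
    : { organization, userGroup, templateName };

  return {
    method: "POST",
    url: `${baseUrl.replace(/\/$/, "")}/Thingworx/Things/${SERVICE_THING}/Services/${service}`,
    headers: {
      appKey, // placeholder key supplied by the caller; never hard-code a real one
      "Content-Type": "application/json",
      Accept: "application/json",
    },
    body: JSON.stringify(body),
  };
}

// Constructed sample values (not real entities): grant a service organization's
// remote-session group access to every Thing derived from AxedaManagedModel.
const sampleRequest = buildGrantRequest("https://thingworx.example", "APPKEY-PLACEHOLDER", {
  organization: "FieldServiceOrg",
  userGroup: "RemoteSessionUsers",
  templateName: "AxedaManagedModel",
});
console.log(sampleRequest.method, sampleRequest.url, sampleRequest.body);
```

Send the returned request with `fetch` or `curl`; the response is a standard ThingWorx service result, so a non-2xx status means the grant was not applied and should be investigated before users are told remote sessions are available.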
Security for the ThingWorx Remote Access Client (RAC)
The Remote Access Client (RAC) can be launched from a mashup that provides a user interface for managing and creating remote sessions. As of v.1.2.0 of the Remote Access Extension (RAE) and v.1.1.0 of the RAC, a temporary authentication key, called a nonce key, is generated by the RAClientLinker widget. Once the nonce key is created, a URI is constructed that includes the nonce key, the platform's public host and port, and the session ID of the newly created remote session. This URI is used to launch the Remote Access Client. The nonce key in the URI is used to establish connectivity from the Remote Access Client to the ThingWorx Platform. As soon as possible after the nonce key is either used or expires, it is removed from the platform.
The nonce key version of RAE requires v.8.5.2 or later of the ThingWorx Platform.
Platform User Permissions
As of v.1.2.0 of the Remote Access Extension (RAE) and v.1.1.0 of the Remote Access Client (RAC), the nonce key is generated by the RAClientLinker widget and associated with the user who initiates the session. That user, acting through the Remote Access Client, needs at least the following permissions for the client to start a session with the remote device:
READ on the RemoteAccessible Thing
PROPERTY READ on the RemoteAccessible Thing
SERVICE INVOKE on the session service(s) such as StartSession on the RemoteAccessible Thing