Visibility in Organizations
Visibility is a form of access control. If an entity is visible to members of an organizational unit, those members have read access to the entity. The underlying, granular security model determines what specific interactions users who are members of that organizational unit may have with a specific asset. If a user in the system is not granted visibility, that asset essentially does not exist within that user’s domain. That user cannot see the asset, list it, or interrogate that asset’s namespace.
In ThingWorx, it is possible to define visibility rules that make specific things visible only to a single organization, or that allow multiple organizations visibility to the same asset. An organization is made up of organizational units.
Default Visibility
By default, a non-administrative user is granted visibility only to entities that they have created.
Granting Visibility
To grant visibility permissions on entities for non-administrative users, create an organization or organizational unit to contain the user or users. Once it is created, grant visibility permissions to the organization or organizational unit.
This can be accomplished at the following levels:
The collection level that applies the visibility settings to all members of the collection.
The individual entity level (for example, the VM101 vending machine).
The instance level (only applicable to Thing Templates). Instance visibility settings are inherited by any Thing that is derived from that Thing Template.
You can add visibility through the user interface or with REST API services (with the exception of the ThingPackages collection, as described below).
When visibility to an asset is granted at a lower level in the organization hierarchy, it is automatically granted to the higher levels. For example, if a line operator is granted visibility to their line, a supervisor for all lines in the organization hierarchy is automatically granted visibility to the assets that the subordinate operator can see.
There is one exception to the roll-up model: granting an entire organization visibility to an asset. When an entire organization is added, the organization and all its subunits are assigned visibility to that entity.
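The roll-up rule and its whole-organization exception can be checked during an access review with a small model. The following Python is an added example, not ThingWorx code; the hierarchy, unit names and function names are constructed for illustration.

```python
# Illustrative model of the visibility roll-up rule; not ThingWorx code.
# The hierarchy and unit names below are constructed sample data.
PARENT = {  # organizational unit -> unit directly above it (None = top unit)
    "Plant": None,
    "Supervisors": "Plant",
    "Line1Operators": "Supervisors",
    "Line2Operators": "Supervisors",
    "Maintenance": "Plant",
}

def chain_up(unit, parent=PARENT):
    """Return the unit followed by every unit above it in the hierarchy."""
    chain = []
    while unit is not None:
        if unit not in parent:
            raise KeyError(f"unknown organizational unit: {unit!r}")
        if unit in chain:
            raise ValueError(f"cycle in hierarchy at {unit!r}")
        chain.append(unit)
        unit = parent[unit]
    return chain

def explain_visibility(unit_grants, whole_org=False, parent=PARENT):
    """Map each unit that can see the asset to the reason it can.

    unit_grants: units granted visibility directly.
    whole_org:   True when the entire organization was added instead.
    """
    if whole_org:  # exception: the organization and all subunits get visibility
        return {unit: "whole-organization" for unit in parent}
    reasons = {}
    for granted in unit_grants:
        for unit in chain_up(granted, parent):  # grants roll up, never down
            reasons.setdefault(unit, "roll-up")
    for granted in unit_grants:
        reasons[granted] = "direct"
    return reasons

def can_see(user_units, unit_grants, whole_org=False, parent=PARENT):
    """True if any unit the user belongs to has visibility to the asset."""
    visible = explain_visibility(unit_grants, whole_org, parent)
    return any(unit in visible for unit in user_units)

if __name__ == "__main__":
    for unit, why in explain_visibility(["Line1Operators"]).items():
        print(f"{unit}: {why}")
```

Units reported as "roll-up" never received a direct grant, so they are the ones to look at when checking whether a grant low in the hierarchy exposes an asset more widely than intended.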
Granting Visibility to the ThingPackages Collection
You can only grant visibility to the ThingPackages collection through the REST API. There is no user interface option.
Use the AddCollectionVisibilityPermissions service from the CollectionFunctions resource. The input parameters identify the principal for which you want to grant visibility.
For example, to grant visibility to the Everyone Organization, you would use the following input parameters: principal = Everyone, principalType = Organization, and collectionName = ThingPackages.
Configuring Visibility for an Asset
Users and groups must be defined before organizations can be configured.
1. In the Explorer, open the Thing or Entity.
2. Click Permissions.
3. Under Visibility, select the appropriate organization.
4. Click Save.
To delete an organizational unit from an organization, click the delete icon next to the unit.
To delete the visibility, select the organization, click the check box, then click the Remove button.
Run time and design time permission sets are also accessible at the top of the page where Visibility permissions are controlled.
Configuring Instance Visibility
Instance visibility applies only to Thing Templates, and visibility set at this level is inherited by any entities that use that Thing Template.
1. In the Explorer, open the Thing Templates section.
2. Locate and select the template of interest.
3. Click Permissions in the menu bar.
4. Under Visibility, click Add in the Organization list box.
5. Click the magic picker and select the appropriate organization.
6. Click Save.