Security > User Groups
  
User Groups
User groups are convenient to aggregate a number of users and assign permissions at the aggregate level. They are similar to the way groups are typically used in an LDAP system. Groups can also contain other groups, which allows a group to inherit the authorization scheme applied to other groups. This provides a great deal of flexibility in the authorization setup.
Groups can also be managed in run time by using the Resources services.
Predefined Default User Groups
There are predefined system object user groups in ThingWorx. Most groups have specific permissions as defined below.
* 
The Show System Objects option must be enabled by an administrator for the following groups to display.
Administrators Group
The Administrators group has full visibility, run time, and design time permissions to all of ThingWorx. In addition, the group also has access to the Import/Export and Monitoring menus.
* 
To ensure proper security, assign the appropriate user accounts to the Administrators group and remove the Administrator user from the Administrators group.
ComposerUsers Group
* 
The ComposerUsers Group is available in ThingWorx 8.4+.
The ComposerUsers group is part of the Composer organization, and exists as an easy way to grant users permissions to operate Composer. By default, the group grants Run Time Service Invoke permissions on the following entities and their services. All users in the system will have access to Composer by default because the Users group is included in this group. To make ThingWorx more secure, remove the Users group from the ComposerUsers group and proceed by assigning more granular permissions for users and groups that should be able to access Composer. Users not in the ComposerUsers group will be logged out immediately upon trying to access Composer.
* 
For some entity types, InstanceRunTimePermissions is noted, meaning entities using that entity type will inherit the permissions.

AlertFunctions
* -- All services
BrowserGateway (InstanceRunTimePermissions)
AddDynamicRemoteSubscription
RemoveDynamicRemoteSubscription
ContentLoaderFunctions
* -- All services
CurrentSessionInfo
* -- All services
DashboardFunctions
GetDashboardsForCurrentUser
GetSharedOrganizationUnits
RemoveSharedOrganizationUnit
SearchAllDashboards
SearchGadgets
ShareDashboard
EntityServices
GetClientApplicationKey
GenericThing (InstanceRunTimePermissions)
GetNamedProperties
InfoTableFunctions
Aggregate
BetweenFilter
Clone
Combine
CreateInfoTable
CreateInfoTableFromDataShape
DeleteQuery
DeriveFields
Distinct
EQFilter
GEFilter
GTFilter
Interpolate
Intersect
LEFilter
LTFilter
LikeFilter
MissingValueFilter
NEFilter
NearFilter
Pivot
Query
RegexFilter
RenameField
SetFilter
Sort
TagFilter
TimeShift
TopN
Union
UpdateQuery
LicensingSubsystem
GetCustomerId
GetInstanceId
GetLicenseState
GetCurrentLicenseModelType
CheckoutComposerLicense
PlatformSubsystem
GetAllStyleDefinitions
GetAllStyleThemes
GetAllStateDefinitions
GetAspects
GetBaseTypes
GetDataConnectSettings
GetEntityCount
GetEntityUsageCount
GetLearningConnectorConfiguration
GetLicenseState
IsInternalVersion
IsEvaluationVersion
RuntimeLocalizationFunctions
* -- All services
ScriptServices
* -- All services
SearchFunctions
* -- All services
SecurityServices
* -- All services
ThingPackages
GetHandlerDefinitions
GetHandlerDefinition
Developers Group
The Developers group does not have any default design or run time permissions.
* 
In versions before 8.1.1, the Developers group has read and update design time permissions (not delete) for all entities. In these versions, when moving your model from sandbox to production, administrators should remove all Developers in the production environment and lock down the Developers group to prevent the creation of users in this group.
Designers Group
The Designers group does not have any default design or run time permissions.
Users Group
Every user entity in ThingWorx is included in the Users group. Members can not be added or removed from the Users group unless a user entity is created or deleted in ThingWorx. The Users group is in the ComposerUsers group by default.
* 
In ThingWorx versions prior to 8.4.0, the Users group had the same permissions that the ComposerUsers group has.
Security Administrators Group
A user who is in Security Administrator group, but not in the Administrators group will have access to the three services below, but not to everything else that the Administrators group can access. The Security Administrators group has access to the following user services:
AssignNewPassword: can set a user password. This service is restricted to this Security Administrator group only.
SetLanguagePreferences: can set language preferences for any user. An exception is thrown if the user in the current security context (who is not in the Security Administrator group) attempts to call this on a different user.
GetUserPreferenceInfo: retrieves the preferences for a user.