Step 10. Run the Service to Grant Permissions and Visibility to the Connector
The principle of least privilege is a common tenet of system security, stating that subjects should only be given the permissions and privileges necessary to do their job, nothing more. Applying this to the Azure IoT Hub Connector means that the user referenced by the ThingWorx application key used by the Connector should only have the visibility and permissions on ThingWorx entities necessary for it to function properly. You can run the Azure IoT Hub Connector as a non-administrator user by creating that user for the Connector and running a service to grant it the required permissions and entity visibility.
The AzureServices Thing provides the service that grants the Azure IoT Hub Connector user the visibility and permissions it requires when communicating with a ThingWorx Platform as a non-administrator user. The service is called GrantAzureConnectorPermissions. To run this service:
1. Log in to ThingWorx Composer as an Administrator user.
2. In the Browse pane, select Things, and in the Things page, select the AzureServices Thing.
3. In the AzureServices Thing page, click Services, and scroll down in the list of services until you find the GrantAzureConnectorPermissions service.
4. In the Execute column, click the Execute icon.
5. Under Inputs on the GrantAzureConnectorPermissions page, select the azureConnectorUserGroup for the User Group and the azureConnectorOrganization for the Organization.
6. Click the Execute button.
7. The service runs, displaying any results under Output.
8. When ready, continue to Step 11. Start the Azure IoT Hub Connector.
Azure IoT Hub Connector Visibility and Permissions Requirements
The following lists each entity together with the visibility and permissions that the GrantAzureConnectorPermissions service grants to the Connector user.
Entity: ConnectionServicesHub Thing
Visibility: Entity
Permissions:
- Service execute for all services
- EventInvoke for all events

Entity: ConnectionServicesHub Thing Template
Visibility: Entity
Permissions:
- Read Design time permission. This permission is needed for AddShapeToThing on the ConnectionServicesHub on Connector startup.

Entity: AzureServices Thing
Visibility: Entity
Permissions:
- Service execute for all services

Entity: AzureIotThing Thing Template
Visibility: Entity
Permissions:
- Service execute for all services

Entity: AzureIotHubTemplate Thing Template
Visibility: Entity
Permissions:
- Service execute for GetConfiguration. This service is used on Connector startup to get the configuration for the Azure IoT Hub.

Entity: AzureBlobStorageTemplate Thing Template
Visibility: Entity
Permissions:
- Service execute for GetConfigurationTable. This service is used on Connector startup to get the configuration for the Azure Storage Container (Blob).

Entity: AzureDeviceJob Data Shape
Visibility: Entity
Permissions:
- Service execute for GetFieldDefinitions

Entity: AzureBlobStorageTemplate Thing Template
Visibility: Entity
Permissions:
- Service execute for GetFileInfo
- EventInvoke for all events

Entity: InfoTableFunctions Resource
Visibility: Entity
Permissions:
- Service execute for CreateInfoTableFromDataShape and for AzureStorageContainerFileRepositoryTemplate.GetSupportedFileChecksumAlgorithmss

Entity: EntityServices Resource
Visibility: Entity
Permissions:
- Service execute for AddShapeToThing, which is used by the service AzureIotHubAdapterServices.ImportAzureIotThing.
- Service execute for CreateThing, which is used by the service AzureIotHubAdapterServices.CreateThing.

Entity: Things, Thing Shapes, Thing Templates
Visibility: Collection
Permissions:
- Create permission, used on imports.
- Update permission, used on Connector startup.
- EventSubscribe Run Time permission for the specified user group (Things). This permission is needed under the following conditions:
  1. The Connector is configured to run with a non-admin user application key.
  2. The Connector fires an event to the ThingWorx Platform.
  3. An event subscription was created for that event on a Thing that is not owned by the same non-admin user that fired the event.
  A user must have EventInvoke and EventSubscribe permissions on an event and its associated subscriptions in order to trigger them.

Entity: GenericThing Thing Template-based Things
Visibility: Entity
Permissions:
- PropertyRead, needed to fire events for Twin changes.
- PropertyWrite, needed to fire events for Twin changes.
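As an added example (not from the PTC documentation), the least-privilege check this list implies, written as a small Python audit: REQUIRED transcribes the entity-level service and event rows above (ThingWorx's ServiceInvoke standing in for "Service execute"; the collection-level and property rows are omitted), and GRANTED is a constructed sample of what an administrator might actually have assigned to the Connector user, not a real ThingWorx export.

```python
"""Least-privilege audit for the Azure IoT Hub Connector user (added example,
not PTC code). REQUIRED transcribes the entity-level service/event rows of the
list above ("Service execute" is ThingWorx's ServiceInvoke; '*' = all).
GRANTED is a constructed sample assignment, not a real ThingWorx export."""

REQUIRED = {
    "ConnectionServicesHub": {("ServiceInvoke", "*"), ("EventInvoke", "*")},
    "AzureServices": {("ServiceInvoke", "*")},
    "AzureIotThing": {("ServiceInvoke", "*")},
    "AzureIotHubTemplate": {("ServiceInvoke", "GetConfiguration")},
    "AzureBlobStorageTemplate": {("ServiceInvoke", "GetConfigurationTable"),
                                 ("ServiceInvoke", "GetFileInfo"),
                                 ("EventInvoke", "*")},
    "AzureDeviceJob": {("ServiceInvoke", "GetFieldDefinitions")},
    "InfoTableFunctions": {("ServiceInvoke", "CreateInfoTableFromDataShape")},
    "EntityServices": {("ServiceInvoke", "AddShapeToThing"),
                       ("ServiceInvoke", "CreateThing")},
}

# Constructed sample: one grant too broad, one missing, one entity not needed.
GRANTED = {
    "ConnectionServicesHub": {("ServiceInvoke", "*"), ("EventInvoke", "*")},
    "AzureServices": {("ServiceInvoke", "*")},
    "AzureIotThing": {("ServiceInvoke", "*")},
    "AzureIotHubTemplate": {("ServiceInvoke", "*")},             # too broad
    "AzureBlobStorageTemplate": {("ServiceInvoke", "GetFileInfo"),
                                 ("EventInvoke", "*")},          # one missing
    "AzureDeviceJob": {("ServiceInvoke", "GetFieldDefinitions")},
    "InfoTableFunctions": {("ServiceInvoke", "CreateInfoTableFromDataShape")},
    "EntityServices": {("ServiceInvoke", "AddShapeToThing"),
                       ("ServiceInvoke", "CreateThing")},
    "SecurityServices": {("ServiceInvoke", "*")},                # not needed
}


def _covered(perm, grants):
    """True if (kind, name) is satisfied by an exact grant or a '*' grant."""
    kind, name = perm
    return perm in grants or (kind, "*") in grants


def audit(required, granted):
    """Return (missing, extra) as sorted lists of (entity, kind, name).
    Missing grants break the Connector; extra grants violate least privilege."""
    missing = [(e, k, n) for e, perms in required.items() for (k, n) in perms
               if not _covered((k, n), granted.get(e, set()))]
    extra = [(e, k, n) for e, perms in granted.items() for (k, n) in perms
             if not _covered((k, n), required.get(e, set()))]
    return sorted(missing), sorted(extra)
```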