Step 9. Run the Service to Grant Permissions and Visibility to the Connector
The principle of least privilege is a common tenet of system security, stating that subjects should only be given the permissions and privileges necessary to do their job, nothing more. Applying this to the Azure IoT Hub Connector means that the user referenced by the ThingWorx application key used by the Connector should only have the visibility and permissions on ThingWorx entities necessary for it to function properly. You can run the Azure IoT Hub Connector as a non-administrator user by creating that user for the Connector and running a service to grant it the required permissions and entity visibility.
The AzureServices Thing provides the service that grants the Azure IoT Hub Connector user the visibility and permissions that it requires when communicating with a ThingWorx Platform as a non-administrator user. The services is called GrantAzureConnectorPermissions. To run this service:
1. Log in to ThingWorx Composer as an Administrator user.
2. In the Browse pane, select Things, and in the Things page, select the AzureServices Thing.
3. From the AzureServices Thing General page, click Services, and scroll down in the list of services until you find the GrantAzureConnectorPermissions service.
4. In the Execute column, click the 
icon.
icon.5. Under Inputs on the GrantAzureConnectorPermissions page, select the azureConnectorUserGroup for the User Group and the azureConnectorOrganization for the Organization.
6. Click the Execute button.
7. The services runs, displaying any results under Output.
Azure IoT Hub Connector Visibility and Permissions Requirements
The following table lists the entities and their visibility and permissions requirements that are granted by the GrantAzureConnectorPermissions service. This service applies its own permissions for Azure functionality. In addition, this service invokes the ConnectionServicesHub.GrantConnectorPermissions to apply base Connector permissions.
Entity | Visibility | Permissions |
|---|---|---|
Permissions granted by ConnectionServicesHub.GrantConnectorPermissions | ||
PlatformSubsystem subsystem | Entity | ServiceInvoke for GetExtensionPackageList |
ConnectionServicesHub Thing | Entity | ServiceInvoke for the GetMetadata service EventInvoke for the following events: • AuthenticationError • ThingNotFoundError • UserError • ClearCacheEntry • ProtocolError • EdgeError • WritePropertyError • FileNotFoundError • InternalError |
FileTransferSubsystem subsystem | Entity | None |
ThingworxPersistenceProvider Persistence Provider | Entity | ServiceInvoke for GetVisibilityPermissions |
CollectionFunctions Resource | None | EventSubscribe permission for the Things collection |
Permissions granted by AzureServices.GrantAzureConnectorPermissions in addition to the permissions granted by ConnectionServicesHub.GrantConnectorPermissions | ||
AzureServices Thing | Entity | ServiceInvoke for all services |
AzureOpcUaPropertyMapDataTable Thing | None | ServiceInvoke for all services |
InfoTableFunctions Resource | Entity | ServiceInvoke for CreateInfoTableFromDataShape |
ThingShapes Collection | Collection | Create permission Update permission Read permission |
ThingTemplates Collection | Collection | Create permission Update permission. |
Things Collection | Collection | Create permission Update permission EventSubscribe Run Time permission for the Things collection |
EntityServices Resource | Entity | ServiceInvoke for • AddShapeToThing • CreateThing • DeleteThing |
GenericThing Thing Template | None | PropertyRead instance permission PropertyWrite instance permission |
RemoteThing Thing Template | None | ServiceInvoke for • GetPropertySubscriptionss on template instances • UpdateSubscribedPropertyValues on all Things that implement the RemoteThingThing Template |
IndustrialGateway Thing Template | None | ServiceInvoke for GetIndustrialThings on template instances |
AzureIotThing Thing Template | None | ServiceInvoke for all services on template instances EventInvoke for all events on template instances |
ConnectionServicesHub Thing | Entity | ServiceInvoke for all services EventInvoke for all events Read Design Time permissions on template instances |
AzureIotHubTemplate Thing Template | Entity | ServiceInvoke for • GetConfiguration on template instances • GetConfigurationTable on template instances |
AzureBlobbStorageTemplate Thing Template | None | ServiceInvoke for GetConfigurationTable on template instances |
AzureDeviceJob Data Shape | Entity | ServiceInvoke for GetFieldDefinitions on all Things and Thing Templates that implement this data shape |
AzureStorageContainerFileRepository Thing Template | None | ServiceInvoke for GetFileInfo on template instances EventInvoke on template instances |
MetricServices Resource | Entity | ServiceInvoke for all services of the MetricServices resource |