Modify ThingWorx Permissions: Users and Groups
Non-administrator users must be granted permission to access ThingWorx Navigate tasks. A lack of permission may be the problem if your users receive the following error message:
Reason: 403 - You don't have a valid license. Ask your administrator for access to the following license feature: ptc_navigate_view
To grant permission, perform the following steps:
1. Add the non-administrator user to one ThingWorx Navigate license group as per your licenses. For more information on the different license groups, see the section below, License Groups. After you have identified the appropriate license group, add the user to that group using the instructions in Populate User Groups.
2. Add the non-administrator user to the ThingWorx Navigate role groups for the tasks that the user needs to access. For information on creating role groups, see the section below, Create a New Role Group.
3. Set the access and visibility of the role groups using the common tailoring page. For more information on tailoring permissions, see the section below, Tailor Roles and Custom User Groups.
4. When ThingWorx Navigate is configured with Single Sign-on, disable user modification. This is necessary to prevent PingFederate from removing users from groups after login:
a. In ThingWorx Composer, click Browse. Under Security, click Authenticators, and then select ThingworxSSOAuthenticator.
b. Click Configuration, and then clear the User Modification Enabled check box.
c. Click Save.
Note: If the User Modification Enabled check box is selected, then user accounts in ThingWorx can be modified. This allows accounts to be updated during login events after the initial login (when the user is created), so that the ThingWorx user data stays synchronized with the user account data in the identity provider. For more information, see Single Sign-on Authenticator.
5. Log in with the non-administrator credentials to verify that the users get access and visibility only to the tasks their specific role group provides.
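The membership rules this page relies on (one license group per user, exactly one tailoring role, and the PLMAppsRolesTag on every role group) can also be checked offline before the login test in step 5. The following is an added example, not PTC code; the export layout and all user and role group names are assumptions constructed for illustration, and only the license group names and the tag name come from this page.

```python
# Added example: offline audit of group membership against the rules on this page.
# The export layout (group name -> tags, members) is an assumption, not a ThingWorx format.
LICENSE_GROUPS = {
    "navigate_view_named_group", "navigate_view_concurrent_group",
    "navigate_contribute_named_group", "navigate_contribute_concurrent_group",
    "navigate_view_designated_computer_group",
    "navigate_contribute_designated_computer_group",
}
ROLE_TAG = "PLMAppsRolesTag"  # tag that makes a group appear as a tailoring role

def audit(groups, users):
    """Return {user: [finding, ...]} for every user that breaks a rule."""
    findings = {}
    for user in sorted(users):
        member_of = {g for g, info in groups.items() if user in info["members"]}
        licenses = sorted(member_of & LICENSE_GROUPS)
        # Only groups carrying the tag count as tailoring roles.
        roles = sorted(g for g in member_of - LICENSE_GROUPS
                       if ROLE_TAG in groups[g]["tags"])
        issues = []
        if not licenses:
            issues.append("no license group")
        elif len(licenses) > 1:  # e.g. view plus contribute: more access than intended
            issues.append("multiple license groups: " + ", ".join(licenses))
        if not roles:
            issues.append("no tailoring role")
        elif len(roles) > 1:
            issues.append("multiple tailoring roles: " + ", ".join(roles))
        if issues:
            findings[user] = issues
    return findings

# Constructed sample data; user names and role group names are made up.
SAMPLE_GROUPS = {
    "navigate_view_named_group": {"tags": [], "members": ["alice", "carol"]},
    "navigate_contribute_named_group": {"tags": [], "members": ["carol"]},
    "Manufacturing": {"tags": [ROLE_TAG], "members": ["alice", "bob"]},
    "Purchasing": {"tags": [ROLE_TAG], "members": ["carol", "dave"]},
    "QualityReview": {"tags": [], "members": ["dave", "erin"]},  # tag missing
}
SAMPLE_USERS = ["alice", "bob", "carol", "dave", "erin"]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_GROUPS, SAMPLE_USERS).items():
        print(f"{user}: {'; '.join(issues)}")
```

In the sample data, erin belongs only to a group without the tag, so the audit reports her as having no tailoring role as well as no license group.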
Licensing
This section provides information on the available license groups, licensing basis, and license types in ThingWorx Navigate.
License Groups 
In ThingWorx Navigate licensing, the following groups are available:
navigate_view_named_group
navigate_view_concurrent_group
navigate_contribute_named_group
navigate_contribute_concurrent_group
In navigate_view_named_group and navigate_contribute_named_group, the number of users is defined in the license.
In navigate_view_concurrent_group and navigate_contribute_concurrent_group, the license is limited by a time frame. An active user holds a license for a 24-hour period.
Beginning with ThingWorx Navigate 9.3.4, the following license groups have been introduced:
navigate_view_designated_computer_group
navigate_contribute_designated_computer_group
These license groups are intended for users who access ThingWorx Navigate from a shared terminal, workstation, kiosk, or device, due to the absence of a dedicated IT login.
Licensing Basis 
The licensing basis for the available ThingWorx Navigate licenses is described below:
| Licensing Basis | Definition | Associated License Group |
| --- | --- | --- |
| Registered User (RU) | For "Registered User", the product may only be used by individual, named registered users on a password basis. You may add and/or substitute from time to time new Registered Users as long as the aggregate number of Registered Users does not exceed at any point in time the number of licenses in effect at such time for that particular product. | navigate_view_named_group, navigate_contribute_named_group |
| Active Daily User (ADU) | For "Active Daily User", the product is licensed on the basis of the number of unique users who access a ThingWorx Navigate application at any time during a 24 hour calendar day. For example, if a user accesses a ThingWorx Navigate application thrice on a Monday and twice on the following Friday, then the user is counted as an active user for Monday and Friday only. The 24 hour period is defined using the time zone set for the connected ThingWorx server. | navigate_view_concurrent_group, navigate_contribute_concurrent_group |
| Designated Computer (DC) | For "Designated Computer", the product is licensed to operate solely on the designated computer on which it is installed. It is not permitted to move Designated Computer licenses from one computer to another by means of installing such products on an external, portable, or removable device or through other means. The product name contains the words 'fixed', 'locked', or 'node-locked'. | navigate_view_designated_computer_group, navigate_contribute_designated_computer_group |
Detailed definitions and descriptions of the various licenses offered by PTC are available in the PTC Software Products Licensing Basis guide.
License Types 
| License Type | Description | Associated License Group |
| --- | --- | --- |
| ThingWorx Navigate View | Allows a user to access tasks in the PART TASKS COLLECTION, DOCUMENT TASKS COLLECTION (View apps), and OTHER TASKS COLLECTION. Entitles a user to directly log into the Windchill application with view privileges. | navigate_view_named_group, navigate_view_concurrent_group, navigate_view_designated_computer_group |
| ThingWorx Navigate Contribute | Allows a user to access tasks in PART TASKS COLLECTION, DOCUMENT TASKS COLLECTION, CHANGE MANAGEMENT TASKS COLLECTION (View and Contribute apps), and OTHER TASKS COLLECTION. Entitles a user to directly log into the Windchill application with view and contribute privileges. | navigate_contribute_named_group, navigate_contribute_concurrent_group, navigate_contribute_designated_computer_group |
| ThingWorx Connected PLM View | Entitles a user to use ThingWorx Composer and ThingWorx Mashup Builder to create custom apps and connect to PTC and third party enterprise systems to only view information in the connected systems. | N/A |
| ThingWorx Connected PLM | Entitles a user to use ThingWorx Composer and ThingWorx Mashup Builder to create custom apps and connect to PTC and third party enterprise systems to both view as well as to create and update information in the connected systems. | N/A |
Tailor Roles and Custom User Groups
The user groups in ThingWorx Navigate let you expose different tasks to users of different roles. The groups also make it possible for you to tailor ThingWorx Navigate by role. User groups appear in the Select role to tailor list on the collection tailoring pages and the task-specific tailoring pages.
Each user must be assigned to only one tailoring role to see any ThingWorx Navigate tasks on the landing page. This can be one of the two default tailoring roles that come with ThingWorx Navigate, Manufacturing and Purchasing, or one of the custom user groups that your site provides.
Note: If you delete a group without reassigning the users in that group, they can no longer see any tasks on the landing page.
Create a New Role Group 
For new groups to appear as roles on tailoring pages, edit each group to add the following tag: PLMAppsRolesTag under AccessAppTags.
Note: If the PLMAppsRolesTag tag is removed from any group, the role does not appear on the collection tailoring pages and the task-specific tailoring pages.
Populate User Groups 
You can change or add users in the user groups.
1. In ThingWorx Composer, click Browse. Under Security, click User Groups, and then select the user group you want to edit.
2. Click Edit and modify the groups in these ways:
Drag users from the Available Members list to the Members list.
Remove users.
3. Click Save.
Remove User Groups 
If a group is no longer relevant as a ThingWorx Navigate role, complete the following steps:
1. Remove the group from the members of the ThingWorx Navigate Organization.
2. In ThingWorx Navigate, use the options on the collection tailoring pages to hide all tasks from the group.
3. In ThingWorx Composer, remove the PLMAppsRolesTag tag from the group.
Note: If the PLMAppsRolesTag tag is removed from any group before you hide the tasks on the collection tailoring pages, the tasks remain visible to the users of the group.