User Groups
User groups are used to aggregate multiple users and assign permissions at the aggregate level. They are similar to the way groups are typically used in an LDAP system. Groups can also contain other groups, which allows a group to inherit the authorization scheme applied to other groups. This provides flexibility in the authorization setup.
Groups can also be managed in run time by using the resources services.
Predefined Default User Groups
ThingWorx provides predefined system object user groups. Most groups have specific permissions, as defined in the next sections.
For the groups described in the next sections to appear, an administrator must enable the Show System Objects option.
Administrators Group
The Administrators group has full visibility, run time, and design time permissions to all of ThingWorx. In addition, the group also has access to the Import/Export and Monitoring menus.
To ensure proper security, assign the appropriate user accounts to the Administrators group and remove the Administrator user from the Administrators group.
ComposerUsers Group
The ComposerUsers group is part of the Composer organization and exists as an easy way to grant users permission to work with Composer. All users in the system have access to Composer by default because the Users group is included in this group. To make ThingWorx more secure, remove the Users group from the ComposerUsers group and assign more granular permissions to the users and groups that should be able to access Composer. Users who are not in the ComposerUsers group are logged out immediately when they try to access Composer. By default, the group grants run time service invoke permissions on the following entities and their services.
For some entity types, InstanceRunTimePermissions is noted, meaning that the entities using that entity type will inherit the permissions.
• AlertFunctions: * (all services)
• BrowserGateway (InstanceRunTimePermissions): AddDynamicRemoteSubscription, RemoveDynamicRemoteSubscription
• ContentLoaderFunctions: * (all services)
• CurrentSessionInfo: * (all services)
• DashboardFunctions: GetDashboardsForCurrentUser, GetSharedOrganizationUnits, RemoveSharedOrganizationUnit, SearchAllDashboards, SearchGadgets, ShareDashboard
• EntityServices: GetClientApplicationKey
• GenericThing (InstanceRunTimePermissions): GetNamedProperties
• InfoTableFunctions: Aggregate, BetweenFilter, Clone, Combine, CreateInfoTable, CreateInfoTableFromDataShape, DeleteQuery, DeriveFields, Distinct, EQFilter, GEFilter, GTFilter, Interpolate, Intersect, LEFilter, LTFilter, LikeFilter, MissingValueFilter, NEFilter, NearFilter, Pivot, Query, RegexFilter, RenameField, SetFilter, Sort, TagFilter, TimeShift, TopN, Union, UpdateQuery
• LicensingSubsystem: GetCustomerId, GetInstanceId, GetLicenseState, GetCurrentLicenseModelType, CheckoutComposerLicense
• PlatformSubsystem: GetAllStyleDefinitions, GetAllStyleThemes, GetAllStateDefinitions, GetAspects, GetBaseTypes, GetDataConnectSettings, GetEntityCount, GetEntityUsageCount, GetLearningConnectorConfiguration, GetLicenseState, IsInternalVersion, IsEvaluationVersion
• RuntimeLocalizationFunctions: * (all services)
• ScriptServices: * (all services)
• SearchFunctions: * (all services)
• SecurityServices: * (all services)
• ThingPackages: GetHandlerDefinitions, GetHandlerDefinition
Developers Group
The Developers group does not have any default design or run time permissions.
Designers Group
The Designers group does not have any default design or run time permissions.
Importers Group
Importers can use the Importer to create or update entities in bulk. They must be authorized for each operation the import performs, with permissions assigned to their user groups (including Importers) or on a per-user basis. A failed permission check anywhere in the import process will roll back the entire import, so ensure that Importers have appropriate visibility and design-time permissions (to create or update) for the entities they will be responsible for.
Users Group
Every user entity in ThingWorx is included in the Users group. Members cannot be added to or removed from the Users group unless a user entity is created or deleted in ThingWorx. The Users group is in the ComposerUsers group by default.
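The two hardening recommendations above (take the Administrator user out of the Administrators group, and take the Users group out of ComposerUsers) can be checked against a group-membership snapshot, following nested groups the way inheritance does. This is an added example, not PTC code; the snapshot layout, the users alice, bob and carol, and the nesting of Developers in ComposerUsers are constructed assumptions.

```python
# Added example: audits a group snapshot against the page's two hardening
# recommendations. The snapshot layout is an assumption, not a ThingWorx format.
# Constructed sample: group name -> [(member_type, member_name), ...]
SAMPLE_GROUPS = {
    "Administrators": [("User", "Administrator"), ("User", "alice")],
    "ComposerUsers": [("Group", "Users"), ("Group", "Developers")],
    "Developers": [("User", "bob")],
    "Users": [("User", "Administrator"), ("User", "alice"),
              ("User", "bob"), ("User", "carol")],
}
ADMIN_USER = ("User", "Administrator")
USERS_GROUP = ("Group", "Users")


def effective_users(groups, name, seen=None):
    """Users in `name` directly or through nested groups."""
    seen = set() if seen is None else seen
    if name in seen:  # nested groups may form a cycle; expand each group once
        return set()
    seen.add(name)
    users = set()
    for kind, member in groups.get(name, []):
        if kind == "Group":
            users |= effective_users(groups, member, seen)
        else:
            users.add(member)
    return users


def audit(groups):
    """Findings for the two recommendations made on this page."""
    findings = []
    if ADMIN_USER in groups.get("Administrators", []):
        findings.append("Administrator user is in the Administrators group")
    if USERS_GROUP in groups.get("ComposerUsers", []):
        count = len(effective_users(groups, "ComposerUsers"))
        findings.append(f"Users group is in ComposerUsers ({count} users inherit it)")
    return findings


def harden(groups):
    """Copy of the snapshot with both recommendations applied."""
    fixed = {group: list(members) for group, members in groups.items()}
    fixed["Administrators"] = [m for m in fixed.get("Administrators", []) if m != ADMIN_USER]
    fixed["ComposerUsers"] = [m for m in fixed.get("ComposerUsers", []) if m != USERS_GROUP]
    return fixed


if __name__ == "__main__":
    print(audit(SAMPLE_GROUPS), sorted(effective_users(harden(SAMPLE_GROUPS), "ComposerUsers")))
```

In the sample, every user reaches ComposerUsers through the nested Users group; after the change only the explicitly nested Developers group still does.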
Security Administrators Group
A user who is in the security administrators group but not in the Administrators group has access to the three services below, but not to everything else that the Administrators group can access. The security administrators group has access to the following user services:
• AssignNewPassword — Sets a user password. This service is restricted to the security administrators group only.
• SetLanguagePreferences — Sets language preferences for any user. An exception is thrown if the user in the current security context (who is not in the security administrators group) attempts to call this service on a different user.
• GetUserPreferenceInfo — Retrieves the preferences for a user.
SolutionCentralSiteAdministrators Group
The SolutionCentralSiteAdministrators group is part of the Composer organization and exists as an easy way to grant administrative permissions for Solution Central. A user who is in this group can view notifications and read and execute services present in the SolutionCentralSubsystem. This user can also register and update registration details and deploy solutions.
SolutionCentralDevelopers Group
A user in the SolutionCentralDevelopers group, also part of the Composer organization, will be able to package and publish solutions to Solution Central.
SolutionCentralSiteAdministrators and SolutionCentralDevelopers groups are available in ThingWorx 8.5 and later.
Auditors Group
The Auditors group exists as a way to enable non-Administrator users to execute the QueryAuditHistory service at the Thing level and see the actions of all other users but only for that Thing. The users in this group have only this visibility in the search results of the query on the Thing. These users must also have permissions to view and run services on the Thing. For more information about security for the audit subsystem, refer to Security for Audit Activities.