Configuring Visibility and Permissions for ThingWorx Entities
In ThingWorx, there are three types of permissions:
• Design time—These permissions define which user groups and users have access to create, read, update, and delete entities.
• Run time—These permissions define which user groups and users can access data, execute services, and trigger events on a Thing (this includes Things such as data tables, streams, and users). You can set run time permissions at the Thing, Thing Template, or entity collection level. Abstract entities, Thing Shapes, Data Shapes, and user groups in the model do not have run time permissions.
• Visibility—These permissions define which organization and organizational units have access to view an entity. If the members of an organization or organizational units do not have visibility access, they are not able to view the entity in the entity list or search results.
It is recommended that you manage the permissions for your solution as you build it. Implementing permissions at the end is very difficult.
Note that security checks deny an operation by default: if no specific permission is granted to a user, that operation is denied.
Avoid assigning unnecessary permissions to a group, as it might expose your solution to unwarranted risks. You can use the override functionality to deny permissions on services that are available on the ThingWorx Platform.
Recommended Workflow While Defining Visibility and Permissions for Entities
When you define visibility and permissions for entities such as Things, mashups, and so on, the recommended workflow is:
1. Assign visibility for entities based on organization or organizational units.
2. Assign permissions for entities based on user groups or users.
Use the following best practices while defining visibility and permissions:
• Run time Instance Permission for User Groups for All Things
Use run time instance permission to assign permissions to user groups for all Things that implement a specific Thing Template, rather than assigning permission to each Thing individually.
• Import User Groups and Users Before Other Types of Entities
Collection-level permissions may not be written to the solution as expected if the corresponding user groups or users do not exist on the target server before you import From ThingWorx Storage. To ensure that the permissions import properly, first create the user groups and users in ThingWorx. Export the user groups and users from the system as an export file in binary or XML format. Then import them into the same or a new system, and finally import the rest of your model.
• Import and Export of Collection-Level Permissions
Collection-level permissions for Things, Thing Templates, Logs, and so on, are exported or imported only when you export or import From ThingWorx Storage. If you import or export From File, only entity-level permissions are carried across; collection-level permissions are not.
• Reset the Default Administrator Password
Warning: It is critical to reset the Administrator password after your first login. If you do not change the default password, it can allow the system to be compromised in the future.