Visibility in Organizations
Visibility is a form of access control. If an entity is visible to members of an organizational unit, those members have read access to the entity. The underlying, granular security model determines what specific interactions the members of that organizational unit may have with a specific asset. If a user is not granted visibility to an asset, that asset does not exist within that user's domain: the user cannot see the asset, list it, or interrogate its namespace.
In ThingWorx, it is possible to define the visibility rules to make specific Things only visible to a single organization, or to allow multiple organizations visibility to the same asset. An organization is made up of organizational units.
Default Visibility
By default, a non-administrative user is only granted visibility to entities that they have created.
Granting Visibility
To grant visibility permissions on entities for non-administrative users, create an organization or organizational unit to contain the user or users. Once the organization is created, you need to grant visibility permissions to the organization or organizational unit.
This can be accomplished at the following levels:
The collection level that applies the visibility settings to all members of the collection.
The individual entity level (for example, the VM101 vending machine).
The instance level (only applicable to Thing Templates). Instance visibility settings remain intact for any Thing derived from that Thing Template.
You can add visibility through the user interface or with REST API services (with the exception of the ThingPackages collection, as described in Granting Visibility to the ThingPackages Collection below).
When visibility to an asset is granted at the lower levels in the organization hierarchy, it is automatically granted to the higher levels. For example, if a line operator is granted visibility to their line, a supervisor for all lines in the organization hierarchy is automatically granted visibility to the assets that the subordinate operator can see.
There is one exception to the roll-up model: granting an entire organization visibility to an asset. When an entire organization is added, the organization and all its subunits are assigned visibility to that entity.
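The roll-up rule and its whole-organization exception can be modeled in a few lines. The following Python sketch is an added example, not ThingWorx code or a ThingWorx API; the class and function names, the OtherLine unit, and the user names are hypothetical, while the organization and unit names come from the walkthrough on this page.

```python
from dataclasses import dataclass, field


@dataclass
class Organization:
    name: str
    parent_of: dict = field(default_factory=dict)  # unit name -> parent unit (None = root)

    def add_unit(self, unit, parent=None):
        if parent is not None and parent not in self.parent_of:
            raise ValueError(f"unknown parent unit: {parent}")
        self.parent_of[unit] = parent

    def chain_to_root(self, unit):
        """Return the unit followed by each of its ancestors up to the root."""
        chain = []
        while unit is not None:
            chain.append(unit)
            unit = self.parent_of[unit]
        return chain


def units_with_visibility(org, grants):
    """Expand the visibility grants on one entity into the units that can see it."""
    visible = set()
    for principal in grants:
        if principal == org.name:          # entire organization: every unit is covered
            visible.update(org.parent_of)
        elif principal in org.parent_of:   # single unit: rolls up to its ancestors only
            visible.update(org.chain_to_root(principal))
    return visible


def can_see(org, memberships, grants, user, creator):
    """Non-administrative check: creators see their own entities, others need a grant."""
    if user == creator:
        return True
    return bool(units_with_visibility(org, grants) & memberships.get(user, set()))


# Constructed sample data using the names from the walkthrough on this page.
fleet = Organization("J W Power Company Fleet")
fleet.add_unit("RootLevelDefault")
fleet.add_unit("SubLevel", parent="RootLevelDefault")
fleet.add_unit("OtherLine", parent="RootLevelDefault")  # hypothetical sibling unit
members = {"supervisor": {"RootLevelDefault"}, "operator": {"SubLevel"},
           "other_operator": {"OtherLine"}}
```

Expanding each entity's grants this way during a permissions review shows which units gain visibility indirectly through roll-up. Whole-organization grants stand out because they cover every unit, including siblings that a unit-level grant would never reach.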
Granting Visibility to an Organization Unit
In the example below, a new organization is created with associated org units and users. Visibility is then applied to the org unit.
1. Create a new organization. In this example, it is named J W Power Company Fleet. Click Save.
2. Click the Organization view. The default root level name is Unit 1. Add users to this unit, as you cannot add them outside of an org unit.
3. Rename Unit 1. In this example, it is named RootLevelDefault.
4. Create a child org unit of RootLevelDefault. In this example, it is named SubLevel.
5. Assign visibility to RootLevelDefault.
If you assign visibility to the organization name, J W Power Company Fleet in this example, the entire organization gains visibility permissions (similar to a collection-level permission). The image below shows both options. The first row shows that the entire organization has visibility permission. The second row shows that the org unit has visibility permissions.
Granting Visibility to the ThingPackages Collection
You can only grant visibility to the ThingPackages collection through the REST API. There is no user interface option.
Use the AddCollectionVisibilityPermissions service from the CollectionFunctions resource. The input parameters identify the principal for which you want to grant visibility.
For example, to grant visibility to the Everyone organization, you would use the following input parameters: principal = Everyone, principalType = Organization, and collectionName = ThingPackages.
By default, only administrator users can create SQL Query and SQL command services for a Thing that implements a database Thing Template. Additional permissions must be granted on the ThingPackages collection to allow non-Administrator users to perform this function. Follow these steps to grant these permissions:
1. In Composer, go to System > Resources.
2. Select the CollectionFunctions resource.
3. Select Services.
4. Select the AddCollectionRunTimePermission service.
5. Execute the service with the following parameters:
collectionName - ThingPackages
type - ServiceInvoke
resource - * or something specific
principal - Name of User or Group
principalType - User or Group
Allow - True
Configuring Visibility for an Asset
Users and groups must be defined before organizations can be configured.
1. In the Explorer, open the Thing or entity.
2. Click Permissions.
3. Under Visibility, select the appropriate organization.
4. Click Save.
To delete an organizational unit from an organization, click the delete icon next to the unit.
To delete the visibility, select the organization, click the check box, then click Remove.
Run time and design time permission sets are also accessible at the top of the page where visibility permissions are controlled.
Configuring Instance Visibility
Instance visibility applies only to Thing Templates, and visibility set at this level is inherited by any entities that use that Thing Template.
1. In the Explorer, open the Thing Templates section.
2. Locate and select the template of interest.
3. Click Permissions in the menu bar.
4. Under Visibility click Search Organizations.
5. Click the magic picker and select the appropriate organization.
6. Click Save.