Thing Presence Reporting Strategy Things: Security Setup
Security is of the utmost importance. Ensure your ThingWorx users are configured with the minimum required visibility, design time, and run time permissions. Also, ensure that any services that the platform executes automatically run in a user context with the minimum required permissions.
RunAsUser Configuration for Strategy Things
Reporting strategies have a configuration field, RunAsUser, that sets the user whose permissions the strategy uses to take platform actions. By default, the value for this configuration is a built-in user that has no permissions at all.
If a custom ReportingStrategy requires further access to the platform, such as property values of a Thing, the RunAsUser configuration must be changed. For security, only Administrators can modify this setting. The user specified for RunAsUser needs the visibility and read permissions that your Strategy Thing requires.
Troubleshooting RunAsUser Configuration
An invalid or insufficiently privileged RunAsUser prevents your device from ever being marked as reporting (isReporting set to true). Log messages appear in the Application Log after any failed reporting evaluation, including failures due to a nonexistent RunAsUser or a security exception during the attempt to call your Strategy's ReportingAlgorithm. To test the evaluation, invoke EvaluateReporting directly on your device Thing and monitor the logs for messages. Note that the evaluation sets isReporting to false if it was previously set to true and the evaluation determines that the device is not connected normally.
Service Security Summary
Device Thing
The entry point to trigger Reporting evaluations. Used by timers, WebSocket binds, and other custom events that could impact the device connection status.
This service passes its parameters through to the ReportingAlgorithm. Using this service is the recommended way to pass information into your ReportingAlgorithm.
This service invokes ReportingStrategy.ReportingAlgorithm.
Device Thing
Updates the Strategy property on a device to the THINGNAME of the strategy that the device will use to determine presence.
Strategy Thing
Evaluates a Thing to determine presence. Executes in the user context of the Strategy's RunAsUser configuration to prevent unauthorized access.
It is recommended that you pass as much information as possible into the ReportingAlgorithm as arguments (to EvaluateReporting) rather than accessing ThingWorx entities from inside this service.
This method can be overridden.
ThingWorx Events and EvaluateReporting
In some instances, it may be desirable to execute the EvaluateReporting service as a result of a ThingWorx event. For example, you may want to run the service when a timer first fires. Keep in mind that ThingWorx events execute in the context of the user who triggers the event. As a result, that user must have the appropriate permissions to execute the EvaluateReporting service as well as the subsequent call to ReportingStrategy.ReportingAlgorithm.