Configure Access to ThingWorx Group Memberships
Note: The authorization application key described in this section is created automatically and is configured by the installer. These instructions are included in case you need to manually recreate that application key.
As mentioned earlier, the Experience Service leverages the user and group management capabilities of the ThingWorx server for authentication and authorization. To authorize users, the Experience Service must be able to synchronize the membership of Experience Service roles with the membership of ThingWorx user groups that are used in Experience Service access control rules.
Application Key Configuration
Note: This section does not apply if the Experience Service has been configured to use SSO.
The Experience Service uses an application key to synchronize role memberships. Use the following steps to create the necessary application key in ThingWorx.
1. Create a user named es-authorization.
2. Create an organization named es-authorization-org.
3. Add the es-authorization user to the es-authorization-org organization.
4. Configure the es-authorization user so that it has the following run time permissions, which allow the Experience Service to read the membership of ThingWorx user groups:
   - Service Execute run time permission on the User Groups collection
   - Service Execute run time permission on the Users collection
5. Configure the es-authorization-org organization so that it has the following visibility permissions, which allow it to see the ThingWorx user groups that are used in the Experience Service access control rules:
   - Visibility permission on the User Groups collection
   - Visibility permission on the Users collection
6. Create an application key and associate it with the es-authorization user. For more information, see Generate an Application Key.
Note: Be sure to set an appropriate expiration date for the application key.
7. Edit the configuration.json file located in the Experience Service installation directory and set the value of the authentication.authorization.appKey parameter equal to the value of the keyId property of the application key that was created in Step 6.
Optional Enhanced Security Configurations
The following optional configurations can be made for enhanced security.
Permission Type: Run time
Description: For more security, access can be granted to only the required services on the required users and groups.
- For each user that must be granted access to the Experience Service, grant Service Execute run time permission on that user's GetGroups service.
- For each group that is used in the definition of an Experience Service access control rule, grant Service Execute run time permission on that group's GetGroupMembers service.
Note: Be sure to grant access to the GetGroupMembers (plural) service and not the GetGroupMember (singular) service.
For more information about granting these permissions, see the “Enabling Access to Properties, Services, and Events” section in Granting User Permissions.

Permission Type: Visibility
Description: For more security, visibility can be granted to only the users and groups whose membership needs to be synchronized with the Experience Service. In this case, grant the es-authorization-org organization visibility to each user that must be granted access to the Experience Service and to each group that is used in the definition of an Experience Service access control rule.
For more information about granting these visibility permissions, see the “Granting Visibility to Users and Groups Collections” section in Granting User Permissions.
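The following script is an added example, not part of the PTC documentation or the Experience Service itself. It verifies, after the steps above have been carried out, that the application key stored in configuration.json (Step 7) can actually read the memberships the Experience Service needs: it reads authentication.authorization.appKey from the file, then calls GetGroups on each required user and GetGroupMembers on each group named in an access control rule, which are exactly the services the tightened run time permissions above grant. It assumes that configuration.json stores the parameter as nested JSON objects (with a flat "authentication.authorization.appKey" entry accepted as a fallback), that ThingWorx exposes its services on the standard REST paths /Thingworx/Users/<user>/Services/GetGroups and /Thingworx/Groups/<group>/Services/GetGroupMembers, and that HTTP 403 and 404 are the usual symptoms of a missing run time permission and a missing visibility permission respectively; all of these are assumptions of the example, so confirm them against the ThingWorx response body on your own server.

```python
"""Check that the es-authorization application key can read the ThingWorx
group memberships the Experience Service synchronizes.

Added example; not PTC code. Assumptions not taken from the documentation:
- configuration.json holds {"authentication": {"authorization": {"appKey": "..."}}};
  a flat "authentication.authorization.appKey" entry is accepted as a fallback.
- ThingWorx services are reachable at the standard REST paths
  /Thingworx/Users/<user>/Services/GetGroups and
  /Thingworx/Groups/<group>/Services/GetGroupMembers.
- 403 indicates a missing Service Execute run time permission and 404 a
  missing visibility permission (check the response body to confirm).
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

APP_KEY_PATH = ("authentication", "authorization", "appKey")


def read_app_key(config_text: str) -> str:
    """Return authentication.authorization.appKey from configuration.json text."""
    config = json.loads(config_text)
    node = config
    for part in APP_KEY_PATH:  # walk the nested objects
        if not isinstance(node, dict) or part not in node:
            node = None
            break
        node = node[part]
    if node is None:  # fallback: flat dotted key (assumption)
        node = config.get(".".join(APP_KEY_PATH))
    if not isinstance(node, str) or not node.strip():
        raise ValueError("authentication.authorization.appKey is missing or empty")
    return node.strip()


def membership_endpoints(base_url: str, users, groups):
    """Service URLs the Experience Service needs: GetGroups per user, GetGroupMembers per group."""
    base = base_url.rstrip("/")
    endpoints = []
    for user in users:
        name = urllib.parse.quote(user, safe="")
        endpoints.append(("user", user, f"{base}/Thingworx/Users/{name}/Services/GetGroups"))
    for group in groups:
        name = urllib.parse.quote(group, safe="")
        endpoints.append(("group", group, f"{base}/Thingworx/Groups/{name}/Services/GetGroupMembers"))
    return endpoints


def interpret(status: int) -> str:
    """Map an HTTP status to the permission most likely missing (assumed mapping)."""
    if status == 200:
        return "ok"
    if status == 401:
        return "app key rejected (invalid or expired)"
    if status == 403:
        return "missing Service Execute run time permission"
    if status == 404:
        return "entity not found or not visible to es-authorization-org"
    return f"unexpected HTTP {status}"


def probe(url: str, app_key: str, opener=urllib.request.urlopen) -> int:
    """POST to a ThingWorx service with the app key and return the HTTP status."""
    req = urllib.request.Request(
        url, data=b"{}", method="POST",
        headers={"appKey": app_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    try:
        with opener(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(config_text, base_url, users, groups, opener=urllib.request.urlopen):
    """Return (kind, name, verdict) for every user and group the key must be able to read."""
    key = read_app_key(config_text)
    return [(kind, name, interpret(probe(url, key, opener)))
            for kind, name, url in membership_endpoints(base_url, users, groups)]


if __name__ == "__main__":
    # usage: python check_es_appkey.py <configuration.json> <thingworx base url> user1,user2 group1,group2
    path, base, user_arg, group_arg = sys.argv[1:5]
    with open(path, encoding="utf-8") as fh:
        for kind, name, verdict in run_checks(fh.read(), base, user_arg.split(","), group_arg.split(",")):
            print(f"{kind} {name}: {verdict}")
```

Run it with the path to configuration.json, the ThingWorx base URL, and comma-separated lists of the users and groups referenced by your access control rules; a "missing Service Execute run time permission" line points at the GetGroups or GetGroupMembers grant for that entity, while a 404 verdict suggests the es-authorization-org organization has not been given visibility to it.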