Create User Groups for Content Authorization
Make sure that the es-authorization user and es-authorization-org organization have the necessary permissions to access ThingWorx user groups. For more information, see Configure Access to ThingWorx Group Memberships.
You can create your own user groups in ThingWorx to control the content access and permissions of Vuforia Studio users.
The rules that control access to content stored with the Experience Service are defined in the access-control-rules.json, which can be found in the digest directory. This file contains a single JSON object with two properties—rules and roles.
The value of the rules property is an array of JSON objects that define the access control policies for the Experience Service instance. Each JSON object in the `rules` array has the following properties:
* `roles`: the name of a role that is being granted the permissions provided by this rule. This must be the name of a User Group that is defined in the associated ThingWorx server.
* `allows`: a list of JSON objects that define permissions that are granted to members of the role
The JSON objects that appear in the allows property have the following properties:
* `resources`: a list of resources. Resources are identified by the path. The following is a list of resources that can be access controlled:
  * /ExperienceService
  * /ExperienceService/admin/logs
  * /ExperienceService/admin/proxies
  * /ExperienceService/compliance
  * /ExperienceService/content
  * /ExperienceService/id-resolution/mappings
  * /ExperienceService/properties
  * /ExperienceService/username
* `permissions`: the list of permissions that are granted to the resources. The following permissions can be granted:

| Permission | Description |
|---|---|
| get | Grants permission to use the GET method on the resource. This allows users to view the resource. |
| post | Grants permission to use the POST method on the resource. This allows users to create new instances of the resource. |
| put | Grants permission to use the PUT method on the resource. This allows users to update the resource. |
| delete | Grants permission to use the DELETE method on the resource. This allows users to delete the resource. |
| options | Grants permission to use the OPTIONS method on the resource. This allows users to see the permissions that they have been granted for the resource. |

The following is an example JSON snippet that can be used to define an access control rule in the access-control-rules.json:
    {
      "roles": "PublishOnly",
      "allows": [
        {
          "resources": ["/ExperienceService/content/projects"],
          "permissions": ["post", "put"]
        }
      ]
    },
The value of the roles property at the very end of the access-control-rules.json file must always be set equal to an empty JSON array. Therefore, the configuration setting for the roles property should look like the following:
"roles" : []
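
A pre-deployment check for the file format described above, as an added example (not PTC's code): it verifies the top-level shape, the empty trailing `roles` array, and that every resource and permission is one the page lists, then returns the resulting grants for review. The names `lint_rules`, `valid_resource` and `SAMPLE` are hypothetical, the `Viewers` rule is constructed, and sub-paths of the listed resources are assumed valid because the page's own example uses one.

```python
import json

ROOT = "/ExperienceService"  # every resource listed on the page sits under this path
PERMISSIONS = ("get", "post", "put", "delete", "options")

def valid_resource(path):
    # Assumption: sub-paths are valid, as in the page's own example rule.
    return isinstance(path, str) and (path == ROOT or path.startswith(ROOT + "/"))

def lint_rules(text):
    """Check access-control-rules.json text; return (problems, grants)."""
    problems, grants = [], []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"], grants
    if not isinstance(doc, dict) or not isinstance(doc.get("rules"), list):
        return ["top level must be an object with a 'rules' array"], grants
    if doc.get("roles") != []:
        problems.append("top-level 'roles' must be an empty array")
    for i, rule in enumerate(doc["rules"]):
        role = rule.get("roles") if isinstance(rule, dict) else None
        if not isinstance(role, str) or not role:
            problems.append(f"rules[{i}]: 'roles' must be a user group name")
            continue
        allows = rule.get("allows")
        if not isinstance(allows, list) or not all(isinstance(a, dict) for a in allows):
            problems.append(f"rules[{i}] ({role}): 'allows' must be a list of objects")
            continue
        for allow in allows:
            res, perms = allow.get("resources", []), allow.get("permissions", [])
            bad = [r for r in res if not valid_resource(r)]
            bad += [p for p in perms if p not in PERMISSIONS]
            problems += [f"rules[{i}] ({role}): unknown value {b!r}" for b in bad]
            grants += [(role, r, p) for r in res for p in perms
                       if r not in bad and p not in bad]
    return problems, grants

# Constructed sample: the page's PublishOnly rule plus a faulty, made-up rule.
SAMPLE = """{"rules": [
  {"roles": "PublishOnly", "allows": [{
    "resources": ["/ExperienceService/content/projects"],
    "permissions": ["post", "put"]}]},
  {"roles": "Viewers", "allows": [{
    "resources": ["/Experience/content"], "permissions": ["GET", "get"]}]}],
 "roles": ["Viewers"]}"""

if __name__ == "__main__":
    found, granted = lint_rules(SAMPLE)
    print(*found, *granted, sep="\n")
```

A rule pasted with the trailing comma from the snippet above as the last element of the `rules` array is reported as invalid JSON, since strict JSON parsers reject trailing commas.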