- Guide Concept
- Step 1: Examples and Strategy
- Step 2: Setup Organizations and Departments
- Step 3: Setup Users and User Groups
- Step 4: Setup Permissions
Setup methods and schemes to secure your data
Guide Concept
Securing data is often something thought of after an application is designed. It should always be the first and more important.
These concepts and steps will allow you to focus on development of your application while still allowing the ability to utilize the power of ThingWorx!
We will teach you how to design a secure environment and application from scratch
You'll learn how to
- How to design and implement organizations and organization sections
- Creating secure User Groups with specific goals
- Limit access to resources
NOTE: The estimated time to complete this guide is 30 minutes
Step 1: Examples and Strategy
If you’d like to skip ahead, download and unzip the completed example of the Aerospace and Defense learning path: AerospaceEntitiesGuide1.zip. Import the .twx files included.
In an ever-changing world, you are going to need to protect everything that is considered private. This includes your data, the data people provide you, and the resources you consider important. All of this can be done using the ThingWorx environment.
ThingWorx provides a system for security that can be configured endlessly. There is the security being handled at the server level internally and with Apache, in which you have access to. The security being handled in the ThingWorx Composer, which you can customize. Lastly, there is the security you provide at the client side for users accessing your application or system.
Let us start working on securing our system before we add extra users and workers. First, we will create and organization and organization levels within our agency to help designate access. We will create the security access to the ThingWorx Composer, which is where our data will be held for now in this learning path. We will then create access levels for internal employees, including administrators, developers, and workers based on security clearance levels.
Step 2: Setup Organizations and Departments
Creating Our Organizations
If you need a refresher on how to create security groups and permissions, take a look back at our Configure Permissions Guide. If you are ready to get started, follow the instructions below:
1. In the ThingWorx Composer, click the + New button in the top left.
2. In the dropdown list, click Organizations.
3. In the Name field, give our agency name, such as PTCDefenseDepartment.
4. Set the Project field to an existing Project (ie, PTCDefaultProject) and click Save to save your work.
5. Go to the Organization tab and you will see the beginning of our Organization.
Creating Our Departments
Let us add some departments in our Organizations. We will add a few here but add as many as you like. Just keep in mind, these departments do not need to match every department in the actual Organization. These departments will be used for access to different resources.
1. Click on the first unit and update the Name field to DefenseDepartment. Click the check mark to save your changes.
NOTE: You can add the spaces if it looks better to you. You will be using these departments throughout this learning path. You can also change these later.
2. Under our first unit (DefenseDepartment), click the green + button. Name this unit HumanResources.
3. Repeat the last step to create three more departments under our DefenseDepartment unit. Name these new units Agents, Visitors, and IT.
4. Under the Visitors unit, click the green + button to add a unit and name it Applicants.
5. Repeat the last step to add one more unit under the Visitors unit. Name this group OtherAgencies. Your setup should have the following departments.
You now have a complete start to our agency. What does that mean exactly? An Organization allows us to limit resources to only members of that overall Organization or specific unit within that Organization. You will get firsthand experience as we move further in this guide.
Let us create our Security Groups to those that will absolutely need it. This is a big decision point into how you would like to do this and there is no truly wrong answer. Will each user for this application or utility have their own User account in ThingWorx or share User accounts based on usage? Will you grant access to this application through LDAP, database verification, or a Create An Authentication Extension. The list of questions into what is supported for authentication in ThingWorx is almost endless.
Step 3: Setup Users and User Groups
Creating User Groups and Users
For simplicity and timing, we will create a User Group and User for each department (be mindful of the number of allowed Users in the ThingWorx version you are using). We will also create a super user account that will provide us with full access. Finally, we will need to create an extra User Groups for ThingWorx Composer access.
First, User Groups
1. In the ThingWorx Composer, click the + New at the top left of the screen.
2. Select User Groups in the dropdown.
3. Name the User Group Agency.ComposerAccess.
4. Set the Project field to an existing Project (ie, PTCDefaultProject) and click Save.
5. Repeat steps 1-4 to create a User Group for each department (Agency.HumanResources, Agency.Agents, Agency.Visitors, Agency.Applicants, Agency.OtherAgencies, and Agency.IT).
Now, Users
1. In the ThingWorx Composer, click the + New at the top left of the screen.
2. Select User in the dropdown.
3. Name the User User.AgencySuperUser and add a password.
4. Set the Project field to an existing Project (ie, PTCDefaultProject) and click Save.
5. Repeat steps 1-4 to create a User for each department (User.HumanResources, User.Agents, User.Visitors, User.Applicants, User.OtherAgencies, and User.IT).
Adding Members to User Groups
Assign each user to the corresponding User Group using the below instructions.
1. Open the Agency.HumanResources User Group.
2. Click on the Manager Members tab.
3. Filter and select the User you want to add in the Available Members section. In this case, User.HumanResources.
4. Click the arrow on that User’s row or drag and drop the User to the Members section.
5. Click Save.
6. Repeat steps 1-5 for each department User Group you created earlier with their corresponding User.
We should have an extra User Group (Agency.ComposerAccess) and an extra User (User.AgencySuperUser). We will utilize these Entities below. For now, only our IT department needs access to the ThingWorx Composer.
1. Open the Agency.ComposerAccess User Group.
2. Click on the Manager Members tab.
3. Filter and select the User Group you want to add in the Available Members section. In this case, Agency.IT.
4. Click the arrow on that User’s row or drag the User to the Members section.
5. Click Save.
Our super user will need top level access to everything in ThingWorx. To do this, we will add the User to the Administrators User Group.
1. On the left-hand side of the ThingWorx Composer, click Browse.
2. Click on User Groups on the left panel.
3. At the top of the screen, click the filter button near the search bar.
4. Check the checkbox for Show System Objects and click Apply.
5. Filter and select the Administrators User Group.
6. Click on the Manager Members tab.
7. Filter and select the User you want to add in the Available Members section. In this case, User.AgencySuperUser.
8. Click the arrow on that User’s row or drag the User to the Members section.
9. Click Save.
Step 4: Setup Permissions
Setting Bulk Permissions
1. On the left panel, select Permissions.
2. Click Collections on the menu that appears.
3. Select the checkbox at the top to select all available Entities then click Edit Permissions.
4. On the Visibility tab, click the + button in the Search Organizations filter.
5. Enter PTCDefenseDepartment and click the expand arrows to select the IT department. A more granular Visibility level can be set on the specific Entities when created later in this learning path.
6. Select the Design Time tab.
7. Enter Agency.ComposerAccess in the search bar and select the Agency.ComposerAccess User Group.
8. Select the check marks for Create, Read, Update, and Delete. A more expansive design for a production environment would create more Users and User Groups to have such access.
9. Set the permissions for the other groups we have created to not allow any Create, Read, Update, and Delete permissions for groups outside of Agency.ComposerAccess and Agency.IT. It should look like the below configuration.
10. Set the same permissions in the Run Time tab for the User Groups we have created.
11. Click Save.
Now, if you log into the ThingWorx Composer using any account other than our super user account or the User.IT account, you’ll see that you may be able to see Entities, but you cannot open them. You will see an unauthorized popup. If you have access to a browser with a Private or Incognito mode, use it instead of logging out of your Administrator account.
Click here to view Part 2 of this guide.
