cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can change your system assigned username to something more personal in your community settings. X

Creating minimum User permissions, associated with AppKey and used in TW SDK agent

rad1
9-Granite

Creating minimum User permissions, associated with AppKey and used in TW SDK agent

I want to create a new Application Key that will be used by TW agent SDK to send a list of Property values on an VirtualThing using updateSubscribedProperties() method as well as call a few Services on "UtilityThing" thing, like when I need to register this VirtualThing (Create a Thing based on a certain RemoteThingTemplate).

I also have a few other services on UtilityThing thing that in turn call a couple of other custom services (There can be 2-3 levels of calls in the chain). 

 

Question: Will I need to use "System" users for execute permission for these dependent services and only worry about Client visible Service.

 

Question: I need to be able to revoke "sending" permission from TW SDK agent which uses an appKey, let's say when the contract expires after 1 year if contract is not extended.

 

I want to know how to setup a new user associated with this Key with just enough rights to do above.

I also want to push some files or call services on VirtulThing from the serve.

 

Question: Do I need to call these services and/or something else?

//AddRunTimePermission
//AddVisibilityPermission

 

Queston: What I will apply these to?

 

 

1 REPLY 1
supandey
19-Tanzanite
(To:rad1)

Hi @rad1 I'll try to address some of this questions, please see below :

 


@rad1 wrote:

I want to create a new Application Key that will be used by TW agent SDK to send a list of Property values on an VirtualThing using updateSubscribedProperties() method as well as call a few Services on "UtilityThing" thing, like when I need to register this VirtualThing (Create a Thing based on a certain RemoteThingTemplate).

I also have a few other services on UtilityThing thing that in turn call a couple of other custom services (There can be 2-3 levels of calls in the chain). 

 

Question: Will I need to use "System" users for execute permission for these dependent services and only worry about Client visible Service.

 

If i understand it right just by giving System user access right and denying the visibility / execution right to the actual user I think it likely not work while the user itself won't have the write to call those service. Anyhow System user is used only to handle the basic ThingWorx service. So in your case I think you will need to grant both visibility and execution write to this user see best practice on System user here

 

Question: I need to be able to revoke "sending" permission from TW SDK agent which uses an appKey, let's say when the contract expires after 1 year if contract is not extended.

 

I want to know how to setup a new user associated with this Key with just enough rights to do above.

I also want to push some files or call services on VirtulThing from the serve.

 

It's difficult to answer without full visibility on the precise use case but generically speaking depending on the requirements i.e. whether or not user need design time & runtime permission apart from obviously visibility,  both will be needed on all the entities.

 

For the point that you'll need to disable this App key after say contract expiry, may be calling the SetExpirationDate service on the Application key e.g.

 

var params = {
	expirationDate: undefined /* DATETIME */
};

// no return
ApplicationKeys["CurlAppKey"].SetExpirationDate(params);

 

Question: Do I need to call these services and/or something else?

//AddRunTimePermission
//AddVisibilityPermission

 

Queston: What I will apply these to?

 

Services mentioned by you above would work if you are doing individual access permission mgmt. Since you'd likely have bunch of entities on which the user will need permission look for CollectionFunctions which is available under Resources in the Composer it contains services like 

 24-05-2018 16-15-56.jpg

 

When calling them individually for e.g. i have a user "M" and to grant Visibility permission on an organisation I would do something like this from a service 

 

var params = {
	principal: "MOrg" /* STRING */,
	principalType: "Organization" /* STRING */
};

// no return
Users["m"].AddVisibilityPermission(params);


 

Top Tags