
Permissions for EMS tunneling

drichter
14-Alexandrite


Hi,

 

Which permission must I set for a working tunneling connection?

 

My scenario: I have a device that EMS is running on. The remote device is connected to TWX. With my admin user (in the Administrators group) I can establish a tunneling connection with the device (for example ssh) and everything works fine. Now when I try this with a normal user (not in the Administrators group), the connection fails immediately after the ThingWorx Remote Access Client is started:

drichter_0-1597747192829.png

My current permissions:

  • Everyone has Visibility-Permissions via Visibility Instance of the Template of the device
  • The user has Runtime Property Read and Service Execute Permissions for the device
  • The user has DesignTime Read Permissions for the device
  • ThingworxInternalRemoteAccessProvider has Visibility Permissions for everyone
  • TunnelSubsystem has Visibility Permissions for Everyone
  • The user has Runtime Property Read and Service Execute Permissions for TunnelSubsystem
  • The user has DesignTime Read Permissions for the TunnelSubsystem

The EMS log (wsems_log1.log) looks like this:

*****************
TUNNEL NOTIFICATION:
ID: 5f74895a-a5b0-4524-b078-3e270b1be686
ThingName: d_e_v_i_c_eb90f6514_1da6_4cbd_80ac_98de964f2bcc
State: STARTED
Target: 1.0.2.13:22
StartTime: 2020-08-18 11:21:30,671
EndTime: Still in Progress
Duration: 0 msec
User: Unknown
Bytes Sent: 0
Bytes Rcvd: 0
Message:
*****************

[FORCE] 2020-08-18 11:21:30,671 SDK: TUNNEL CREATED. Entity: d_e_v_i_c_eb90f6514_1da6_4cbd_80ac_98de964f2bcc, tid: 5f74895a-a5b0-4524-b078-3e270b1be686,>
[INFO ] 2020-08-18 11:21:30,768 SDK: twWs_Connect: Websocket connected!
[FORCE] 2020-08-18 11:21:30,768 SDK: TUNNEL STARTED. Entity: d_e_v_i_c_eb90f6514_1da6_4cbd_80ac_98de964f2bcc, tid: 5f74895a-a5b0-4524-b078-3e270b1be686,>
[WARN ] 2020-08-18 11:23:00,945 SDK: twWs_Receive: Websocket closed!
[AUDIT] 2020-08-18 11:23:00,981 :

*****************
TUNNEL NOTIFICATION:
ID: 5f74895a-a5b0-4524-b078-3e270b1be686
ThingName: d_e_v_i_c_eb90f6514_1da6_4cbd_80ac_98de964f2bcc
State: ENDED
Target: 1.0.2.13:22
StartTime: 2020-08-18 11:21:30,671
EndTime: 2020-08-18 11:23:00,981
Duration: 90310 msec
User: Unknown
Bytes Sent: 43
Bytes Rcvd: 0
Message: Websocket was closed
*****************

[WARN ] 2020-08-18 11:23:00,981 SDK: sendCtlFrame: Not connected

 

These two lines will appear in the Application Log:

Unable to dispatch [ uri = /Things/tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593/Services/EnableThing/]: Unable to Invoke Service EnableThing on tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593 : Not authorized for ServiceInvoke on EnableThing in tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593

 

error executing APIRequest Message: Not authorized for ServiceInvoke on EnableThing in tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593, sending ERROR ResponseMessage to caller!

 

It looks like it creates a thing named tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593 but does not have the permissions to call EnableThing.

 

The other logs look normal.

 

slangley
23-Emerald I
(To:drichter)

Hi @drichter.

 

Based on the error you provided, we would recommend that you re-check to ensure the permissions are set correctly. You can also consider using an appKey as referenced in this Help Center page. There is also a tutorial available in the Help Center that may be useful.

 

Regards.

 

--Sharon
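
As an added example (not part of either post, and not PTC code), this Python script reads the two log formats quoted in the question and reports which permission the platform refused, on which service and entity, plus which tunnels ended with nothing received. The function names are hypothetical; the sample input is copied, abridged, from the logs in the question.

```python
import re

# Sample input: lines copied (EMS block abridged) from the logs quoted in the question.
APP_LOG = (
    "Unable to dispatch [ uri = /Things/tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593/Services/EnableThing/]: "
    "Unable to Invoke Service EnableThing on tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593 : "
    "Not authorized for ServiceInvoke on EnableThing in tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593\n"
    "error executing APIRequest Message: Not authorized for ServiceInvoke on EnableThing in "
    "tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593, sending ERROR ResponseMessage to caller!\n"
)
EMS_LOG = """\
*****************
TUNNEL NOTIFICATION:
ID: 5f74895a-a5b0-4524-b078-3e270b1be686
State: ENDED
Target: 1.0.2.13:22
Duration: 90310 msec
User: Unknown
Bytes Sent: 43
Bytes Rcvd: 0
Message: Websocket was closed
*****************
"""

DENIED = re.compile(r"Not authorized for (\w+) on (\w+) in ([\w-]+)")

def denied_permissions(app_log):
    """Unique (permission, service, entity) triples that were refused, in log order."""
    return list(dict.fromkeys(m.groups() for m in DENIED.finditer(app_log)))

def tunnel_notifications(ems_log):
    """Parse every TUNNEL NOTIFICATION block into a dict of its 'Key: value' lines."""
    blocks, current = [], None
    for line in map(str.strip, ems_log.splitlines()):
        if line == "TUNNEL NOTIFICATION:":
            current = {}
        elif line.startswith("*****"):
            if current:  # the closing row of asterisks ends the block
                blocks.append(current)
            current = None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return blocks

def failed_tunnels(ems_log):
    """Ended tunnels whose notification reports 'Bytes Rcvd: 0'."""
    return [b for b in tunnel_notifications(ems_log)
            if b.get("State") == "ENDED" and b.get("Bytes Rcvd") == "0"]
```

On the sample input, `denied_permissions(APP_LOG)` returns a single triple naming `ServiceInvoke` on `EnableThing` for the `tw-ra-client-...` entity, which is the permission to re-check for the non-admin user.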
