Permissions for EMS tunneling

drichter · ‎Aug 18, 2020

Hi,

which permission I must set for a working tunneling connection?

My szenario: I have a device where EMS running on. The remote device is connected to TWX. With my admin user (in group Administators) I can established a tunneling connection with the device (for example ssh) and every works fine. Now when I try this with a normal user (no in Administators group) the connection failed immediately after the Thingworx Remote Access Client is started:

My current permissions:

Everyone has Visibility-Permissions via Visibility Instance of the Template of the device
The user has Runtime Property Read and Service Execute Permissions for the device
The user has DesignTime Read Permissions for the device
ThingworxInternalRemoteAccessProvider has Visibility Permissions for everyone
TunnelSubsystem has Visibility Permissions for Everyone
The user has Runtime Property Read and Service Execute Permissions for TunnelSubsystem
The user has DesignTime Read Permissions for the TunnelSubsystem

The log of ems (wsems_log1.log) lookes like this:

*****************
TUNNEL NOTIFICATION:
ID: 5f74895a-a5b0-4524-b078-3e270b1be686
ThingName: d_e_v_i_c_eb90f6514_1da6_4cbd_80ac_98de964f2bcc
State: STARTED
Target: 1.0.2.13:22
StartTime: 2020-08-18 11:21:30,671
EndTime: Still in Progress
Duration: 0 msec
User: Unknown
Bytes Sent: 0
Bytes Rcvd: 0
Message:
*****************

[FORCE] 2020-08-18 11:21:30,671 SDK: TUNNEL CREATED. Entity: d_e_v_i_c_eb90f6514_1da6_4cbd_80ac_98de964f2bcc, tid: 5f74895a-a5b0-4524-b078-3e270b1be686,>
[INFO ] 2020-08-18 11:21:30,768 SDK: twWs_Connect: Websocket connected!
[FORCE] 2020-08-18 11:21:30,768 SDK: TUNNEL STARTED. Entity: d_e_v_i_c_eb90f6514_1da6_4cbd_80ac_98de964f2bcc, tid: 5f74895a-a5b0-4524-b078-3e270b1be686,>
[WARN ] 2020-08-18 11:23:00,945 SDK: twWs_Receive: Websocket closed!
[AUDIT] 2020-08-18 11:23:00,981 :

*****************
TUNNEL NOTIFICATION:
ID: 5f74895a-a5b0-4524-b078-3e270b1be686
ThingName: d_e_v_i_c_eb90f6514_1da6_4cbd_80ac_98de964f2bcc
State: ENDED
Target: 1.0.2.13:22
StartTime: 2020-08-18 11:21:30,671
EndTime: 2020-08-18 11:23:00,981
Duration: 90310 msec
User: Unknown
Bytes Sent: 43
Bytes Rcvd: 0
Message: Websocket was closed
*****************

[WARN ] 2020-08-18 11:23:00,981 SDK: sendCtlFrame: Not connected

This two lines will appear in Application Log:

Unable to dispatch [ uri = /Things/tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593/Services/EnableThing/]: Unable to Invoke Service EnableThing on tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593 : Not authorized for ServiceInvoke on EnableThing in tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593

error executing APIRequest Message: Not authorized for ServiceInvoke on EnableThing in tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593, sending ERROR ResponseMessage to caller!

Its looks like he create a thing names tw-ra-client-1c90fe81-90c0-4f00-82dc-e8ce00aa4593 but has not the permissions to call EnableThing.

The other logs looks normal.

slangley · ‎Aug 19, 2020

Hi @drichter.

Based on the error you provided, we would recommend that you re-check to ensure the the permissions are set correctly. You can also consider using an appKey as referenced in this Help Center page. There is also a tutorial available in the Help Center that may be useful.

Regards.

--Sharon