Could anyone point me in the right direction for the permissions required to have my remote thing access our ThingWorx Server?
Currently all of our remote things use an app key that's tied to an administrator. I am trying to remove this and reduce the remote thing permissions down to a minimum. Any assistance would be really appreciated.
We use a service to generate the thing that corresponds to the remote thing when it first connects to the server. I have granted permission to my new user to access the remote thing template as well as permissions to create new things. What else am I missing? I am not seeing any warnings or permission issues when the remote thing is attempting to connect to the ThingWorx servers, so I am not sure which piece I am missing.
Thanks in Advance.
Hello Paul Baierl,
As far as I understand, your remote thing is not created at all?
If so, please let me point out a few things that could help you in finding the missing piece:
1. Usually in this kind of mechanism there is a Thing that has a service to create a new Thing (directly invoking CreateThing on EntityServices is really not recommended). If so, you need to provide permissions to invoke this service as well as Design Time permission on the Thing Collection to Create. Of course, permission on EntityServices:CreateThing is also necessary (in this case probably for the System user; more about the System user you can find here: Digital Media Publisher).
2. In this service you should also, after creation of the new thing, invoke the Things[newThingName].EnableThing() and Things[newThingName].RestartThing() services to start up this new entity properly - permissions for those services are also necessary (set dynamically for the user on the newly created thing or statically on the Template).
3. All Template permissions that are necessary.
One important point to consider:
4. Those above are only Run Time / Design Time permissions. If you also need to adjust Visibility, it becomes a more complex task.
Hope it helps, let me know if you need further assistance.
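The creation flow from points 1 and 2 above, as an added sketch that is not part of the original reply or PTC's own code: the function name `commissionRemoteThing`, the stub platform, the sample names and the chosen permission set are assumptions; `CreateThing`, `EnableThing`, `RestartThing` and `AddRunTimePermission` are the platform services it stands in for.

```javascript
// Constructed in-memory stand-in for the platform globals so the sketch runs offline.
// On a ThingWorx server, Resources and Things are provided by the platform instead.
function makeStubPlatform() {
  const log = [];
  const Things = {};
  const Resources = {
    EntityServices: {
      CreateThing({ name, thingTemplateName }) {
        if (Things[name]) throw new Error("Thing already exists: " + name);
        log.push("CreateThing:" + name + ":" + thingTemplateName);
        Things[name] = {
          EnableThing() { log.push("EnableThing:" + name); },
          RestartThing() { log.push("RestartThing:" + name); },
          AddRunTimePermission(p) {
            log.push(["Grant", name, p.principalType, p.principal, p.type, p.resource].join(":"));
          },
        };
      },
    },
  };
  return { Resources, Things, log };
}

// Assumed minimal run-time permission set for a device user; adjust to what the device does.
const DEVICE_PERMISSIONS = ["PropertyRead", "PropertyWrite", "ServiceInvoke", "EventInvoke"];

// Hypothetical commissioning service body: create, grant, enable, restart.
function commissionRemoteThing(platform, newThingName, templateName, deviceUser) {
  const { Resources, Things } = platform;
  // Reject unexpected names: the name arrives from a device that is not yet trusted.
  if (!/^[A-Za-z0-9_.-]+$/.test(newThingName)) throw new Error("Invalid thing name");
  Resources["EntityServices"].CreateThing({
    name: newThingName,
    description: "Created by commissioning service",
    thingTemplateName: templateName,
  });
  const thing = Things[newThingName];
  // Grant only on the new Thing, and only to its own user (the "dynamic" option above).
  DEVICE_PERMISSIONS.forEach(function (type) {
    thing.AddRunTimePermission({
      principal: deviceUser, principalType: "User", resource: "*", type: type, allow: true,
    });
  });
  thing.EnableThing();
  thing.RestartThing();
  return newThingName;
}
```

On the server, the caller of such a service needs ServiceInvoke on it, and the remaining permissions listed in the reply above still apply.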
Paul, how are you attempting the connection from your Remote Thing to the ThingWorx server? Is it via one of the Edge SDKs or EMS? Have you checked the logs from them? As Jakub mentioned, does your remote thing connect at all after the changes in permission you have applied to the appKey?
You are correct. The thing does not exist. When the remote thing first connects to the server it will create its own thing and start sending up data.
The idea is that we have two different levels of access.
1. A commissioning account. If a module/remote thing connects with this account it will create the thing and assign new permissions to the remote thing.
2. A remote thing account with a unique user/app key assigned. This is the account/login information that the remote thing will use once it is connected to the server.
We are using the Edge SDK. I have checked the logs on the server side, but not on the device side. I am the web application developer while another group is handling the SDK/remote thing development. I am not sure how to check the logs on the remote device at this time. I will see what I can find out when I work with them this morning.
It seems like the remote thing makes a connection; it just cannot create the initial thing. I will go and try the permissions settings that were suggested by Jakub.
Yes, that's a good idea. Have you validated my short list of permissions to be set and checked if now it's working or not? The list I suggested should be a good point to start and should be enough for the Agent to connect and create a Thing.
I have tried your suggestions and it seems to have helped, but still not all the way there.
I can see that the module is connected to the server, but it is listed as unbound.
So: the EMS itself is connected, the Remote Thing is created, but the binding between Remote Thing and your EMS Thing is not established?
How do you specify the binding properties on EMS side - by name of the Thing or by identifier?
No, the thing isn't being created. I added a few logger print statements in the thing creation service so I could see how far the thing was getting in the initialization process. From what I can see the thing creation service has never been run/called.
I can look at the remote thing status in the ThingWorxMonitor and see the unbound thing. We are binding by thing name.