I have created a user and an appkey with the user reference name. I want to restrict the user from executing the service which is bound to the mashup from the mashup. The user should be able to see only the mashup, but when he tries to execute any service, it should give some kind of error.
In order to achieve this, I set restrictions on service execute in the permissions for that thing, but I am getting errors in the mashup.
@MM_9023322: When we restrict a run time permission for a particular service for a user, then while viewing the mashup, if that service is used somewhere in the mashup, that user will definitely see an error (since we have restricted the run time execution for that service). In this case, the user won't be able to execute the service from Postman as well. The point here is that security for REST should be made with object visibility and runtime/designtime permissions. Hence, I think your use case looks conflicting to me. One thing which I can suggest is that you can block external REST calls to your ThingWorx server altogether. I would also suggest that you go through the following post: https://community.ptc.com/t5/ThingWorx-Developers/Limit-REST-calls/td-p/658812