
Service Permission Error

dr1
5-Regular Member

Hello Everyone,

I just finished building a Mashup as an Admin User. Now I have created a new User that I want to be able to use the Mashup.
In order to do so, the User needs to execute the Service "GetSortedCompleteStructure" of a Thing that I defined as an Admin User.

The Visibility of the Thing is set correctly, but in the "Run Time Permission" section I have the following issues:

When adding the new User to "All Properties, Services, and Events" and allowing "Service Execute", everything works just fine.

But for now, I just want to allow one specific service to be executed, namely the service mentioned earlier.
But when selecting that service in "Property, Service, or Event Overrides" and allowing "execute" (while denying execution for all Services in the section above), I get the "not Authorized" error.

I find this quite confusing, since the option states "Service Overrides", which should override the default option of "Deny".

Also, when the user is not added for "All Properties, Services and Events" and only added for the specific Service, I get the authorization error.

Does anyone know what the problem here is?
The only way I can think of right now is to allow Execution for all Services and then deny all other services specifically (kind of a blacklist approach).

Any hints or thoughts on this are appreciated very much!

Best Regards,

Dominik


Hello Dominik,

Do not deny it for all services/properties, keep the "Use inherited" option, which is selected by default. This way it will work as you expect.

Basically, the rule of thumb that I'm applying on all my projects is not to deny anything explicitly, but to allow selectively instead. Everything is denied by default, so this approach is secure, yet simplifies code maintenance.

Finally, does your service call other services? In this case you need to ensure your user (or System user) has the access rights for those as well.

ApplicationLog and ScriptLog should give you precise information about the services that your user cannot access -- usually it's a good starting point.

/ Constantine

dr1
5-Regular Member
(To:Constantine)

Hello Constantine,

Thank you for replying to this thread as well.

I am not sure whether I followed your instructions correctly, but the following issue appears when trying to do so.

If I understand correctly, the configuration for "Run Time" should look like this: [image.png]

(Note that this is a Thing Template and the Configuration applies to "Run Time Instance")

=> like you said, everything is set to "inherit" and only the needed service is "whitelisted"

But after saving this configuration, the User Group Config for "All Properties, Services..." (where everything was set to inherit) simply disappears, so that I am left with

[image.png]

which doesn't work. Whenever I set one of these Options to something different than "inherit", it does not disappear after saving...

My guess is that the User Group has nothing to inherit from...

Anyway, do you know how to resolve this?

Thank you very much!

Best Regards,

Dominik

Hello Dominik,

It's normal that it disappears, because essentially you set all options to their default values, so ThingWorx doesn't see the reason to keep the row in the table anymore.

When you say "which doesn't work" -- what exactly do you mean? What error messages do you see in the logs? Keep in mind that you need to grant System user access to anything that this service is executing.

/ Constantine

Consider this example:

Thing A with property "pa" and service "sa", which returns the value of property pa

Thing B with service "sb", which calls A.sa

Thing C with service "sc", which calls B.sb

Mashup M, which calls service C.sc

User U, which should have access to mashup M

In this case you need to grant the following permissions:

A.pa: read for System

A.sa: execute for System

B.sb: execute for System

C.sc: execute for U

A, B, C and M must all be visible to U's organization

You can grant A, B and C permissions either on a per-thing level, or on ThingTemplate level in that "run time > instance" mode. From a practical standpoint you can grant global (not per-service / per-property) read and execute access to the System user on A, B and C. But for U it's better to grant access on the individual services / properties.

/ Constantine
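As an added illustration (not ThingWorx code and not part of the original thread), a small JavaScript model of the permission resolution described in the answer above: the entry call is checked against the invoking user, every nested service call is checked against the System user, and anything not explicitly granted is denied. The grant table and the service call graph are constructed to match the A/B/C/M example; the resolution rules are a simplification assumed from this thread, not ThingWorx's actual implementation.

```javascript
// Constructed model of the run-time permission checks discussed in the thread.
// Grants are keyed by principal and hold "thing.member:operation" strings;
// absence of a grant means "deny" (the default, per the thread).
const SYSTEM = "System";

// Grant table mirroring the A/B/C/M example: U only needs the entry service,
// System needs everything the chain touches below it.
const grants = {
  System: new Set(["A.pa:read", "A.sa:execute", "B.sb:execute"]),
  U: new Set(["C.sc:execute"]),
};

// Constructed call graph: each service lists the nested calls it performs.
const services = {
  "C.sc": [{ target: "B.sb", op: "execute" }],
  "B.sb": [{ target: "A.sa", op: "execute" }],
  "A.sa": [{ target: "A.pa", op: "read" }],
  "A.pa": [],
};

function isGranted(table, principal, target, op) {
  const set = table[principal];
  return set !== undefined && set.has(`${target}:${op}`);
}

// Walks the call chain and returns the first denial message, or null if the
// whole chain is authorized. The entry call is checked against `principal`;
// every nested call is checked against System, as the thread describes.
function checkChain(table, principal, target, op) {
  if (!isGranted(table, principal, target, op)) {
    return `Not authorized for ${op} on ${target} (principal ${principal})`;
  }
  for (const call of services[target] || []) {
    const denial = checkChain(table, SYSTEM, call.target, call.op);
    if (denial !== null) return denial;
  }
  return null;
}

// Stand-alone demo: the mashup user's call succeeds with the full table,
// while a table missing the System read grant on A.pa fails deep in the chain,
// which is the kind of message ApplicationLog/ScriptLog would point at.
console.log(checkChain(grants, "U", "C.sc", "execute"));
const missingRead = { ...grants, System: new Set(["A.sa:execute", "B.sb:execute"]) };
console.log(checkChain(missingRead, "U", "C.sc", "execute"));
```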

dr1
5-Regular Member
(To:Constantine)

Hello Constantine,

With "it doesn't work" I meant the error "Not authorized for ServiceInvoke on Service..."

I gave the System User service execute permission on Thing Collection level and now it works.

Thanks for your help!

Regards,

Dominik
