Wanted to share this example with the developers here.
Main reason is that knowing what all to properly secure for Visibility and Permissions can be tough to keep track off.
I saw one approach where all entities were in a table and a script applied the permissions, I think that is a great approach, but I am sharing an example here that is fully automatic.
It also makes you incredibly powerful and dangerous as there are a few methods it show cases that could give you some awesome ideas!
This Utility comes with two entities a database type Thing with services and a Mashup
You need to configure the database type Thing to connect to your Persistence Provider because my code uses that to read the Mashup definition (alternate way would've been to export the mashup and read the XML but since that is asynch I didn't want to take on that challenge)
The Mashup allows you to pick a Project, a User Group and an Organization. These must be pre-created
Also of course all your entities need to be added to the Project.
This Utility basically does it all for you.
It sets a baseline visibility on things like Subsystems, Resources, Styles, States, Persistence Provider
It sets specific visibility based on Project and selected Org to each entity in the Project
It sets a baseline Permission by applying the System user to everything
It also provides Permissions on GetAllState/Style/Theme
It sets permission on GetEffectiveMenu for the User Group based on any menu in the Project
It also checks for the use of Get or Set Properties and does an all Property Read or Write permission
Finally for 8.4 it also provides Mashup design read and Theme design read
At the end it basically provides settings for the Group and Org (sorry not org Unit) all the settings required to have a User in that Group/Org securely use your application. (Don't forget to create users to add to the Group/Org)
The main challenges were to find the services and to create the security application dynamically
As mentioned I’m using a jdbc connection to read the mashup definitions directly from the table in the persistence provider
Initially, I tried doing a LoadXML directly but that didn’t work
I know it's a bit uncomfortable to perhaps do it this way, but this is for the developer on the Dev box, not for the production server!
The nice part about using the Mashups as the source for the services means that everything that I'm securing are services that are necessary for a user to see and use the mashup. And the System user covers all internally called services.
With that, this doesn't cover securing for a REST API that is called external or an AppKey user for an Agent etc. Just the use of Mashups (I haven't checked if it would work for Thingworx Dashboards either)
Another challenge was to create the service calls dynamically, in this case I’m creating them as a string and using eval() to run them.
This is a super powerful way to do the code and allows you to very dynamically create code execution, but it therefor is also very dangerous.
This was done in 8.4, but I put try catch around applying to StyleTheme so it … should run on lower versions as well.
This btw ... is completely UNSUPPORTED! But I encourage you to go under the hood, lots of hopefully helpful bits.
This isn’t so fancy that you can split out things for different groups etc, but nothing prevents you from customizing this more, providing a list of entities that is multiselect and applying specific groups to it etc.
Entities (1 JDBC connector thing with all the services and 1 mashup plus it uses the EntityList DataShape) attached
