Re: ThingShape Instance Permission

CS_9203536 · ‎Sep 01, 2020

Hello all,

i want to have a Thing that implements a ThingTemplate and various ThingShapes with exclusive permissions, i.e. a "ProjectAdmin_ThingShape" that provides services only available to users within the "ProjectAdmin" Group, a "ProjectSupervisor_ThingShape" with services only available to members within the "ProjectSupervisor" Group etc.

When i set the permissions, users with access to the implementing thing were still able to execute any services from the implemented ThingShapes.

Is this desired behaviour or did i miss something? I need cascaded permissions, so the thing is already instantiated on another permission restriction and if i had to instantiate the things for each of the groups mentioned above, the complexity multiplies.

The access "should not" be possible on a mashup level anyways, but for security reasons i want this properly modeled with the Thingworx permissions framework.

Thanks for your help.

PaiChung · ‎Sep 01, 2020

Did you do specific 'override' permissions on the services?

From what you describe, if I have several shapes and I permit the services on a shape for a particular group and I do not 'overturn' that by setting sweeping permissions on the Template or Thing, it should function as you desire.

CS_9203536 · ‎Sep 02, 2020

Thanks for your response.

I did some more tuning, but the result remains the same. When i enable the respective groups to execute services on the ThingTemplate, the ThingShape services can be executed as well. If i deny service execution there, none of the services can be executed.

Any hints how i could realize a functionality like that? There will be more groups in the future, the design can't be static but some of the funcionality remains the same depending on the "FunctionalityGroup" membership - which i wanted to be represented within the ThingShapes. I want to avoid to add and set permissions for multiple groups every time.

PaiChung · ‎Sep 02, 2020

Are you using Override?

CS_9203536 · ‎Sep 02, 2020

No, override is disabled in the ThingShapes in question.

PaiChung · ‎Sep 02, 2020

I mean when you set the permission did you do a 'sweeping' permission set.

or did you use Override and call out each specific service to set a permission on?

CS_9203536 · ‎Sep 02, 2020

No, i did not set permissions for each service. I wanted to bulk set permissions on ThingShape Level. However, i can set permissions for each service and group at the Instance level in the end so that would be my fallback if there is no other possibility to achieve the behaviour we need.

PaiChung · ‎Sep 02, 2020

That is what you will need to do, I think it just assumes if you give to 'all' on a TS or TT it applies to the whole Thing

CS_9203536 · ‎Sep 02, 2020

Okay, thanks for your help. In that case, i probably drop the ThingShape outsourcing and group services in the template. Sad

Cheers