cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

The community will undergo maintenance on October 16th at 10:00 PM PDT and will be unavailable for up to one hour.

User / Role / Permission Management Thingworx - Best Practice

kevinb_kad
5-Regular Member

User / Role / Permission Management Thingworx - Best Practice

Dear everyone,

 

we are currently making our first steps with ThingWorx as an organization. We have version 8.5.0 of ThingWorx SCP Premium including Foundation, Asset Advisor, Connectivity and Application Building. So far we created some small applications via Mashups and we use the FactoryConsole as central entry point to our system (we added all custom apps also to the FactoryConsole). 

 

We are facing massive challenges when it comes to efficient management of users, roles and permission, though. The system seems very complicated, especially when you want to change permissions for already created mashups etc, because permission settings are not inherited by a project or whatever (do I really need to change settings on each and every thing inside a project?!).

 

Basically, we only need two different user groups: one being the group of "Developers" that have access to the Composer and to everything else, except user and permissions management which is done by the Admins. The second user group we need is the group of "Viewing Users", that only have access to the FactoryConsole (NOT to the Composer) and are able to run and work with mashups / applications. In the best case, we'd also have a way of displaying only certain apps on the FactoryConsole for a certain group of users (i.e. maintenance apps for maintenance engineers), but this is actually the second step for us.

 

The question is, are there any best practices on how to implement a user structure like this efficiently? I just had the case where I added a user that should be a viewing user and it took me a lot of trial and error on the permission settings of different mashups, things and the like until I could verify that the user can use the considered mashup. However, he's also still able to access the composer (which he shouldn't be). 

 

I hope that I could make my point clear, in case you need any additional information let me know. Would be great if someone has experience on this, I assume we cannot be the first organization facing these kind of challenges with TWX.

 

Thank you very much!

 

Kevin

ACCEPTED SOLUTION

Accepted Solutions
PaiChung
22-Sapphire I
(To:kevinb_kad)

When setting up the mfg apps, I believe there is also that same capability to associate User Groups with app Function, sounds like you have access already to the how to customize mfg apps. https://www.ptc.com/en/support/article/CS295592?&language=en&posno=1&q=manufacturing%20apps&source=search

 

I also at one point created the following, I am not sure if these entities import properly but it also depends on a direct connection to the persistence provider.

https://community.ptc.com/t5/ThingWorx-Developers/Setting-Security-for-a-User-Group-Automatically/m-p/598780

 

I think the very last upload I did should work, it really is a working example not guaranteed to work for all situations but it should give you an idea of how to more easily automate setting security.

 

Additional references:

Secrity best practice: https://community.ptc.com/t5/IoT-Tech-Tips/Best-Practice-Thingworx-Permissions/m-p/557022

Scripting the system user assignment: https://community.ptc.com/t5/IoT-Tech-Tips/Assigning-the-System-User-through-Script/m-p/534541

Nice article about system user: https://community.ptc.com/t5/IoT-Tech-Tips/The-use-of-System-User/m-p/533746

Setting up security guide: https://www.ptc.com/en/support/article/CS283404?&language=en&posno=9&q=system%20user&source=search

View solution in original post

4 REPLIES 4
PaiChung
22-Sapphire I
(To:kevinb_kad)

Don't quite know the full extend, but

use User Groups

use the fact that groups can be added to groups to inherit that group's permissions

so start with a user group who is the base permissions, then create a group with additional permissions needed, add that to the base group

now add your users to those groups

 

as far as function on mashups and navigation

you can add user groups to menus to show and hide entries.

also you can logically use the GetCurrentGroups into some statement and set visible on specific widgets

kevinb_kad
5-Regular Member
(To:PaiChung)

Hi @PaiChung ,

 

thank you for your answer! In fact, I wasn't aware about the nested groups which already helps in building up a proper group organization. Also, I learned that I can add groups to menu entries.

 

Now, in the case of the PTC.FactoryConsole, unfortunately the different apps are not a menu but rather a data table (PTC.FactoryConsole.C_DataTable_8.5.0_02), do you have any idea on how I can make these visibile with regards to certain user groups?

 

And another question that I still have is about an efficient way to apply these groups to a project, a mashup, a collection of things. So let's assume we have created a nested group structure of Group A & Group B (part of Group A). I have a project that already exists with a couple of remote things, datatables, mashups and so on. How can I efficiently set that Group A can access all mashups in the project and view them while Group B also has the permission to edit all the things. Do I really need to browse through each and every thing inside the project and make the settings for visibility, runtime and design time? Or is there a way of "Bulk Applying" permissions?

 

Thanks for the support!

PaiChung
22-Sapphire I
(To:kevinb_kad)

When setting up the mfg apps, I believe there is also that same capability to associate User Groups with app Function, sounds like you have access already to the how to customize mfg apps. https://www.ptc.com/en/support/article/CS295592?&language=en&posno=1&q=manufacturing%20apps&source=search

 

I also at one point created the following, I am not sure if these entities import properly but it also depends on a direct connection to the persistence provider.

https://community.ptc.com/t5/ThingWorx-Developers/Setting-Security-for-a-User-Group-Automatically/m-p/598780

 

I think the very last upload I did should work, it really is a working example not guaranteed to work for all situations but it should give you an idea of how to more easily automate setting security.

 

Additional references:

Secrity best practice: https://community.ptc.com/t5/IoT-Tech-Tips/Best-Practice-Thingworx-Permissions/m-p/557022

Scripting the system user assignment: https://community.ptc.com/t5/IoT-Tech-Tips/Assigning-the-System-User-through-Script/m-p/534541

Nice article about system user: https://community.ptc.com/t5/IoT-Tech-Tips/The-use-of-System-User/m-p/533746

Setting up security guide: https://www.ptc.com/en/support/article/CS283404?&language=en&posno=9&q=system%20user&source=search

slangley
23-Emerald II
(To:kevinb_kad)

Hi @kevinb_kad.

 

If one of the previous responses answered your question, please mark the appropriate one as the Accepted Solution for the benefit of others in the community.

 

Regards.

 

--Sharon

Announcements


Top Tags