cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Want the oppurtunity to discuss enhancements to PTC products? Join a working group! X

User has not permission to do something.

Malior
7-Bedrock

User has not permission to do something.

Hello,

I am new at thingworx, trying to setup some things in my test instance.
I am currently figuring out how I the users should be managed.
Small chronology:
- After setting up installation, I have an admin user.
- For this, I created a appkey.
- Using the appkey I was able to tell my sensor where to send the data to.
- Data is sent to a "InstallerThing" i created, that has a service to either create a new thing or update the values.
- Everything is working fine so far.

Code of InstallerThing:

var thingName = "test_" + hardware_serial ;

if(!Things[thingName])
{
    Resources["EntityServices"].CreateThing({
            name: thingName /* STRING */,
            description: "new thing in room "+ dev_id /* STRING */,
            tags: undefined /* TAGS */,
            thingTemplateName: "MyRoomSensor" /* THINGTEMPLATENAME */
    });
    
    Things[thingName].EnableThing();
    Things[thingName].RestartThing();
}

Things[thingName].humidity = payload_fields.humidity;
Things[thingName].temperature = payload_fields.temp;
Things[thingName].pressure = payload_fields.pressure;
Things[thingName].room = dev_id;

But is was/is the appkey for Administrator, which I would assume not to be ideal to "store" this in my device.

So I created a new user, "thingsUser" and a key for this one.
But I looks as if this user can not do any thing at all.

- So I added a new orginazation and added the user
- I added the organization to the "InstallerThing" permissions (Visibility Tab)
(Still not working)
- in permissions/Run Time and Design Time
(Then it appeared in the list and I could see content - When loggin in with this user)


Then I used this appKey for my device to post data to the "InstallerThing".
But there I am getting errors.

 

If the thing is new, I am getting this:
Entity [EntityServices] does not exist
If the thing already exists, I am getting this:
Entity [myExistingEntity] does not exist.

 

I guess I got something wrong concerning user management and/or organizations.
So the question is:
- Do I need an extra user for security reason at all?
- How can a user do anything, like creating new things? I should mention here, that the new user has all checkboxes checked in User Profile settings.

- or how can the code of a service can be executed in the context of another permission?

1 ACCEPTED SOLUTION

Accepted Solutions
slangley
23-Emerald II
(To:Malior)

Hi @Malior.

 

The System user is a built-in user for executing services without having to give the logged in user explicit permissions.  Here is a screenshot showing access to the Things Collection by the System user:

 

Capture.PNG

 

Based on your scenario, you will need to provide a number of permissions to be able to perform the various functions (create, update, etc.) but there is no simple answer that would provide a solution.  You will need to rely on the log output to address each of the permissions issues as they occur.

 

We recommend going through the previous link that was provided for setting up the permissions and then working through each error as they occur.  After doing so, if you still have issues, a case would be the best approach for assisting you further.

 

Regards.

 

--Sharon

View solution in original post

4 REPLIES 4
slangley
23-Emerald II
(To:Malior)

Hi @Malior.

 

To answer your first question, yes, as a good security practice, you should create a new user that has access only to the entities required for the use case.

 

For the 2nd question re: the user profile settings, these only determine what is visible in Composer.  They have no effect on permissions.

 

For the last question, it is recommended that you wrap your services within the context of the system user which would allow the user to run the higher level service but not expose the base services for creating entities.  By doing it this way, you are controlling what is getting created vs. granting access for the creation of anything.

 

This previous community post may provide a better understanding of security.

 

Regards.

 

--Sharon

Malior
7-Bedrock
(To:slangley)

Hi Sharon,

 

thanks for the link, but this explaination lead to many more questions. In the answer: What was meant by "Give the System user all service execute on collection level" - Should a go to permissions/collections and check everything and allow it to my thingsUser?

 

Also, I don't understand how the solution of my issue would look like. I want to achive, that a thing sending data, either creates a new thing, or updates an existing. But all service that are triggered though the http POST are executed in the thingUser rights context. So even trying to make some "SensorProxy" thing that forwards the command to another thing - I wont have access.

How this is ment to be solved?

 

Regards,

 

Lionel

slangley
23-Emerald II
(To:Malior)

Hi @Malior.

 

The System user is a built-in user for executing services without having to give the logged in user explicit permissions.  Here is a screenshot showing access to the Things Collection by the System user:

 

Capture.PNG

 

Based on your scenario, you will need to provide a number of permissions to be able to perform the various functions (create, update, etc.) but there is no simple answer that would provide a solution.  You will need to rely on the log output to address each of the permissions issues as they occur.

 

We recommend going through the previous link that was provided for setting up the permissions and then working through each error as they occur.  After doing so, if you still have issues, a case would be the best approach for assisting you further.

 

Regards.

 

--Sharon

slangley
23-Emerald II
(To:slangley)

Hi @Malior.

 

If one of the previous responses answered your question, please mark the appropriate one as the Accepted Solution for the benefit of others with the same question.

 

Regards.

 

--Sharon

Top Tags