I added full privilege to that mashup for both visibility and run time. It works if I add this user back to ComposerUsers group. Seems user must be in ComposerUsers group to access the mashup run-time.

Hi,

For accessing only a mashup in runtime, users should not be necessarily in Composer Group. Are there any errors in Application log? And it would be helpful also to attach screenshots to see the access rights.

Thank you,

Raluca Edu

I added this user "tester" to an organization and gave this organization visibility to a mashup "test". I also gave this user "tester" to full privilege to mashup "test" run-time. I attached the application log screen-shot.

Hi,

Please follow the steps below with Administrator user:

• Login to Composer
• Go to System -> Resources
• Click on CollectionFunctions Resource
• Execute AddCollectionVisibilityPermission service with below parameters

1. collectionName - ThingPackages
2. principal - <Organization or Organizational Unit Name>
3. Organizational Units are declared as <Organization Name>:<Organizational Unit Name>
4. principalType - Organization / OrganizationalUnit

• For ThingWorx 8.4 and up the following must also be performed:
  • Login to Composer
  • Go to System -> Resources
  • Click on CollectionFunctions Resource
  • Execute AddCollectionRunTimePermission service with below parameters
    • collectionName - ThingPackages
    • type - ServiceInvoke
    • resource - * (all) / <Specific Property, Service or Event Name>
    • principal - <User or Group Name>
    • principalType - User / Group
    • Allow - True

Please let me know if you can access mashup after these steps.

Regards,

Raluca Edu

I ran both services as you suggested but the same application logs were generated

I did tried accessing the mashup via FormLogin and met this issue.

hi,

i tried again reproducing this issue.

in both scenarios whether login through formlogin or by copying the url - users group or user has to be there in composerUsers group to access the mashup. removing users group or user from composerUser group don't allow user to access the mashup. ( as said earlier the url has implicit permissions to composer)

now even users group or user is there in composerUser group and still user is not able to access the mashup

then probably first verify if design time permissions are also provided to Mashups ( through collection ) considering the visibility and run time permissions are already there. 

So it means the functionality to limit specifics users from accessing the design time environment does not work because it also limits the run time access which is NOT what I wanted. This should be an anomaly as the help file says it should be able to deny deign time access from users.  It means the end user can access the design time environment which the system integrator / developer doesn't want.

Thanks for your help.

NOT necessarily .

you can include users/user group in design time permissions to only view mashups 

if you deny (cross) design time permissions on create, update & delete for user/user groups and only put allow on Read -then it will allow users to only view the mashup. the mashup will not open in edit mode.

and if you put allow for all ( create, read, update & delete) then only mashup will open in edit mode.

this way you can restrict/limit users

What I wanted is the end user can not access the design time environment, the composer, but only the run-time.

even if user is able to access the composer (because users group is there in composerUser Group) but you can restrict that user from viewing the entities.

you can restrict user by denying the visibility permissions on entities through collections.

in this way even if user is able to access the composer but won't be able to view the entities and that i think solves our purpose

The question is does the visibility apply for run time or design time or both? 

generally visibility does applies for runtime . entity has to be visible to user so that it effects runtime operations. if it is not visible than runtime will also not work

design time will only come into picture when user needs to edit those entities. if requirement of user is not to edit that entity for any of the purpose like adding properties or writing services than no need for design time. 

the same user can work through that entity(like service executions /property updates and all) only through both visibility and runtime simultaneously without any need to have design time permissions.

and if user only wants entity to be visible (no runtime operations) then user can set only visibility permissions. but for runtime permissions to take place visibility is required

All right. Hopefully the feature to limit user from accessing the design time the composer could be added in next versions. Example: URL like "http:<IP>:<Port>/Thingworx/Composer/*" is dynied. URL like "http:<IP>:<Port>/Thingworx/Runtime/*" or "http:<IP>:<Port>/Thingworx/FormLogin/*" is allowed.

This does works. Thanks very much.