Skip to main content
14-Alexandrite
January 22, 2020
Solved

Why is it unable to access mashup after users group is removed from ComposerUsers group?

  • January 22, 2020
  • 3 replies
  • 7242 views

My Thingworx platform version is 8.4.0-b2013. I was trying to restrict access to Thingworx composer by removing users group from ComposerUsers group. But I was not able to access any mashup after that. How should I do?

Best answer by Constantine

Hello @eyli,

 

I've just tried to reproduce this issue in my 8.5.1 and managed to make it work. I removed Users from ComposerUsers group and added the following permissions:

  1. On the "Mashups" collection permissions > Design time > Read for all Users
  2. The same on the "Style Themes"
  3. Added some run-time permissions on PlatformSubsystem to allow my users to execute GetAllStateDefinitions, etc.

(obviously you might need to add more).

 

After doing that my user can see the mashups rendered correctly, but sees a "Not authorized" error when trying to access the Composer.

 

Regards,
Constantine

3 replies

17-Peridot
January 22, 2020

Hi,

 

You are trying to access mashup in runtime with the users removed from Composer users? What access rights and visibility have the mashup?

 

Thanks,

Raluca Edu

eyli14-AlexandriteAuthor
14-Alexandrite
January 22, 2020

I added full privilege to that mashup for both visibility and run time. It works if I add this user back to ComposerUsers group. Seems user must be in ComposerUsers group to access the mashup run-time.

17-Peridot
January 22, 2020

Hi,

 

For accessing only a mashup in runtime, users should not be necessarily in Composer Group. Are there any errors in Application log? And it would be helpful also to attach screenshots to see the access rights.

 

Thank you,

Raluca Edu

16-Pearl
January 23, 2020

actually it depends how user is accessing the mashup 

if user is accessing the mashup through formlogin page then i think there is no requirement for users group to be there in composerUser group . the explicit permissions (visibility, runtime) and collection permissions will come into picture here

 

And if user is trying to access the mashup by login to composer and copying the mashup url from view Mashup -then i believe users group or user been there in composerGroup comes into picture. because that url would be like /Thingworx/Runtime/index.html#master=xxxxxx&mashup=yyyyyy this format and that might have implicit access to composer

eyli14-AlexandriteAuthor
14-Alexandrite
January 24, 2020

I did tried accessing the mashup via FormLogin and met this issue.

eyli14-AlexandriteAuthor
14-Alexandrite
January 26, 2020

Does anyone has other ideas to fix this issue?

16-Pearl
January 26, 2020

hi,

 

i tried again reproducing this issue.

 

in both scenarios whether login through formlogin or by copying the url - users group or user has to be there in composerUsers group to access the mashup. removing users group or user from composerUser group don't allow user to access the mashup. ( as said earlier the url has implicit permissions to composer)

 

now even users group or user is there in composerUser group and still user is not able to access the mashup

then probably first verify if design time permissions are also provided to Mashups ( through collection ) considering the visibility and run time permissions are already there. 

eyli14-AlexandriteAuthor
14-Alexandrite
February 3, 2020

So it means the functionality to limit specifics users from accessing the design time environment does not work because it also limits the run time access which is NOT what I wanted. This should be an anomaly as the help file says it should be able to deny deign time access from users.  It means the end user can access the design time environment which the system integrator / developer doesn't want.

 

Thanks for your help.