Dynamically populate Windchill Groups

jbailey · ‎Apr 12, 2022

1. Describe your environment: What is your industry? What is your role in your organization? Describe your stakeholders.
Federal Government (Aerospace)

Systems Analyst (Strategic Planning & Implementation) Windchill & Creo

Stakeholders:

Engineering

Configuration Management

Export Control

IT Security

2. What version of Windchill are you currently running?
11.2.1.x (Currently upgrade planning for 12.0.2.x

3. Describe the problem you are trying to solve. Please include detailed documentation such as screenshots, images or video.
Need to be able to dynamically populate group membership based on AD attributes, groups or SAML assertion attributes. Currently Security Labels can control access to items based on two paradigms 1) Windchill Group Membership 2) Custom evaluator. Currently, Windchill groups must be manually managed effectively implementing discretionary access control, a tedious and time consuming effort for administrators. For a custom evaluator, we can program for WC to query an external system - but because label access is evaluated on an object by object basis, constant queries to external systems adds extreme network traffic for large folders with many labeled objects.

We need a way to use either SAML assertion attributes or LDAP attributes to dynamically populate selected groups to provide better data security. This should be enforced at either every login, or on a scheduled basis with an LDAP call, and we should be able to select which attributes or AD groups are used to determine membership.

4. What is the use case for your organization?
Automated management of access to data that is security labeled (or group mapping to context teams). This is especially true of CUI data, ITAR, EAR and Proprietary information that is either controlled contractually, or codified in law.

5. What business value would your suggestion represent for your organization?
This would extremely reduce the effort and complexity of managing access to data. Ideally, this would help us implement Mandatory Access Control based on defined attributes to ensure only the right people see the data they are supposed to.

TomU · ‎Apr 12, 2022

I've wondered if this could be done at the LDAP (AD) level with dynamic groups that are automatically populated based on multiple criteria. For example, a group membership rule that includes all users who are members of group A and group B, but not members of group C. It would be really powerful if Windchill groups could do something like this.

olivierlp · ‎Apr 13, 2022

Hello @jbailey ,
Thank you for your idea and the information provided.

jbailey · ‎Nov 07, 2022

@TomU That depends, on an extent, to how your LDAP is configured and what the backend is. I was playing around a little bit with PingFederate taking an IdP SAML assertion, and provisioning Open LDAP groups (or AD) based on the SAML assertion, and recomputing at every login.

The tech is out there - however with SAML, OpenID Connect, Oauth, & JiT Provisioning being increasingly relied upon in industry for Authentication and Authroization, PTC should be looking at how to leverage those to better process information about a user and what they can do. Bottom line, this is due to PTC to an extent relying on basic authentication with a bolted on SP (Shibboleth) to pass just the username to Apache. Like it took PTC a while to fully support other-than-basic Authentication, this will take time too. But that time is gonna be forced to come sooner than PTC will plan for, and they'll need to solve it if they want customers with complex authentication/authorization requirements to even consider to moving to things like Windchill+

Just my $.02