Last week, I encountered two separate instances where hard coded restrictions were developed into Windchill 10.1 roles in regards to some permissions that were previously available to provide to these roles via the Policy Administrator in ACLs in 9.1. The two examples are:
1. Guest Role - We can no longer simply provide someone with guest access if that user needs to read / download Creo data to view. The Guest role now has a hard coded restriction preventing the user from creating a workspace within the respective context. Users that already existed in a previous Windchill version that have already created workspaces within these contexts are still able to use those existing workspaces. New users provided with this access cannot create workspaces and thus encounter an error when attempting to register Creo to Windchill. A custom role has to be designed as a work-around.
2. Product Manager / Administrators - A user must be a Product Manager or an Org / Site Admin to be able to view task details within the respective context's task page. No matter what permissions are supplied to other roles / groups / users through ACLs (even full control to WTObjects at all states), only specific roles can click on the name of a task to enter the task details and view related information (Notebook, etc.).
I'm sure I will encounter more security nuances as I go, but the product idea here is simple: Remove all hard coded restrictions related to roles and allow business and system administrators the ability to structure the security according to their business needs. Make all permissions run through ACL entries. I don't think the application should be dictating how the customer functions. The application should be flexible enough to allow the customer to mold it to fit the needs of the business.
At a very minimum, warn us and document the hard coded restrictions so that customers can plan accordingly and not have to stumble across these in a Production environment. Work-arounds for these types of issues are difficult to implement and make the system much less user-friendly, which was one of the goals of the new 10.x interface, right?