Troubleshooting Access Permission related issues in PTC Windchill
I will provide simple troubleshooting techniques that will assist you in identifying potential access related issues in your Windchill system. Have you ever wondered:
Why am I facing a NotAuthorizedException?
Why are some Windchill objects not findable or accessible for me even though I think I have appropriate access permissions?
Let’s get started.
Understanding Domains and Access Control
Windchill system behavior is based on a context or container model. The Site context represents the system as a whole, whereas an Organization is a component of the Site, and Products, Libraries, Projects and Programs are part of the Organization.
Each of these contexts uses a cabinet to store data and system objects.
Cabinets are associated with Windchill objects called Domains, which store policies and access rules.
The chart below illustrates the default Domain Architecture; for a more detailed description please view article CS212423 in our PTC Support Knowledge Base.
Domain structuring in conjunction with inheritance enables general policies to be applied at higher domains and more specific policies to be applied at a lower level.
When debugging Access Control, you have to consider not only inherited policies from higher contexts but also how Windchill evaluates Security Labels, Access Permissions on groups and individuals, and Ad-Hoc Permissions.
The following algorithm is generally applied:
Windchill will always check first if a user gets cleared by Security Labels
System Policy Rules apply in the following order:
Group Grant is overridden by
Group Deny is overridden by
User Grant is overridden by
User Deny is overridden by
Group and User Absolute Deny
Ad-Hoc access can only grant permissions
Ad-Hoc overrides a deny rule that is set by domain policy but not an absolute deny.
If you are interested in more details, please check the chapter “How ACLs work” in the Windchill Help Center; there you will find additional examples for a better understanding.
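The evaluation order above, modelled as an added Python example (not PTC or Windchill code, and not part of the original post), returning the reason for each decision so a denial can be traced to the rule that caused it. Rule kinds, permission names and domain names are constructed; merging inherited rules into one list and treating "no matching rule" as denied are assumptions of this model.

```python
from dataclasses import dataclass

# Policy rule kinds from weakest to strongest, in the order the post lists them.
PRECEDENCE = ["group_grant", "group_deny", "user_grant", "user_deny", "absolute_deny"]

@dataclass(frozen=True)
class Rule:
    kind: str        # one of PRECEDENCE
    permission: str  # constructed permission name, e.g. "READ"
    source: str      # domain the rule is inherited from (constructed name)

def evaluate(permission, label_cleared, policy_rules, adhoc_grants):
    """Return (allowed, reason) for one user, one object and one permission."""
    # Step 1: security labels are checked before any policy rule.
    if not label_cleared:
        return False, "not cleared by security label"
    # Step 2: among the policy rules for this permission, the strongest kind wins.
    applicable = [r for r in policy_rules if r.permission == permission]
    winner = max(applicable, key=lambda r: PRECEDENCE.index(r.kind), default=None)
    if winner is not None and winner.kind == "absolute_deny":
        return False, f"absolute deny from {winner.source}"
    # Step 3: ad hoc access can only grant; it overrides a plain deny,
    # but never reaches this point when an absolute deny applies.
    if permission in adhoc_grants:
        return True, "ad hoc grant"
    if winner is None:
        return False, "no rule grants this permission"  # assumption: default deny
    return winner.kind.endswith("grant"), f"{winner.kind} from {winner.source}"

# Constructed sample: rules one user inherits from two domains.
RULES = [
    Rule("group_grant", "READ", "org-domain"),
    Rule("group_deny", "READ", "product-domain"),
    Rule("user_grant", "MODIFY", "org-domain"),
    Rule("absolute_deny", "DELETE", "org-domain"),
]

if __name__ == "__main__":
    for perm, adhoc in [("READ", set()), ("READ", {"READ"}), ("DELETE", {"DELETE"})]:
        print(perm, sorted(adhoc), evaluate(perm, True, RULES, adhoc))
```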
Debugging Access Control Issues
Now that you have a clear understanding of how Windchill calculates access permissions, I will concentrate on troubleshooting ACL-related issues. In Technical Support, most cases that are opened by customers fall into three categories:
Users can’t open an object or perform a specific action which results in Access Permission related error messages
Users can’t find objects in their Windchill system by Search, or the objects are not visible to them
Dedicated actions are not visible in the Windchill User interface for some users
We will concentrate in this post on the first category.
Troubleshooting Access Permission related error messages
Access related error messages come in many flavors. See below the most common ones that show up in the Windchill user interface or in the Method Server logs:
If you see one of these error messages, it is time to answer the question:
Is this intentional or should this user have access to the object?
To help you answer this question, PTC provides 3 tools:
Various Access loggers that help you understand how Windchill calculated the Access Permission and why this particular user was denied access. Technical Support prepared a set of articles that explain the various loggers available and help you understand their results:
The Hub article CS78689 - How to investigate Policy Access Control issues in Windchill
CS78878 - The differences between the various Access Control related Loggers in Windchill
CS78846 - How to interpret verbose Policy Access related log entries in Windchill
Thanks for your attention; any questions or feedback are welcome.