I will provide simple troubleshooting techniques that will assist you in identifying potential access related issues in your Windchill system. Have you ever wondered:
- Why am I facing a NotAuthorizedException?
- Why are some Windchill objects not findable or accessible for me even I think I am having appropriate access permissions?
Let’s get started.
Understanding Domains and Access Control
Windchill system behavior is based on a context or container model. The site context represents the system as a whole, whereas an Organization is a component of the Site and Products, Libraries, Projects and Programs are part of the Organization.
Each of these contexts uses a cabinet to store data and system objects.
Cabinets are associated with Windchill objects called Domain which store policies and access rules.
The chart below illustrates the default Domain Architecture; for a more detailed description please view article CS212423 in our PTC Support Knowledge Base.
Domain structuring in conjunction with inheritance enables general policies to be applied at higher domains and more specific policies to be applied at a lower level.
When debugging Access Control you not only have to consider inherited policies from higher contexts, but also keep in mind how Windchill will evaluate Security Labels, Access Permissions on Groups and individuals as well as Ad-Hoc Permissions.
The following algorithm is generally applied:
- Security Labels:
- Windchill will always check first if a user gets cleared by Security Labels
- System Policy Rules apply in the following order:
- Group Grant is overridden by
- Group Deny is overridden by
- User Grant is overridden by
- User Deny is overridden by
- Group and User Absolute Deny
- Ad-Hoc Rules:
- Ad-Hoc access can only grant permissions
- Ad-Hoc overrides a deny rule that is set by domain policy but not an absolute deny.
If you are interested in more details, please check in the Windchill Help Center in chapter “How ACLs work:” there you will find additional examples for a better understanding.
Debugging Access Control Issues
Now that you have a clear understanding on how Windchill calculates access permissions, I will concentrate troubleshooting ACL related issue. In Technical Support, most cases that are opened by customers fall into three categories:
- Users can’t open an object or perform a specific action which results in Access Permission related error messages
- Users can’t find object in their Windchill System by Search or they are not visible to them
- Dedicated actions are not visible in the Windchill User interface for some users
We will concentrate in this post on the first category.
Troubleshooting Access Permission related error messages
Access related error messages come in many flavors. See below the most common ones that show up in the Windchill user interface or in the Method Server logs:
If you see one of these error messages, it is the time when you have to answer the question:
Is this intentional or should this user have access to the object?
To help you answer this question PTC provides you help with 3 tools:
- Manage Security functionality in the Actions menu:
Refer to Windchill Help Center chapter Manage Security for an Existing Object for additional information
- Policy Administrator on Site > Utilities > Policy Administrator or [Context] >Utilities > Policy Administrator:
For additional information please refer to article CS26785 - How to troubleshoot the message "You do not have access to this object or it does not exist" in Windchill
- Various Access loggers that help to understand how Windchill calculated the Access Permission and why this particular user was denied access:
Technical Support prepared a set of articles that explain the various loggers available and helps to understand their results:
Thanks for your attention and any questions or feedback is welcome.
