Re: ACL Issue

RRAKOTOV · ‎Apr 19, 2024

I am using Windchill PDMLink Release 12.0 and Datecode with CPS 12.0.2.7

Rehost from production server to Qualification server in order to validate some ACL functionality
Custom Role "PartDoc Author" in production is granted to create Part
Same Custom Role "PartDoc Author" in Qualification server does not have same behavior

When click or launch "Part creation" > Error is raised.

Here are the errors that I faced
Attention : Action Unavailable

You do not have create permission for this object. Please contact your system administrator.

Hari_Vara · ‎Apr 22, 2024

Hi,

Please check the ACL for the custom Role, there may be some "Deny" permission. Check MS logs.

Rgds

Hari

RRAKOTOV · ‎Apr 22, 2024

Hi @Hari_Vara,
Thanks for your answer but we've made some check on policy administration and we do not found any "Deny" permission on "PartDoc Auhtor" Role.
See extract log from MS regarding ACL (no "Deny" permission) during Part creation process with user "rrakotov" member of this Role.

DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - => getPolicyAcl - IN: = wt.admin.AdministrativeDomain:6325995, wt.part.WTPart|1071177, INCREATION
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - <= getPolicyAcl - OUT - acl from cache: wt.admin.AdministrativeDomain:6325995, wt.part.WTPart|1071177, INCREATION
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Sharing Manager (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:70576678): [Change Permissions]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Guest_Plus (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:103050606): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Product Manager (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6325996): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Organization Administrator (ASN_Org) (wt.org.WTGroup:1061725): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Team Members (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6325997): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Supplier Administrators (ASN_Org) (wt.org.WTGroup:1061886): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Administrators (Site) (wt.org.WTGroup:15): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Guest (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6327103): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - ! Participant: Doc Author (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:90687681): [Modify, Create, Delete, Administrative, Revise, New View Version, Change Permissions, Modify Content, Change Domain, Create By Move, Change Context, Set State, Modify Identity, Modify Security Labels]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - => getPolicyAcl - IN: = wt.admin.AdministrativeDomain:1061719, wt.pdmlink.PDMLinkProduct
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - <= getPolicyAcl - OUT - acl from cache: wt.admin.AdministrativeDomain:1061719, wt.pdmlink.PDMLinkProduct
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Product Creator (ASN_Org) (wt.org.WTGroup:1061729): [Create]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: EMS - GROUP (ASN_Org) (wt.org.WTGroup:5436899): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Organization Administrator (ASN_Org) (wt.org.WTGroup:1061725): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Administrators (Site) (wt.org.WTGroup:15): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - => getPolicyAcl - IN: = wt.admin.AdministrativeDomain:6325995, wt.folder.SubFolder
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - <= getPolicyAcl - OUT - acl from cache: wt.admin.AdministrativeDomain:6325995, wt.folder.SubFolder
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Sharing Manager (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:70576678): [Change Permissions]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Guest_Plus (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:103050606): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Product Manager (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6325996): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Organization Administrator (ASN_Org) (wt.org.WTGroup:1061725): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Team Members (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6325997): [Read, Modify, Modify Security Labels]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Administrators (Site) (wt.org.WTGroup:15): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Guest (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6327103): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - => getPolicyAcl - IN: = wt.admin.AdministrativeDomain:1061709, wt.org.WTOrganization
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - <= getPolicyAcl - OUT - acl from cache: wt.admin.AdministrativeDomain:1061709, wt.org.WTOrganization
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Unrestricted Organizations (Site) (wt.org.WTGroup:250): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: All Participating Members (ASN_Org) (wt.org.WTGroup:1061754): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Unrestricted Supplier Administrators (Site) (wt.org.WTGroup:53453): [Create]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Organization Administrator (ASN_Org) (wt.org.WTGroup:1061725): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Administrators (Site) (wt.org.WTGroup:15): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: ASN_Org (Site) (wt.org.WTOrganization:1061710): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Owner (Pseudo Role): [Full Control (All)]

MikeLockwood · ‎Apr 22, 2024

Logged on as admin, from an object (e.g. a Part), select Edit Access Control. This is not to edit / change the access but to investigate. It lists all sources of permissions here, allowing selection of groups / roles / individual users.

Best tool for investigating.

RRAKOTOV · ‎Apr 23, 2024

Actions on "PartDoc Author" role are set as-expected. -->

I will continue to investigate !

cgautier · ‎May 10, 2024

Hello RRAKOTOV,

Did you check the MethodServer log when the issue occurs? Any relevant outputs?

KR,

Charles.

RRAKOTOV · ‎May 12, 2024

Hi @cgautier
nothing specific !!
I've already shared MS output when answering to @Hari_Vara.
I'll try to add a specific ACL for this role (in team members with right LC) and see if it will help to investigate.
Keep you in touch.

joe_morton · ‎Apr 22, 2024

Check also the license applied to the test user.

RRAKOTOV · ‎Apr 23, 2024

Licensing is OK

--> "PTC Windchill advanced" is not fully used

joe_morton · ‎May 13, 2024

Have you tested in multiple Products/Libraries? Have you tested with multiple test users? Is it the same in all cases? A lot of times with access the easiest way is to find a case that works and then try to determine what is different between working case and non-working case.

There can be a lot to check for an access issue (and probably more than what I can think of):

License(s) applied to the user
Profile(s) applied to the user
ACLs at the Org-level
ACLs at the Product/Library level
Role(s) that the user is in within the Product/Library
"Configure Actions for Roles" set within the Product/Library
folder-level Access Control (if set)

Also be sure to consider the type of part being created and the OIR for the part at the Org level and the Product/Library level. The ACL granting create must grant create for the type/subtype and correct state.

Also if you have any customizations, these can impact as well.