cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Have a PTC product question you need answered fast? Chances are someone has asked it before. Learn about the community search. X

Access Policy Question

pyalavarthi
1-Visitor
1-Visitor
‎Oct 28, 2011 04:47 PM
‎Oct 28, 2011 04:47 PM

Access Policy Question

I have a question regarding access policy rules on Create Privilege. I
created a FastTrackDocument subtype of Document. Users in a library have
create privileges on Document object. I want to restrict create privileges
to FastTrackDocument only to specific roles. So I denied create privileges
for all users on FastTrackDocument and gave create privileges to specific
roles on FastTrackDocument. However deny privilege is overwriting the create
privileges. Even the users in that specific role is not able to create the
FastTrackDocument. Do you know any tools that can help debugging access
control policies. Any suggestions in debugging this issue will be helpful.


Thanks,
Prathap <">http://goo.gl/LuT5>
Labels:
0 Kudos
Notify Moderator
4 REPLIES 4
AL_ANDERSON
12-Amethyst
12-Amethyst
(To:pyalavarthi)
‎Oct 28, 2011 05:02 PM
‎Oct 28, 2011 05:02 PM

At our site, we do not make the "Document" type or the "Reference
Document" type instantiable. Instead, we only let our site-specific
subtypes be instantiable. We then do not grant anyone any access
privileges on the out of the box parent types. That way we can "grant"
access to subtypes individually without having to "deny" anything.

"Deny" overrides all rules that would otherwise permit some action. So,
unless you really want to stop someone from doing something no matter what
their other privileges may be, then do not use "Deny."

We have 5 subtypes of "Document" that are instantiable.

We have 27 subtypes of "Reference Document" that are instantiable,
including one type called "Generic Document" that is intended to be a
nonspecific "Document" type.

We also set the Part to Document Association Logic preference to Yes at
the organization level to control how documents are related to parts so
that users do not have to manually pick "Described By" or "References"
links - they happen automatically based on document type.

Al




Prathap <->
10/28/2011 01:47 PM
Please respond to
Prathap <->


To
-
cc

Subject
[solutions] - Access Policy Question




Caterpillar: Confidential Green Retain Until: 11/27/2011



I have a question regarding access policy rules on Create Privilege. I
created a FastTrackDocument subtype of Document. Users in a library have
create privileges on Document object. I want to restrict create privileges
to FastTrackDocument only to specific roles. So I denied create privileges
for all users on FastTrackDocument and gave create privileges to specific
roles on FastTrackDocument. However deny privilege is overwriting the
create privileges. Even the users in that specific role is not able to
create the FastTrackDocument. Do you know any tools that can help
debugging access control policies. Any suggestions in debugging this
issue will be helpful.


Thanks,
Prathap




Site Links: View post online View mailing list online Send new post
via email Unsubscribe from this mailing list Manage your subscription

Use of this email content is governed by the terms of service at:
0 Kudos
Notify Moderator
spaul
2-Explorer
2-Explorer
(To:pyalavarthi)
‎Oct 28, 2011 06:38 PM
‎Oct 28, 2011 06:38 PM

Since you have deny and grant create access for the specific roles for
FastTrackDocument at same level, net access will be denied. You can only
override access at that level by granting access to individual users

Thanks
Sujit

0 Kudos
Notify Moderator
AL_ANDERSON
12-Amethyst
12-Amethyst
(To:pyalavarthi)
‎Oct 28, 2011 06:51 PM
‎Oct 28, 2011 06:51 PM

I actually got the preference I referred to in my last post backwards.

We did set the Part to Document Association Logic preference to Yes at the
organization level, but the effect is the opposite of what I had posted
earlier. It turns out that last year when we went from Windchill
Foundation PDM 8.0 to Windchill PDMLink 9.1, we had originally planned to
use that preference to make the system control how documents are related
to parts so that users would not have to manually pick "Described By" or
"References" links. However, after we set up all of our subtypes, during
testing our document team found that we actually needed a part to be
related to more than one version of a document, the way it had been in
Windchill Foundation PDM 8.0. As a result, we actually went live with the
preference set back to the old functionality.

Here is the details on that preference.
0 Kudos
Notify Moderator
MikeLockwood
22-Sapphire I
22-Sapphire I
(To:pyalavarthi)
‎Oct 28, 2011 06:59 PM
‎Oct 28, 2011 06:59 PM

One of the best puzzles around...
Have to diagram it - multi-dimensional tree structure (or can model as concentric circles).

Object types, User Groups, Domains (Org / Product) are all like this.
If you assign some permission to WTDocument, it applies to all sub types. In general, to make an exception, you have to remove a subset such that it stands alone - as a Private context, or a group not within a group, or an object type parallel with another object type.

[cid:image002.png@01CC958A.65C497F0]

[cid:image004.png@01CC958A.8E6D6060]

Preview file
19 KB
oledata.mso
Preview file
19 KB
0 Kudos
Notify Moderator
Announcements


Contact Community Management
Top Tags