
Access control question - hard or soft deny

davehaigh

When our system was first put together by PTC, the guy created a lot of hard deny permissions at the org domain.
In our products we have a folder for ProE CAD objects, that folder has its own domain permissions.

At the org level he denied modify for released objects.
In the CAD domain he granted modify for all release levels, depending on the org level deny to keep users from modifying released objects.

I come along years later and am trying to fix some permissions that are preventing users from moving files. Not seeing any reason to keep all these deny permissions at the org level, I removed them. After all, if the permission isn't granted, they don't have it.

The easy fix would be to just go back to the org level and restore the deny permission. But I kind of wanted to get away from an explicit deny.

Any suggestions?

David Haigh
Phone: 925-424-3931
Fax: 925-423-7496
Lawrence Livermore National Lab
7000 East Ave, L-362
Livermore, CA 94550

2 REPLIES

Absolutely - avoid Deny if at all possible; use only as an exception.

I got so confused (and fed up) with all the permissions that I literally spent a whole week (a year ago) on a test system doing the following:

- OTB install (9.1)

- Created a product and library from each OTB product / library template; recorded all the ACLs in each, then removed every single one

- Created a few test users

- Added the test users to the Product / Library Team

- One by one, added back each ACL and observed the effect on all the Actions available to the users (including Read access to Data)

Conclusions

- This is one of the world's best puzzles, worthy of an international challenge (and good T-shirts for those who participate)

- Watch out a lot for "Team Members" which is different from "Members"

- Watch out for all the ACLs that come along with a product / library created from the OTB templates; create your own templates and carefully manage them

- Put all possible ACLs at Org level and remove from product / library where they are common. Note: For those Products / libraries that need to be different, make them "Private" and create all needed ACLs in that context.

- Use each ACL only once where possible and work hard to have the fewest possible total statements (e.g. use "ALL" states where possible instead of a separate statement for each state)

- Watch out for what seems like inconsistent behavior by object type but in fact is not. Example: Modify Content requires Modify as a prerequisite for Documents, so you can freely give everyone Modify Content without allowing them to do anything, and just control where you provide Modify. But for Change Objects (e.g. Change Requests), Modify Content is all that is needed to change an attachment; Modify does not apply for Change objects.

- Use Deny only where needed.


Mike,
I was trying to avoid deny, but I'm not sure how to address the situation where folders in the product have their own domain permissions to control team member access.

At the org level, I have these permissions set for the various release levels.
[image not included: org-level permissions per release level]

Inside the product, the CAD folder has these permissions where designer is a team role in the product.
[image not included: CAD folder domain permissions for the designer role]

I could move the permissions from the Org down to the folder domain. But that seems a little painful. (lots of products to fix, but it might be worth it if the result is easier to manage.)

David Haigh
Phone: 925-424-3931
Fax: 925-423-7496
Lawrence Livermore National Lab
7000 East Ave, L-362
Livermore, CA 94550
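To make the interaction described in this thread concrete, here is an added example that is not from the thread, from PTC or from Windchill itself: a small Python model of how rules in a domain hierarchy combine. It assumes Windchill-like semantics, as I understand them, and these are assumptions rather than documented behaviour: an Absolute Deny ("hard" deny) anywhere in the domain chain cannot be overridden; a plain Deny ("soft" deny) at an ancestor domain is overridden by a Grant in a more specific child domain; and with no matching rule at all the permission is simply not held. The domain paths, the "designer" role and the lifecycle states are constructed for the example, modelled on the org / CAD folder setup in the question.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Effect(Enum):
    GRANT = auto()
    DENY = auto()           # "soft" deny: a Grant in a child domain overrides it (assumption)
    ABSOLUTE_DENY = auto()  # "hard" deny: nothing in a child domain overrides it (assumption)


@dataclass(frozen=True)
class Rule:
    domain: tuple        # path of the domain the rule is defined in, root first
    principal: str       # role or group the rule applies to; "ALL" = everyone
    state: str           # lifecycle state the rule applies to; "ALL" = every state
    permission: str      # e.g. "Modify"
    effect: Effect


def evaluate(rules, obj_domain, principals, state, permission):
    """Decide whether a user holding `principals` has `permission` on an object
    in `state` whose folder lives at `obj_domain`.  Rules from the object's own
    domain and from every ancestor domain apply (a rule applies when its domain
    path is a prefix of the object's)."""
    applicable = [
        r for r in rules
        if r.permission == permission
        and r.principal in principals
        and r.state in (state, "ALL")
        and obj_domain[:len(r.domain)] == r.domain
    ]
    # No rule at all: the permission is simply not held (deny by omission).
    if not applicable:
        return False
    # An Absolute Deny anywhere in the chain wins outright.
    if any(r.effect is Effect.ABSOLUTE_DENY for r in applicable):
        return False
    # Otherwise the most specific (deepest) domain decides; within that domain
    # an explicit Deny beats a Grant.
    deepest = max(len(r.domain) for r in applicable)
    closest = [r for r in applicable if len(r.domain) == deepest]
    return all(r.effect is Effect.GRANT for r in closest)


# Constructed hierarchy: Org -> Product -> CAD folder domain.
ORG = ("Org",)
CAD = ("Org", "Product", "CAD")
STATES = ("In Work", "Under Review", "Released")


def original_setup():
    """As first configured: hard deny on Released at the org, blanket grant in the folder."""
    return [
        Rule(ORG, "ALL", "Released", "Modify", Effect.ABSOLUTE_DENY),
        Rule(CAD, "designer", "ALL", "Modify", Effect.GRANT),
    ]


def after_org_deny_removed():
    """The org deny is dropped but the folder grant still covers every state."""
    return [Rule(CAD, "designer", "ALL", "Modify", Effect.GRANT)]


def soft_deny_setup():
    """Same as the original, but with a plain Deny instead of an Absolute Deny."""
    return [
        Rule(ORG, "ALL", "Released", "Modify", Effect.DENY),
        Rule(CAD, "designer", "ALL", "Modify", Effect.GRANT),
    ]


def grant_only_setup():
    """No deny anywhere: grant Modify only for the states that should be editable."""
    return [Rule(CAD, "designer", s, "Modify", Effect.GRANT)
            for s in ("In Work", "Under Review")]


def modify_by_state(rules, principals=("designer", "ALL")):
    """Effective Modify decision for a CAD-folder object in each lifecycle state."""
    return {s: evaluate(rules, CAD, principals, s, "Modify") for s in STATES}


if __name__ == "__main__":
    for name, rules in [("original (hard deny)", original_setup()),
                        ("org deny removed", after_org_deny_removed()),
                        ("soft deny at org", soft_deny_setup()),
                        ("grant only", grant_only_setup())]:
        print(f"{name:22s}", modify_by_state(rules))
```

Running the block shows the three outcomes the thread is about: with the hard deny in place Released is blocked; once it is removed the blanket "ALL states" grant in the folder makes Released modifiable, which is the regression that prompted the question; a soft deny at the org would not have helped either, because the folder grant overrides it; and the grant-only layout, where the folder grants Modify per state and Released is simply never granted, reaches the same effective result as the original without any deny rule.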
