RE: Deleting Policy Administrator Rules

srector · ‎May 17, 2010

Thanks to previous posts in this forum, I learned how to use the "Load From File" utility to bulk-add additional rules in the Policy Administrator. I also noted (again, as described here), that I can't over-write or revise existing rules already in the system.

My question this morning is; Is there a utility or method available to bulk-delete all of the existing rules that I want to change?

If not, then I am faced with deleting themmanually on each of our Products before bulk-loading the new rules, and at that point, I sort of lose the advantage a bulk-loading script offers in the first place.

Thanks in advance for any advice you might share,

Steve

srector · ‎May 24, 2010

It seems I may have stumped the forum, so I'll try a different question.

If a policy is undefined (i.e.: Permissions are neither granted or denied), how does PDMLink respond?

Does the system default to "Grant" or "Deny"?

Thanks for any light you might shed on this for me!

Steve

ddemay · ‎May 24, 2010

Stumped? I don't think you can stump this group. We all just get busy, but
I could not resist replying when you said that. (Perhaps that's what you
wanted.)

If you grant at one level. Then deny in another place (same level etc.) .
You go back to None. There are many places where none is used. It is one
way of inverting previously defined ACL's.

Were you the one asking for the load file to bulk load deletions? Your
question today would effectively be able to invert rules previously
established vs. deleting existing ones.

A custom loader for your situation might be write a admin workflow that has
no PBO and run some code that uses the ACL Helper Java API to change
permissions. If I knew the object rules I wanted to change, this is fairly
straightforward though not the solution you originally sought.

HTH,

JSchrader · ‎May 24, 2010

Steve,

Missed your previous question, so let me answer both. First, no there
is nothing out of the box to do what you want to do. Even the OOTB
loads have issues dealing with "common" roles (like PRODUCT MANAGER)
that are available in various product containers. So we developed a
loader (attached along with an InfoEngine task that needs to be placed
under the tasks folder) that allows you to load across containers as
well as remove them. This was developed for Windchill 8.0 so may need
some updating for 9.0/9.1. The following line needs to be added to the
csvmapfile.txt under %WT_HOME%\loadFiles:

LoadProductACL~create~com.kalypso.load.
LoadProductACL.createAccessControlRule~user~domain~typeId~permission~pri
ncipal~permissionList~state~remove

For your other question, if you do not define a rule, then no permission
is given. Typically, that would be the recommended method to deny
access rather than explicitly denying the access (only use the deny if
you don't have a choice...typically).

Thanks,

Jason Schrader

srector · ‎May 25, 2010

Thanks Dave and Jason!

I'm going to try to wade through Jason's code, since it appears to be the cleaner solution. However given my nascent java skills, I may fall back on Dave's solution since I understand it better.

Thanks again!