
General Questions as Admin, Old Users?

jtruitt
7-Bedrock


We used to have an admin who knew a lot more about Windchill than the current people including myself, I just have some general questions I can't really figure out. We are going through and trying to remove old users. The first method thought of is to add the old users to an admin group, change their password, log in as them and then remove all their workspaces. One of our confusions is that we have probably 8, 9 different groups set up from years ago and don't understand why some have visibility to certain product libraries and contexts. We had to test everyone to find which ones had visibility of all libraries so that we could see their workspaces by logging into them so we could delete them.

The other method I'm thinking of trying is actually deleting the user using Windchill's delete function and then removing their personal cabinet. Is there any issue with doing this? Does that blow everything away? I know it asks about undoing checked out objects so I'd think it is deleting everything. The current admin who kind of fell into the position said the old admin (who knew what he was doing) said not to do that so I'm a bit wary. Mind you these people will never be returning.

The next thing I've stumbled on is that as admins we should be able to view other people's workspaces under each context, however, we can't...with my limited knowledge we must need to alter the access control policies to give our admin group that ability? This is another grey area we haven't been able to get to work, how do we alter this? A while back we tried at the org level to change access but it didn't appear to work, do we have to be at the site level or something?

BenLoosli
23-Emerald II
(To:jtruitt)

You do not need to add the old users to an admin group, just change their password after they leave. We also change their full name field so you can see that they are not here. We put their first and last names as their first name and make their last name NLH (No Longer Here). This preserves the history of what they did. If that does not matter, then you can delete the user after you clean up their workspaces.

Deleting a user with a workspace will delete the workspace and remove the check-out of any items they were last working on. Unless you know what changes they were doing and IF those changes were ready for release, you will lose any work they did. This will also remove their name from the history of who did what to an object.

The only way to really see what was in someone else's workspace is to get IT to change their password and give it to you AND login on their old workstation. Barring that, I hope you have automatic upload when a file is saved enabled so at least all of their work is stored in their server side workspace and not their local workspace. If you have the auto upload enabled, then you can log into Windchill on any workstation as them and see what they have.

We have asked PTC to enable an admin function that will allow admins to look into other workspaces but it is not in the software yet.

TomU
23-Emerald IV
(To:BenLoosli)

Deleting a user ... will also remove their name from the history of who did what to an object.

Ben Loosli, deleting a user will not remove their name from the history. It will just append "(Deleted)" to their name. (For sure on 10.2 and later.) See Re: How do you manage users account who have left the company

MikeLockwood
22-Sapphire I
(To:jtruitt)

In general, never delete a user.  The user account gets deleted from Windchill DS but not from the database (Oracle or SQL Server).

Better to simply make sure that the users who have left are removed from any Groups (Org level) from which they get access granted.  From Participant Admin, one by one edit the user account to belong to no groups.  May want to create a Group named "De-Activated Users" or something similar and add to that - for the purpose of just being able to have a list.  Assign no permissions to this Group.

You can implement a simple query builder report to find all the workspaces, with the person who created, last modified, etc.  We recently went thru a Windchill update and used it to force cleaning up all old workspaces - the report helps greatly.

It's hard coded that admin has access to see / delete other user's workspaces but can't see inside them.  An additional query builder report can easily be implemented to list the contents of individual workspaces - we have that in place.

There should be a simple admin procedure for handling things when a user leaves.

TomU
23-Emerald IV
(To:MikeLockwood)

It's hard coded that admin has access to see / delete other user's workspaces but can't see inside them.  An additional query builder report can easily be implemented to list the contents of individual workspaces - we have that in place.

Mike Lockwood‌, something has changed.  I just noticed yesterday (by accident) that I can now see the entire contents of other user's workspaces (everything uploaded.)  The trick seems to be finding an object that is in one of their workspaces, viewing that object, and then following the bread crumb link back to their workspace itself.  I'm betting if I followed the step in CS199288, I could probably browse directly into any of them without first needing to find an object in each workspace.

Just to prove that this is not one of my workspaces.  I don't even have any workspaces in this context.

By the way, this is with 10.2 M030 CPS18.

MikeLockwood
22-Sapphire I
(To:TomU)

Thanks Tom - great to know. We will likely implement the property change to take advantage of this.

thanks!

TomU
23-Emerald IV
(To:MikeLockwood)

Mike Lockwood, it's not as useful as I hoped. While you can search for workspaces by name, there is no way to search for workspaces by owner, display the owner, or actually take actions on the individual objects (delete, check in, etc.). Trying to take actions on objects from the workspace listing just throws method server errors. Seems like this has not been fully implemented yet.

BenPerry
15-Moonstone
(To:TomU)

Mike Lockwood‌‌ & Tom Uminn‌,

I saw you 2 discussing getting into others' workspaces.

I'm having no problem (even with my own user account - but Site Admin permissions) getting into others' workspaces.  I've been able to do it in 10.2 M020 & M030.  It is via Report Manager.  All you need to do is have the EPMWorkspace table in the FROM section, and then have the top level EPMWorkspace in the SELECT clause.  This will provide an information button that can be clicked on to navigate into the workspace.

In the example below, I have a report that returns which workspace(s) an object belongs to.  But you could of course create your own report with your own parameters.  For example - just tie together EPMWorkspace and WTUser to get a user's workspace.

Am I missing something?  Is it just this easy to do?  Is there some security issue here?  We've talked about it a lot at TC meetings and it is talked about in the forums.  It seems like this is pretty easy to do (although admittedly it is the "backdoor" option).  Prefer to have a different and less complex door into someone's workspace.

2016-12-29_15-44-55.jpg

TomU
23-Emerald IV
(To:BenPerry)

Ben Perry‌,

Were you able to take actions on the objects in the workspace?

Getting into the workspace wasn't the problem for me, it was being able to actually do something once I was in.

BenPerry
15-Moonstone
(To:TomU)

I understand now.  No, I got an error message when trying to remove an object from the workspace.

2017-01-03 09:52:40,236 ERROR [ajp-bio-8011-exec-46] com.ptc.windchill.uwgm.proesrv.cache.WorkspaceRequestCacheAdapter ben.perry - WorkspaceRequestCacheAdapter.validateWorkspace :: The Workspace(oid) : ECOs (OR:wt.epm.workspaces.EPMWorkspace:780083413) belongs to the user : XXXX.

MikeLockwood
22-Sapphire I
(To:BenPerry)

Ben, using the link from this report is a great idea.  I have multiple workspace-related reports in place but have just updated each to use the root EPMDoc item - works like a charm.  The OTB admin functionality to list and delete others workspaces could easily be updated using this technique by PTC - hope they do so.

thanks!

HJ1
15-Moonstone
(To:BenPerry)

I came across this topic as something similar might be needed. Still on 10.2 M030.

I'm fairly new to Report Management, how exactly would you do what you say

"For example - just tie together EPMWorkspace and WTUser to get a user's workspace."

 

I see from the database tables that the link could be

EPMWorkspace.idA3M5 - WTUser.idA2A2

but how to realize this in Report Manager join?

Marco_Tosin
21-Topaz I
(To:HJ1)

Working with Report Manager in Windchill 11 is quite simple, because you can select to show only the joins that fit.

 

In your case the join is only one (see below).

 

<qml bypassAccessControl="false" caseInsensitive="true" addTimeToDateFields="false" mainType="Utente" joinModel="false" xsi:noNamespaceSchemaLocation="qml.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <query>
    <selectOrConstrain distinct="false" group="false">
      <reportAttribute heading="Nome completo" reportAttributeId="Nome_completo" userCanSelect="true" userCanConstrain="true" alwaysSelect="false" defaultValue="" constantValue="" isMacro="false">
        <column alias="Utente" isExternal="false" type="java.lang.String" propertyName="fullName">fullName</column>
      </reportAttribute>
    </selectOrConstrain>
    <from>
      <table alias="Workspace EPM" isExternal="false" xposition="0px" yposition="40px">wt.epm.workspaces.EPMWorkspace</table>
      <table alias="Utente" isExternal="false" xposition="203px" yposition="234px">wt.org.WTUser</table>
    </from>
    <referenceJoin>
      <join name="principalReference">
        <fromAliasTarget alias="Workspace EPM"/>
        <toAliasTarget alias="Utente"/>
      </join>
    </referenceJoin>
  </query>
</qml>

Marco

For reference see this previous discussion:  How best to mark users inactive or disabled?

What I am currently doing:

Steps to disable a User Account:

  1. Change user password from orgadmin account.
  2. Log in as user.
    1. Reassign any open tasks.
    2. Deal with any checked out work.
    3. Remove all workspaces.
    4. Set calendar to delegate indefinitely to another user.
    5. Delete any subscriptions created by the user.
    6. Unsubscribe from other subscriptions.
  3. As orgadmin:
    1. Remove user from all groups.
    2. Add user to disabled group. (ZZZ_Disabled)
    3. Rename user by adding a zz prefix and a (Disabled) suffix.
      1. For example: zz Marc DeBower (Disabled)
  4. As disabled user:
    1. Check for project, product, or library memberships.
      1. Project: Make sure view shows ALL projects not just active ones.
  5. As orgadmin:
    1. Run report: tmc-Context Membership
    2. Remove user from contexts found in preceding step.
    3. Repeat these two steps as necessary until all team memberships have been removed.

Thank you for your response.


By being a member of a context do you mean being in a team or role?


Quick question about the report...is the query building ability an additional product? I've seen it come up a number of times for useful tasks but I absolutely can't find it.

Hi Jordan,

Query Builder is not a PTC product, but a tool to manage information stored in Windchill DB.

If you have interest in Query Builder, you can join this community group Reporting and also take a look at this document Resource for reporting

I wrote this document to collect resources about reporting from different sources.

It's VERY long, but in the document you can find useful suggestions about reporting and lots of Query Builder reports ready to use.

You can look also at the Query Builder help page inside Windchill, but it isn't very intuitive.

I think it could be better to look first at the presentations attached in the document I wrote.

These are direct links to the presentations:

https://www.ptcusercommunity.com/servlet/JiveServlet/download/6348-82-73173/_Reporting6.2.pptx

https://www.ptcusercommunity.com/servlet/JiveServlet/download/6348-82-80037/091130_Reporting_QueryBuilder.ppt

Marco

I'm having an issue where I can't view a report, my browser just pulls up blank. We have issues using certain features as JavaScript is blocked, IT has to go through some process to roll back java to a previous version and it's a huge pain, I'm not sure if it's related.

I've been trying to find anywhere to find an option to build a query and I can't anywhere. I've seen people mention going to utilities>report management and that doesn't exist for me at site level.

MikeLockwood
22-Sapphire I
(To:jtruitt)

It's there at Site (and Org), Utilities.  If not shown, possibly you're using Intralink or Windchill Essentials?

You are absolutely right about what product we actually have. I see "Windchill" everywhere so I didn't think anything of it but it's Pro/Intralink and not PDMLink. Is there any way that I can get a complete list of users on our system?

MikeLockwood
22-Sapphire I
(To:jtruitt)

May be able to get them by exporting Windchill DS and then applying text filters.

Pretty amazing that getting a list of users (by group) is not a fundamental, easy and quick thing to do in Windchill.
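
The "export Windchill DS and apply text filters" idea from the reply above, as an added example that is not code from the thread or from PTC: it parses an LDIF export, handles the folded lines and base64 values that plain text filters miss, lists groups per user, and flags accounts in the disabled group (ZZZ_Disabled, from the checklist earlier in the thread) that are still listed in other groups. The LDIF export format, the object classes inetOrgPerson and groupOfUniqueNames, the uniqueMember attribute and every sample entry are assumptions; adjust them to what your export actually contains.

```python
import base64
# Constructed sample export. Object class and attribute names are assumptions.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,o=example
objectClass: inetOrgPerson
cn: John Doe

dn: uid=asmith,ou=people,o=example
objectClass: inetOrgPerson
cn:: QW5uYSBTbWl0aA==

dn: cn=Designers,ou=people,o=example
objectClass: groupOfUniqueNames
cn: Designers
uniqueMember: uid=asmith,
 ou=people,o=example

dn: cn=ZZZ_Disabled,ou=people,o=example
objectClass: groupOfUniqueNames
cn: ZZZ_Disabled
uniqueMember: uid=asmith,ou=people,o=example
"""

def parse_ldif(text):
    """Unfold continuation lines, then return [{lowercased attribute: [values]}]."""
    entries = []
    for block in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            b64 = rest.startswith(":")  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def groups_by_user(entries):
    """Map each user's cn to the sorted names of the groups that list them."""
    kind = lambda e, oc: oc in (v.lower() for v in e.get("objectclass", []))
    members = {g["cn"][0]: {m.lower() for m in g.get("uniquemember", [])}
               for g in entries if kind(g, "groupofuniquenames")}
    return {u["cn"][0]: sorted(n for n, m in members.items() if u["dn"][0].lower() in m)
            for u in entries if kind(u, "inetorgperson")}

def still_has_access(entries, disabled="ZZZ_Disabled"):
    """Disabled-group members who are still listed in other groups (all groups shown)."""
    return {u: g for u, g in groups_by_user(entries).items() if disabled in g and len(g) > 1}
```

Users with an empty group list still appear in the `groups_by_user` result, so the same output doubles as the complete user list asked about above.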
