I need to ensure the MFG Team views only Released Drawings . I modified the Lifecycle state's Access Control and unchecked all permissions for Released State for MFG team . But the policies aren't taking effect
as OOTB all team memebers has Read permission for release object, you have to overide the same by dening the permission against of MFG Role in ACL.
You can check the Access Information Table via Manage Security to find out why a group still has access to the objects:
Select Actions > Manage Security
Add the principal to the list via the "+" button
Click on the info icon to open the "Access Information" table
Update the permissions/policies listed accordingly to get the desired level of access.
Refer to Access Information Page topic in the Windchill Help Center for more information
Were you able to get what you needed working? We did this by creating a MFG role in the Product/Project. We then created a MFG group for the team members who are only suppose to view drawings at a certain lifecycle state, and added that group to the MFG role (this is defined in the template for any new products/projects as well).
In the Policy Administrator (Site -> Utilities -> Policy Administrator) we set rules to allow access to objects by their role and by lifecycle state. We edited the default rule giving read access to all, and instead only give read access to all users where the life cycle state = Released. Other roles are granted access to objects at other states as needed. For example, engineers have full access to all items at all roles except released. At released they can read and revise. Buyers have read access to all items at prototype, pre-release, release, and change pending.
Let me know if you need any help with this.
Traditionally you need to redesign the Access Controls;
PTC's out of the box Access Controls have teamMember that you need to delete.
1. Delete OOTB teamMember ACL against EPMDocuments
2. Make A New Role such as ViewReleasedCAD; Set ACLs for Read or Read/Download for State such as Released for EPMDoc
3. Add Groups to Role per COntext.
Pretty Much a standard Procedure for every customer
I'm partial but Brian is right here. Deny permissions should be used with caution and can easily be avoided in this scenario via removing 3 ACL's for the Teammembers role that come with EPMDocuments in the General Template. Then your users ACL's start from a somewhat blank slate with no granted permissions but also none denied. This is ideal.
You can achieve this by the followin steps:
1) Pool the specific MFG users to a User group.
2) Go to "Security" in Org Utilities and enable Folder domain display to YES.
3) Create a Domain and rule the policy administration for the following two conditions:
> The EPM Document object should carry "Deny" permission for all the listed actions under "In Work" State.
> The EPM Document object should be given "Read" Permissiono alone for the "Released" State.
4) Once when you had created the above policy now go to the folders where you need to apply this policy rule - Right click - Edit - Uncheck the Inherit Domain option - Click on Find and select the domain & policy rule that you had created in the above step and click "OK"
Hope this helps!
I am very interested in this topic, but @LoriSood I can't seem to find Actions > Manage Security
We need to restrict access to non Released objects to folks outside Engineering, but I'm having some difficulty.
Our set up is on the cloud and I don't have complete admin access. Could you assist and point me in the right direction?
Swisslog Healthcare (North America)
Windchill 11.0 M030 CPS09
WGM 11.0 M030
Inventor Pro 2017
SAP Version 7400.3.10.1126
In WC11, open the folder you have files in and then Actions - Edit Access Control.
You can also do this at a grander level from Utilities - Policy Administration.
@BenLoosli Thanks, I did attempt to do that, even with PTC on a webex, but I couldn't. I think it must be something to do with our cloud setup?
@JH, if you are in 11.0 it has been renamed to "Edit Access Control" in the Actions menu. If you still don't see it then it may have been removed by an administrator via a Windchill Policy or the "Configure Actions for Roles" admin action.
If this is a Cloud environment it is very possible that the action has been removed in that environment--especially if you're not an admin (product/library manager or org admin).