We are retiring Windchill Intralink 9.1 soon, and migrating to a different PDM.
However, we want to keep Windchill running as read-only for a few months in case we discover any files that were not migrated.
My first thought was to make all vaults read-only. But is that enough?
Will users still be able to revise, check-out, or promote?
All we want is for users to be able to "Add to Workspace" in Pro/E so they can export afterward.
I'm hoping to avoid using the Policy Administrator to change Domain permissions.
(It's been years since I've created/changed those.)
Not sure this would work, but could you add everyone to a group that has restricted access?
Or create a Profile with all of the create, revise, checkout, and promote commands removed?
Use the Guest role?
Just some off the top of my head thoughts...
Policy Administrator is not so bad for a single Rule.
At Org / PDM create a Rule that Denies everything but Read and Download to the Organization (not to a Role or Group).
Confirm by accessing some data object and running Manage Security.
Would I be correct in assuming that in this scenario, the administrator (wcadmin) would still have full access (not restricted to read/download)?
How many products/libraries are there in migrated PDM?
Though we can use different options like Profile and access control, I would go with read, download etc permissions defined at organization level which applies to all users except Administrator (It is very important to exclude Administrators).
Let me know if you have any difficulties in setting access control.
Manipulating domain policies can be a lot of 'fun'. Mike's solution is great as long as the Windchill system follows domain policy best practices. But there is a good chance these recommendations won't work. It just depends on the nuances of your current business configuration.
Unfortunately there are many ways to accidentally limit site admin's permissions while trying to limit access to everyone else. So always configure and validate in a test environment first.
FYI: In case you discover your site admin suddenly has read-only permissions to the system, there is a Windchill property that will bypass/disable all access controls (CS20793).