In Reply to Mike Lockwood:

We have the same need - formalized by corporate recently to require:


· At least every 6 months verify:

1. Accounts for all users who have left the company are disabled / non-functional

2. All remaining users have appropriate permissions (for us this means appropriate Group membership, which has to be ok'd by their supervisor)

3. Identify any users who have not logged on for at least 90 days and request that they confirm need to continue having an account

#2 above is the main challenge. It requires:

- Concise "cheat sheet" in user language for how permissions are applied (a user in this group can do xxx and cannot do yyy)

- Routing a verification of some type to each user's supervisor (Windchill does not "know" who each user's supervisor is, so this is outside Windchill)

In our case we apply permissions strictly using Groups. There is no OTB report for listing the members of each Group (unbelievable!!). We paid a consultant to create such a report - run from a Windchill shell.

Haven't yet worked out an elegant way to do this twice a year.

Ah, that's a bit different than what we do, we tie our access levels/permissions based off of the context team roles, as we have quite a few product line contexts with different engineer groups working on them so we can't really put a full user group in most of the key roles. That would make a mess of our engineering changes. We do havea small handful ofuser groups but they're primarily for general auditing, read-only Guest access and a couple of groups for the designer "grunts" that do the main CAD work, often co-op students that we cycle through regularly. Sounds like I may not be able to help you very much.

In Reply to Mike Lockwood:

Membership in context teams could also be very important depending on how you set things up.

For us, we use context team membership only for routing workflow tasks, not for user permissions - and the vast majority of these are done thru org-level team templates. We have good reports on the team templates so they are easy.

I did not find a simple solution. I'll ask the question I think others probably have, but may not want to ask publically given that PTC does take part in the forums. If it is so difficult to get the data to manage our licenses, can PTC evendo it? My intent was to audit the number of active users and match that numberagainst our number of licenses. It appears others have this same issue. I have “x” total users. I have “y” users in active groups and “z” users in obsolete groups, and x = y + z. I can jump through (manual) hoops to show that I have “y” licenses that match my “y” active users, but is there any point to doing this? If it is so compicated that I can'tdo it through the system, can PTC do it? If they can, then why won’t they share?

Thanks Al,

I think that's a good gross indicator but it really doesnt help with compliance. For instance, in your Feb numbers, if you have 450 licenses, but have created 700 users, and your graph shows only414 have acessed the system itgives you a false sense of compliance. As I understand it, any user who accesses the system must have an individual login (=license). So tracking the number of unique logins doesnt really help with the licensing issue. At least this is how the licensing hasbeen explained to me by PTC and several consultants. It's almost an honor system, with the possibility of a PTC audit helping keep people honest.

Thanks Al, that explanation is very helpful and we already do what you outlined. What I naively had hoped for was the ability to run a report that would show, for example, the master View and Print group with all its sub-groups and the users contained in those groups. The response from PTC was that WC can’t produce a report dealing with Groups because that is handled outside by the LDAP. I can maintain a user listing like this outside the system, but then it’s not a real time picture of what WC contains. It just seemed that a system with the power of WC should be able to handle this. Do you have such a report? Thanks for your help here.