cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

We are happy to announce the new Windchill Customization board! Learn more.

How to block user access in windchill

madami
10-Marble

How to block user access in windchill

Hello

the goal is to avoid user access in Windchill (or a list of users) without deleting or damaging the user itself (considering he/she can be reactivated in the future).

Some articles provided by PTC support did not work in our environment

https://www.ptc.com/en/support/article?n=CS145660

https://www.ptc.com/en/support/article?n=CS71201

 

The next one didn't work because the Windchill user credentials are synchronized with Active Directory / LDAP:

https://www.ptc.com/en/support/article/CS102243 

 

Because all of this, now I'm asking to the ptc Community.

Thanks and Reg

 

 

 

5 REPLIES 5
JHall
16-Pearl
(To:madami)

@madami 

I created a Group that isn't a member of any Product (context), restricted that Group's access.  I move folks in and out of that.  If Windchill DS is used, I change their password also. Active directory, I can't do that.

It looks like you tried that, but with no success?

James
Windchill 11.0

madami
10-Marble
(To:JHall)

Hi,

in fact I didn't do that exactly, but user credentials are synchronized with LDAP / Active Directory.

I was trying to find a solution inside Windchill application, without changing any other network configuration.
Some people from internal IT Infrastructure suggested to create a particular Group at AD and somehow saying to Windchill that only this group sync access credentials with AD; the issue for that is to understand the configuration to do that in Windchill.

Thanks anyway for your response.

Miguel

JHall
16-Pearl
(To:madami)

@madami 

Actually I do use this method with Active Directory.   The "Deactivated Users" Group restricts access and when/if the IT dept removes members of them from the network Active Directory group, they are disconnected from Windchill. 

So it looks like this.  Our old Windchill DS users remain as xxx[Deactivated].  No access and a name change.

Active Directory Users are placed in this group (restricting their access to all Products/contexts) then over time the IT Dept removes them from the Active Directory group in Outlook.  This can take a few days, but until then, even if they got into Windchill, they have no access.   - James

AC.jpg




mmeadows-3
13-Aquamarine
(To:madami)

If this is Windchill 11.1+, just remove these users from all license profiles.  If they aren't associated with a profile, they can't access anything in Windchill.

 

To disable login of a group of users prior to Windchill licensing, use the deactivated users group technique to exclude them from license audits.  https://www.ptc.com/en/support/article/CS167448

 

Since the users are managed in ADS, use an LDAP filter group on your Apache ADS provider.  https://www.ptc.com/en/support/article/CS152247 (steps #2 and #3 only, not #1 or #4)

 

To 'disable' a user, add them to the deactivated users group in Windchill and remove them from the 'Windchill Users' group in ADS.  This will exclude them from license audits and prevent them from logging into Windchill.  When they come back, add them to the filter group again and remove them from the disabled users group.

 

Note: They will still be available for participant searches, role membership, etc.  Additional steps are necessary for account cleanup.

These directions will be evaluated, thanks

Top Tags