Thank you Ajit. Currently I am trying to stay as close to possible to OOTB capabilities. Right now the groups in PDMLink only recompute once per day per this property: 

• wt.inf.team.refreshGroupsDailyQueueTime=12:30:PM

Is there a similar property that can be set to do this multiple times a day or would we need to customize it per your recomendation?

Hi @AM_10644680 

Iam sure if the property existed it would be in the article CS29278

PetrH

Hello AM_10644680,

This is Charles from PTC Technical Support in Europe:

I checked Windchill implementation and do not see any easy/friendly way to achieve this requirement.

Only Group > Recompute group is available ootb.

What issue are you trying to address?

KR,

Charles.

We are synced to a third party LDAP Directory where we store groups which users can update the membership for. Those groups are used in teams in Windchill directly and since users can't "recompute" groups themselves they would have to wait 24 hours for any new users to sync to those PTC groups unless I click the "recompute" button for them. So in general I'd like all my groups in PTC to sync every 4 hours instead of just once a day. 

Yeah I figured it would probably take something custom to do so which is what I'm trying to avoid :). Thank you

Hello AM_10644680,

What issue do users encounter when getting added to a team and the recompute has not run yet?

KR,

Charles.

So users are added/removed to those LDAP groups externally all the time unfortunately and so the groups inside windchill get out of date quickly. Unfortunately a 24 hour automated recompute is not enough to keep them up to date. I'd be happy with even getting it to automatically recompute twice a day. 

PTC Introducing a scheduled task to recompute would be ideal for this, or if it would update group membership at login.

OAuth would be nice :). We need to get authentication updated in Windchill. 

Windchill does support Oauth, SAML etc, but mainly for authentication and whole-system authorization (which relies on ACL's etc).

Would be nice to send additional attributes (SAML) or Claims (Oauth) and let Windchill make some advanced authN/authZ decisions - hence my suggestion to PTC of a working group 🙂 

Hello AM_10644680,

When saying 'groups inside windchill get out of date quickly', how are such users getting impacted here? what is the symptom?

KR,

Charles.

If you are using AD groups to drive Windchill groups to provision Access Control (team membership, authorized participants for security labels / agreements etc) and those AD groups potentially get updated many times a day in the enterprise to add or remove people to those groups... Windchill can easily become out of date during a working day.

New users end up waiting another 24 hours to get added to PTC before they can access their products/team roles. 

Do you observe that users have no access to product's folders and objects right after adding them to products?

In our current environment we customized Windchill to sync internal groups to external LDAP groups every 10 minutes however we are trying to move away from too many customizations and need an OOTB solution and so we moved to using the Info*Engine adapter to manage our groups. However you can only recompute those LDAP groups once per day OOTB. 

When this customization is unplugged/disabled, do you observe that users have no access to product's folders and objects right after adding them to products?