I am using Windchill PDMLink Release 12.0 and Datecode with CPS 12.0.2.15
We would like to know if it is possible to automatically recompute groups multiple times a day from a Third party LDAP directory. Currently we looked at this article,
https://www.ptc.com/en/support/article/CS29278?source=search,
which shows that groups are recomputed once per day automatically if that property is set.
I also found this article https://support.ptc.com/help/windchill/wc111_hc/whc_en/index.html?_gl=1*47qgm7*_ga*MTE2NTk3MDExOS4xNzA2ODA1MjQ5*_ga_CBN5QVB9VJ*MTcwNzQyOTk3My4xMi4xLjE3MDc0MzA0ODUuMC4wLjA.#page/Windchill_Help_Center/queuemgmtChp_OutBoxBackgroundQueue_CtScheduleQueue.html.
Hello,
Yes, it is possible to re-compute groups multiple times in a day.
This is language independent, but you can refer to the article below as a starting point.
https://myjeeva.com/querying-active-directory-using-java.html
Once you have the report generated multiple times in a day, you can have a workflow processing that report.
Regards
Ajit
Thank you Ajit. Currently I am trying to stay as close as possible to OOTB capabilities. Right now the groups in PDMLink only recompute once per day per this property:
Is there a similar property that can be set to do this multiple times a day, or would we need to customize it per your recommendation?
Hello AM_10644680,
This is Charles from PTC Technical Support in Europe:
I checked Windchill implementation and do not see any easy/friendly way to achieve this requirement.
Only Group > Recompute group is available ootb.
What issue are you trying to address?
KR,
Charles.
We are synced to a third party LDAP Directory where we store groups which users can update the membership for. Those groups are used in teams in Windchill directly and since users can't "recompute" groups themselves they would have to wait 24 hours for any new users to sync to those PTC groups unless I click the "recompute" button for them. So in general I'd like all my groups in PTC to sync every 4 hours instead of just once a day.
Sounds like a job for Scheduling Queue entry.
Very doable. I've done it plenty of times for customers that need whatever to happen at prescribed intervals.
In your case, whatever is recomputing your groups.
You mentioned trying to stay OOTB. You're not going to get there OOTB.
If you need the groups to be recomputed for the sake of workflows, that too can be automated to be immediate rather than waiting 4 hours.
Yeah I figured it would probably take something custom to do so which is what I'm trying to avoid :). Thank you
Hello AM_10644680,
What issue do users encounter when getting added to a team and the recompute has not run yet?
KR,
Charles.
So users are added to and removed from those LDAP groups externally all the time, unfortunately, and so the groups inside Windchill get out of date quickly. Unfortunately a 24 hour automated recompute is not enough to keep them up to date. I'd be happy with even getting it to automatically recompute twice a day.
PTC introducing a scheduled task to recompute would be ideal for this, or if it would update group membership at login.
Oh boy... dare I say someone wants SCIM in Windchill? I have had a few discussions with PTC's security folks about improving and modernizing Windchill's Authentication / Authorization to better manage users' access.
I suggested a working group that could cover SAML, OAuth, provisioning, ACLs etc... Hasn't gone very far yet though.
OAuth would be nice :). We need to get authentication updated in Windchill.
Windchill does support OAuth, SAML etc, but mainly for authentication and whole-system authorization (which relies on ACLs etc).
Would be nice to send additional attributes (SAML) or Claims (OAuth) and let Windchill make some advanced authN/authZ decisions - hence my suggestion to PTC of a working group 🙂
Hello AM_10644680,
When saying 'groups inside Windchill get out of date quickly', how are such users getting impacted here? What is the symptom?
KR,
Charles.
If you are using AD groups to drive Windchill groups to provision Access Control (team membership, authorized participants for security labels / agreements etc) and those AD groups potentially get updated many times a day in the enterprise to add or remove people to those groups... Windchill can easily become out of date during a working day.
New users end up waiting another 24 hours to get added to PTC before they can access their products/team roles.
Do you observe that users have no access to product's folders and objects right after adding them to products?
In our current environment we customized Windchill to sync internal groups to external LDAP groups every 10 minutes however we are trying to move away from too many customizations and need an OOTB solution and so we moved to using the Info*Engine adapter to manage our groups. However you can only recompute those LDAP groups once per day OOTB.
When this customization is unplugged/disabled, do you observe that users have no access to product's folders and objects right after adding them to products?