Limit access at part level based on IP address

Jdorecae · ‎Oct 25, 2019

Hello,

This is my first article in this community as I just started supporting PTC Windchill in our company. We are facing a new challenge where we are segregating our activities in two network areas to enhance the security on our projects using controlled data.

I would like to check with the community if it is possible to limit the access to specific parts based on the IP address of the client. Basically, I want users to be able to see controlled parts into an assembly only if they are in the right network area.

Thanks in advance for your support!

MichaelChatel · ‎Oct 25, 2019

There is no such configuration or option within Windchill itself, that would allow permissions/policy access to parts/context to be granted or denied, based on user's IP address. Sounds like a product idea (I'm actually surprised I could not find an existing one for this).

BenLoosli · ‎Oct 25, 2019

Can you explain the reasoning for this?

The way I see it, if I have User ABC. From his desk in the office, he can see anything. But if he goes to the shop floor and logins into Restricted IP computer, he can only see a limited set of data? What protection does that buy you as a company?

I would think limiting user access by ACLs and profiles would be sufficient to limit access but still allow access for those who need it.

mmeadows-3 · ‎Oct 25, 2019

What you ask is possible but probably not practical. At least Windchill PDMLink was not written to function this way. For discussion purposes, let's assume you have internal and external access.

When a user logs in, Windchill calculates their access based on their login username. So, each user would need two logins to Windchill (internal and external) to have different access permissions. Licensing can be configured to allow this but it feels like a lot of administrative overhead for little to no value.

To complete this scenario, login restrictions are implemented via Apache. Windchill's internal Apache instance can be configured to restrict access to an 'internal users' LDAP filter group. We can limit Apache by IP address but it won't define permissions by internal/external access. Only place internal usernames in the 'internal users' group.

Implement a reverse proxy and configure Apache with an 'external users' LDAP filter group for external access. Again, only include external usernames in the 'external users' filter group.

Is your request to limit access to explicit components ("controlled parts")? PDMLink is designed to limit access to entire classes of components (e.g. Documents, CAD Documents, WTParts). To limit access at the individual object level, consider implementing security labels or ProjectLink.

ivan_feofilov · ‎Oct 25, 2019

The direct answer to your question yes, you can update Apache configuration like this:

<Directory Windchill/app/#ptc1/tcomp/infoPage>
Order allow,deny
Allow from 192.168.1.0/24
Allow from 127
</Directory>

You can use regexp for certain WTParts http://httpd.apache.org/docs/current/mod/core.html#directory

But as mention BenLoosli better to use ACL. Can you put users from a specific subnet to restricted the LDAP group and restrict access?