cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can change your system assigned username to something more personal in your community settings. X

Managing Users

PreetiGupta
15-Moonstone

Managing Users

Hi,

For last 7+ years in Windchill Production at Alcon, we stored Users & Groups information in Windchill Active Directory. Since June 2014, we have moved to our Corporate Active Directory. I would like to know how other companies handled users who have left the company. There are few things we have discussed internally, but would like to know more from the user community.

Process 1:

1) User ABC left the company.

2) It becomes disconnected principal in Windchill

3) Delete user ABC from Windchill

Process 2:

1) User ABC left the company

2) Associate user ABC to a new local user something like ABC - Deactivated which is only existing in Windchill Active directory.

I prefer process 1 stated above. Only issue with that I can foresee is we cannot search on what all activity user ABC has done in Windchill before leaving.

Process 2 gives advantages on searching on this user, because it is not disconnected anymore. However we are altering history here. Everywhere the user is replaced with ABC - Deactivated.

Let me know how it is handled at your end.

Thanks,

Preeti

16 REPLIES 16
jessh
12-Amethyst
(To:PreetiGupta)

Some clarity would be good here.

I know what "Microsoft / Windows Active Directory" is and what
"Windchill DS (Directory Services)" is.

I don't have any idea what "Windchill Active Directory" is.

Jess, yes my bad, replace Windchill Active Directory with Windchill DS 🙂

What is your recommendation on handling users who have left the company?

Thanks.
jessh
12-Amethyst
(To:PreetiGupta)

I'm a developer, not a system administrator or deployment expert, so I
don't feel I have sufficient experience to be recommending approaches here.

I just wanted to be sure that we were all just clear enough on
terminology to be sure we're talking about the same thing 🙂

In my experience, people who leave the company do not get their user account deleted in AD. It gets disabled or has the password changed etc. This is due to various reasons that are external of Windchill. In Windchill, the user typically gets removed from groups and deleted.


Regards,
[cid:image001.gif@01CFCB30.A000F600]

Stephen Vinyard
Director of Customer Success

This issue is covered very well in this forum.
Bottom line is you don't delete users.
History, which is or can be very important in a CM system, is preserved.


- Disable in corporate LDAP

- Remove from all groups/roles/permissions.

- Add to site-context group "Deactivated Users". This was suggested to me by PTC. For licensing auditing, these users won't be counted.

joe bell
GSIMS Administrator
GPS Sustainment Information Management System
719-572-2890
bellj@gpssims.com<">mailto:bellj@gpssims.com>

Preeti: Similar situation here except we went from WindchillDS to OpenLDAP (for the users). We keep old users forever in order to preserve the history. Not only in Windchill but in "conventional" filesystems also. We have attributes in OpenLDAP that we can filter on to prevent logging in however let
Windchill still see the old users.

The following describes these attributes:

* gpRoleDN
o Does the user have an active Windchill Role?
o In other words can they login to their windchill account?
o apache uses this as a filter to determine if the user can login to Windchill
* gpWindchillUser
o Is the user a "Windchill" user?
o in other words has the user ever had or currently has an active Windchill role?
o OpenLDAP Windchill InfoEngine adapter uses this as a filter for finding users

In apache we filter on the gpRoleDNattribute to determine if users can login to Windchill. In the OpenLDAP adapter definition for Info*Engine Administration we filter on the gpWindchillUser attribute. This can prevent users from logging in however Windchill it's self can still "see" the users.This
also gives us the flexibility of locking a current user out of Windchill for whatever reason.

History isn't lost if Windchill user is deleted. I don't disagree with any of these points though. If you delete a user and then review a signoff or historical record of something they did it will say "Steve Vinyard (deleted)"


Regards,
[cid:image001.gif@01CFCB30.A000F600]

Stephen Vinyard
Director of Customer Success

Ah. Yes you are right.
I was thinking of the other reason we don't delete users:
We have had many instances of users leaving and coming back years later. Their history, documents checked out, and even unfinished assignments are intact!

joe bell
GSIMS Administrator
GPS Sustainment Information Management System
719-572-2890
bellj@gpssims.com<">mailto:bellj@gpssims.com>
BenPerry
15-Moonstone
(To:PreetiGupta)

I also don't think you can execute searches based on deleted users too. So, for example, I cannot search for "CAD files" created by "Steve Vinyard" between "date1" and "date2". Isn't that true?

Ben
TomU
23-Emerald IV
(To:PreetiGupta)

Searching by deleted user works just fine. (10.2 M020)

[cid:image002.jpg@01CFD107.61AA7110]
[cid:image003.jpg@01CFD107.61AA7110]
[cid:image004.jpg@01CFD107.61AA7110]
[cid:image013.jpg@01CFD107.61AA7110]

This search does not work on 10.1 M040. Thanks Tom for getting screenshot. I agree that history will show Preeti Gupta(deleted), however in our system I cannot search for what Preeti Gupta did in Windchill . We have to go to Individual documents/parts to see history. There is no way I can get a list of everything the user worked on in last 2 months for example.


Ok, I take it back, This is funny the way this works after user is deleted from Windchill. The Full Name search is case sensitive now ...wow, I cannot believe the way it is doing it. I almost declared that I cannot search for the user once deleted 🙂
I am so glad that I posted it here, glad to have support from you guys.
[cid:image001.png@01CFD0F5.869FD3A0]
[cid:image002.png@01CFD0F5.869FD3A0]

[cid:image006.png@01CFD0F4.26054170]

A while back I got very curious about this and created a document with a
bunch of screen captures - showing Windchill UI, the database and LDAP after
each action on some test users. Can't find a copy now, but maybe Preeti or
JP can dig up.


The word "Delete" is used in the Participant / Principle Administrator, but
the user is not actually deleted from the database (WTUSER table). This
allows every action that the user ever took to be presented forever. Don't
recall, but "delete" may actually remove the user from Windchill DS if
active directory integration is not used.



Would be nice if PTC clarified what the "delete" action did in the
Participant / Principle Administrator.



Best practices and standard procedures for handling users who have left have
been posted at least a dozen times that I can recall, but there always seem
to be differences and nuances to consider.


Hi all,


When a user leaves the company, in my opinion, the Windchill user can be deleted.


I have done thie before, and good thing is that the foot print o th user remains in Windchill.


For example, "Created by :ABC (Deleted) " will be shown.


Regarding handling that user from LDAP, like Windows Active Directory, the best practice is that


that user will probably deleted by the Windows Admin.


Moving the deleted Windchill user to a "Deleted Users" group may be messy. you will never


know to which actual groups th user belonged to.


By and large this process is good enough.


If there is a sytem migration to a latr release of Windchill is planned, still I think that the deleted


users too can be migrated.


Foot prints of a user who has left can be very useful down the years during a design review or CRB



Thanks & Regards


Hari Varadharajan


Tata Consultancy Services


Instead of deleting or disabling user I would prefer creating one group in Windchill called deletedUsers and then add all user deleted uses in this group.



If users are from AD and as per company’s corporate policy users’ needs to be deleted from AD when they left organization then let IT delete user from AD. Now, deleted user will be disconnected user in Windchill. Create dummy user in WindchillDS and reconnected disconnected user with dummy user created in Windchill DS. Also remove users from all other groups (groups create for workflow or for manage ACL’s)



Since, user is neither deleted nor disconnected so everything should work fine i.e. Searching of users, Disconnected/ Deleted will also not appear in the user name.




Thanks,


Shreyas

LiuLiang
4-Participant
(To:PreetiGupta)

In our company, we don't delete Windchill users, we disable a Windchill user by renaming <username> to X-<username>,changing <full name="> to <full name="> (Deleted), making user's email field empty. Also we remove all groups/roles from user and change password.


We have many interns/contractors/consultants coming back time to time,this makes re-activating returning users pretty simple.

Announcements


Top Tags