cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Community Tip - When posting, your subject should be specific and summarize your question. Here are some additional tips on asking a great question. X

Translate the entire conversation x

Managing Users

PreetiGupta
15-Moonstone
15-Moonstone
‎Sep 15, 2014 02:25 PM
‎Sep 15, 2014 02:25 PM

Managing Users

Hi,

For last 7+ years in Windchill Production at Alcon, we stored Users & Groups information in Windchill Active Directory. Since June 2014, we have moved to our Corporate Active Directory. I would like to know how other companies handled users who have left the company. There are few things we have discussed internally, but would like to know more from the user community.

Process 1:

1) User ABC left the company.

2) It becomes disconnected principal in Windchill

3) Delete user ABC from Windchill

Process 2:

1) User ABC left the company

2) Associate user ABC to a new local user something like ABC - Deactivated which is only existing in Windchill Active directory.

I prefer process 1 stated above. Only issue with that I can foresee is we cannot search on what all activity user ABC has done in Windchill before leaving.

Process 2 gives advantages on searching on this user, because it is not disconnected anymore. However we are altering history here. Everywhere the user is replaced with ABC - Deactivated.

Let me know how it is handled at your end.

Thanks,

Preeti

Labels:
0 Kudos
Notify Moderator
16 REPLIES 16
jessh
12-Amethyst
12-Amethyst
(To:PreetiGupta)
‎Sep 15, 2014 02:35 PM
‎Sep 15, 2014 02:35 PM

Some clarity would be good here.

I know what "Microsoft / Windows Active Directory" is and what
"Windchill DS (Directory Services)" is.

I don't have any idea what "Windchill Active Directory" is.
0 Kudos
Notify Moderator
PreetiGupta
15-Moonstone
15-Moonstone
(To:PreetiGupta)
‎Sep 15, 2014 02:39 PM
‎Sep 15, 2014 02:39 PM

Jess, yes my bad, replace Windchill Active Directory with Windchill DS 🙂

What is your recommendation on handling users who have left the company?

Thanks.
0 Kudos
Notify Moderator
jessh
12-Amethyst
12-Amethyst
(To:PreetiGupta)
‎Sep 15, 2014 02:45 PM
‎Sep 15, 2014 02:45 PM

I'm a developer, not a system administrator or deployment expert, so I
don't feel I have sufficient experience to be recommending approaches here.

I just wanted to be sure that we were all just clear enough on
terminology to be sure we're talking about the same thing 🙂

0 Kudos
Notify Moderator
SteveVinyard
1-Visitor
1-Visitor
(To:PreetiGupta)
‎Sep 15, 2014 03:47 PM
‎Sep 15, 2014 03:47 PM

In my experience, people who leave the company do not get their user account deleted in AD. It gets disabled or has the password changed etc. This is due to various reasons that are external of Windchill. In Windchill, the user typically gets removed from groups and deleted.


Regards,
[cid:image001.gif@01CFCB30.A000F600]

Stephen Vinyard
Director of Customer Success
0 Kudos
Notify Moderator
bellj
1-Visitor
1-Visitor
(To:PreetiGupta)
‎Sep 15, 2014 04:01 PM
‎Sep 15, 2014 04:01 PM

This issue is covered very well in this forum.
Bottom line is you don't delete users.
History, which is or can be very important in a CM system, is preserved.


- Disable in corporate LDAP

- Remove from all groups/roles/permissions.

- Add to site-context group "Deactivated Users". This was suggested to me by PTC. For licensing auditing, these users won't be counted.

joe bell
GSIMS Administrator
GPS Sustainment Information Management System
719-572-2890
bellj@gpssims.com<">mailto:bellj@gpssims.com>
0 Kudos
Notify Moderator
RandyJones
20-Turquoise
20-Turquoise
(To:PreetiGupta)
‎Sep 15, 2014 04:03 PM
‎Sep 15, 2014 04:03 PM

Preeti: Similar situation here except we went from WindchillDS to OpenLDAP (for the users). We keep old users forever in order to preserve the history. Not only in Windchill but in "conventional" filesystems also. We have attributes in OpenLDAP that we can filter on to prevent logging in however let
Windchill still see the old users.

The following describes these attributes:

* gpRoleDN
o Does the user have an active Windchill Role?
o In other words can they login to their windchill account?
o apache uses this as a filter to determine if the user can login to Windchill
* gpWindchillUser
o Is the user a "Windchill" user?
o in other words has the user ever had or currently has an active Windchill role?
o OpenLDAP Windchill InfoEngine adapter uses this as a filter for finding users

In apache we filter on the gpRoleDNattribute to determine if users can login to Windchill. In the OpenLDAP adapter definition for Info*Engine Administration we filter on the gpWindchillUser attribute. This can prevent users from logging in however Windchill it's self can still "see" the users.This
also gives us the flexibility of locking a current user out of Windchill for whatever reason.

0 Kudos
Notify Moderator
SteveVinyard
1-Visitor
1-Visitor
(To:PreetiGupta)
‎Sep 15, 2014 04:03 PM
‎Sep 15, 2014 04:03 PM

History isn't lost if Windchill user is deleted. I don't disagree with any of these points though. If you delete a user and then review a signoff or historical record of something they did it will say "Steve Vinyard (deleted)"


Regards,
[cid:image001.gif@01CFCB30.A000F600]

Stephen Vinyard
Director of Customer Success
0 Kudos
Notify Moderator
bellj
1-Visitor
1-Visitor
(To:PreetiGupta)
‎Sep 15, 2014 04:11 PM
‎Sep 15, 2014 04:11 PM

Ah. Yes you are right.
I was thinking of the other reason we don't delete users:
We have had many instances of users leaving and coming back years later. Their history, documents checked out, and even unfinished assignments are intact!

joe bell
GSIMS Administrator
GPS Sustainment Information Management System
719-572-2890
bellj@gpssims.com<">mailto:bellj@gpssims.com>
0 Kudos
Notify Moderator
BenPerry
15-Moonstone
15-Moonstone
(To:PreetiGupta)
‎Sep 15, 2014 04:43 PM
‎Sep 15, 2014 04:43 PM

I also don't think you can execute searches based on deleted users too. So, for example, I cannot search for "CAD files" created by "Steve Vinyard" between "date1" and "date2". Isn't that true?

Ben
0 Kudos
Notify Moderator
TomU
23-Emerald IV
23-Emerald IV
(To:PreetiGupta)
‎Sep 15, 2014 05:06 PM
‎Sep 15, 2014 05:06 PM

Searching by deleted user works just fine. (10.2 M020)

[cid:image002.jpg@01CFD107.61AA7110]
[cid:image003.jpg@01CFD107.61AA7110]
[cid:image004.jpg@01CFD107.61AA7110]
[cid:image013.jpg@01CFD107.61AA7110]

image002.jpg
Preview file
9 KB
image003.jpg
Preview file
14 KB
image013.jpg
Preview file
40 KB
0 Kudos
Notify Moderator
PreetiGupta
15-Moonstone
15-Moonstone
(To:PreetiGupta)
‎Sep 15, 2014 05:31 PM
‎Sep 15, 2014 05:31 PM

This search does not work on 10.1 M040. Thanks Tom for getting screenshot. I agree that history will show Preeti Gupta(deleted), however in our system I cannot search for what Preeti Gupta did in Windchill . We have to go to Individual documents/parts to see history. There is no way I can get a list of everything the user worked on in last 2 months for example.


image004.jpg
Preview file
40 KB
image001.jpg
Preview file
9 KB
image002.jpg
Preview file
14 KB
0 Kudos
Notify Moderator
PreetiGupta
15-Moonstone
15-Moonstone
(To:PreetiGupta)
‎Sep 15, 2014 05:58 PM
‎Sep 15, 2014 05:58 PM

Ok, I take it back, This is funny the way this works after user is deleted from Windchill. The Full Name search is case sensitive now ...wow, I cannot believe the way it is doing it. I almost declared that I cannot search for the user once deleted 🙂
I am so glad that I posted it here, glad to have support from you guys.
[cid:image001.png@01CFD0F5.869FD3A0]
[cid:image002.png@01CFD0F5.869FD3A0]

[cid:image006.png@01CFD0F4.26054170]
image002.png
Preview file
40 KB
image006.png
Preview file
54 KB
image007.jpg
Preview file
9 KB
image010.jpg
Preview file
40 KB
image008.jpg
Preview file
14 KB
image001.png
Preview file
44 KB
0 Kudos
Notify Moderator
MikeLockwood
22-Sapphire I
22-Sapphire I
(To:PreetiGupta)
‎Sep 15, 2014 10:01 PM
‎Sep 15, 2014 10:01 PM

A while back I got very curious about this and created a document with a
bunch of screen captures - showing Windchill UI, the database and LDAP after
each action on some test users. Can't find a copy now, but maybe Preeti or
JP can dig up.


The word "Delete" is used in the Participant / Principle Administrator, but
the user is not actually deleted from the database (WTUSER table). This
allows every action that the user ever took to be presented forever. Don't
recall, but "delete" may actually remove the user from Windchill DS if
active directory integration is not used.



Would be nice if PTC clarified what the "delete" action did in the
Participant / Principle Administrator.



Best practices and standard procedures for handling users who have left have
been posted at least a dozen times that I can recall, but there always seem
to be differences and nuances to consider.


image004.jpg
Preview file
9 KB
image007.jpg
Preview file
40 KB
image001.png
Preview file
44 KB
image002.png
Preview file
40 KB
image005.jpg
Preview file
14 KB
image003.png
Preview file
54 KB
0 Kudos
Notify Moderator
hvaradharajan
1-Visitor
1-Visitor
(To:PreetiGupta)
‎Sep 16, 2014 05:49 AM
‎Sep 16, 2014 05:49 AM

Hi all,


When a user leaves the company, in my opinion, the Windchill user can be deleted.


I have done thie before, and good thing is that the foot print o th user remains in Windchill.


For example, "Created by :ABC (Deleted) " will be shown.


Regarding handling that user from LDAP, like Windows Active Directory, the best practice is that


that user will probably deleted by the Windows Admin.


Moving the deleted Windchill user to a "Deleted Users" group may be messy. you will never


know to which actual groups th user belonged to.


By and large this process is good enough.


If there is a sytem migration to a latr release of Windchill is planned, still I think that the deleted


users too can be migrated.


Foot prints of a user who has left can be very useful down the years during a design review or CRB



Thanks & Regards


Hari Varadharajan


Tata Consultancy Services

0 Kudos
Notify Moderator
atre.shreyas
1-Visitor
1-Visitor
(To:PreetiGupta)
‎Sep 16, 2014 08:40 AM
‎Sep 16, 2014 08:40 AM


Instead of deleting or disabling user I would prefer creating one group in Windchill called deletedUsers and then add all user deleted uses in this group.



If users are from AD and as per company’s corporate policy users’ needs to be deleted from AD when they left organization then let IT delete user from AD. Now, deleted user will be disconnected user in Windchill. Create dummy user in WindchillDS and reconnected disconnected user with dummy user created in Windchill DS. Also remove users from all other groups (groups create for workflow or for manage ACL’s)



Since, user is neither deleted nor disconnected so everything should work fine i.e. Searching of users, Disconnected/ Deleted will also not appear in the user name.




Thanks,


Shreyas

0 Kudos
Notify Moderator
LiuLiang
4-Participant
4-Participant
(To:PreetiGupta)
‎Sep 16, 2014 11:50 AM
‎Sep 16, 2014 11:50 AM

In our company, we don't delete Windchill users, we disable a Windchill user by renaming <username> to X-<username>,changing <full name="> to <full name="> (Deleted), making user's email field empty. Also we remove all groups/roles from user and change password.


We have many interns/contractors/consultants coming back time to time,this makes re-activating returning users pretty simple.

0 Kudos
Notify Moderator
Announcements



Contact Community Management
Top Tags
Top