
OOB Access Policy issue. Do I need to create multiple Deny for each state?

lgrant
14-Alexandrite


I'm working on an o.o.b version of 10.1.

I have a group "View Released" who I want to only see Released objects and download.

The group has a Profile that stops all modifications available via the profile.

At the Default PDM Library I created a policy to allow that group to Read wtobjects at Released. Works great.

Problem is they can see In Work and they could check out In Work!

I then created a policy to deny everything but read on all objects for that group. That stops the Check out at In Work.

I don't want to create a policy to deny Read at each object state as that would get complicated.

Anyone know what is allowing visibility?

1 ACCEPTED SOLUTION

lgrant
14-Alexandrite
(To:lgrant)

OK - there are some OOB policies that allow all "Team Members" access to all WTDocuments, EPMDocuments and Parts. Once I deleted those I was good.


3 REPLIES
TomU
23-Emerald IV
(To:lgrant)

Take a look at the permissions for your specific domain (context). It is very likely that you are inheriting permissions from the site level and organization level. If you are using out of the box roles then you very well may have permissions affecting that role that are propagating down from a higher level domain. If you've created a new role, you will still inherit any permissions that apply to "All" principals. You will probably need to remove some of these broad permissions at the upper levels and then re-grant them to the appropriate roles as necessary.

lgrant
14-Alexandrite
(To:TomU)

I had removed an Unaffiliated role at the site level and I did not see any WTObject for All participants.

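The question in this thread ("what is allowing visibility?") can be answered by listing every grant that applies to the user instead of stacking more Deny rules. The sketch below is an added example, not Windchill code or its API: it is a simplified model of policy rules inherited down a domain tree, and the domain paths, the rule set and the placement of the "Team Members" rules on a parent domain are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed domain and type hierarchies (assumptions for illustration only).
DOMAIN_PARENT = {"/Default/PDM": "/Default", "/Default": "/", "/": None}
TYPE_PARENT = {"WTDocument": "WTObject", "EPMDocument": "WTObject",
               "WTPart": "WTObject", "WTObject": None}

@dataclass(frozen=True)
class Rule:
    domain: str
    obj_type: str
    state: str            # "All" matches every lifecycle state
    principal: str
    permissions: frozenset

def ancestors(node, parent_of):
    """Yield node, then each ancestor up to the root."""
    while node is not None:
        yield node
        node = parent_of[node]

def explain_grants(rules, domain, obj_type, state, principals, permission):
    """Return every rule that grants `permission`, including inherited ones."""
    domains = set(ancestors(domain, DOMAIN_PARENT))
    types = set(ancestors(obj_type, TYPE_PARENT))
    return [r for r in rules
            if r.domain in domains and r.obj_type in types
            and r.state in (state, "All")
            and r.principal in principals
            and permission in r.permissions]

READ_ONLY = frozenset({"Read", "Download"})
TEAM = frozenset({"Read", "Modify"})
RULES = [  # constructed sample policy mirroring the thread
    Rule("/Default/PDM", "WTObject", "Released", "View Released", READ_ONLY),
    Rule("/Default", "WTDocument", "All", "Team Members", TEAM),
    Rule("/Default", "EPMDocument", "All", "Team Members", TEAM),
    Rule("/Default", "WTPart", "All", "Team Members", TEAM),
]
# A user in the restricted group who is also on the context team.
USER = {"View Released", "Team Members"}

if __name__ == "__main__":
    for r in explain_grants(RULES, "/Default/PDM", "WTDocument", "In Work", USER, "Read"):
        print(f"Read at In Work comes from {r.principal!r} rule on {r.domain} ({r.obj_type})")
```

In this model the only source of Read at In Work is the broad "Team Members" rule, so removing that rule closes the gap without a Deny per state.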
