cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can Bookmark boards, posts or articles that you'd like to access again easily! X

OOB Access Policy issue. Do I need to create multiple Deny for each state?

lgrant
15-Moonstone

OOB Access Policy issue. Do I need to create multiple Deny for each state?

I'm working on an o.o.b version of 10.1.

I have a group "View Released" who I want to only see Released objects and download.

The group has a Profile that stops all modifications available via the profile.

At the Default PDM Library I created a policy to allow that group to Read wtobjects at Released. Works great.

Problem is they can see In Work and they could check out In Work!

I then created a policy to deny everything but read on all objects for that group. That stops the Check out at In Work.

I don't want to create a policy to deny Read at each object state as that would get complicated.

Anyone know what is allowing visibility

ACCEPTED SOLUTION

Accepted Solutions
lgrant
15-Moonstone
(To:lgrant)

OK - there are some OOB Policy that allow all "Team Members" access to all WTDocuments, EPMDocuments and Parts. Once I deleted those I was good.

View solution in original post

3 REPLIES 3
TomU
23-Emerald IV
(To:lgrant)

Take a look at the permissions for your specific domain (context). It very likely that you are inheriting permissions from the site level and organization level. If you are using out of the box roles then you very well may have permissions affecting that role that are propagating down from a higher level domain. If you've created a new role, you will still inherit any permissions that apply to "All" principals. You're will probably need to remove some of these broad permissions at the upper levels and then re-grant them to the appropriate roles as necessary.

lgrant
15-Moonstone
(To:TomU)

I had remvoed an Unafilliated role at the site level and I did not see any WTObject for All participants.

lgrant
15-Moonstone
(To:lgrant)

OK - there are some OOB Policy that allow all "Team Members" access to all WTDocuments, EPMDocuments and Parts. Once I deleted those I was good.

Announcements


Top Tags