cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

We are happy to announce the new Windchill Customization board! Learn more.

Problem Report Authors Configuration Question

pwilliams-3
11-Garnet

Problem Report Authors Configuration Question

10.1 M040

Hi Everyone,
Has anyone configured Windchill to allow all users the ability to create a Problem Report on objects within containers without being a member on the container team? If so, would you mind sharing how you did it?

Patrick Williams | Engineering Systems | c: 616.947.2110
[cid:image001.jpg@01D00024.147A33C0]

3 REPLIES 3

Customization via action or workflow or custom page. Easier to create a role
on the container team that allows them to only create these and then use
security labels and/or access controls to restrict access. My guess is they
at least need to know what they are creating a problem report against?






From: Williams, Patrick

Well now we're just looking for the shiny key in the tall weeds.



You need to think about this from a CISSP standpoint also. You do not want
to open any backdoors. I got butterflies in my stomach when you mentioned
WTObject - all.



Do you have error message and stacktrace from the log files? This may be
quite informative as you know. Have you turned on tracing for wt.access.*?



My recommendation is to load a role and group via load files to a container
- I do it all the time and will simplify greatly, the effort. I can provide
example if you like.



Removing or altering via load file is customization though.



Problem report authors is not on any specific role in a container team by
default is my tired brain recollects; therefore, you likely have an ACL
conflict as a deny via 'none' or a hard deny.



Are you sure no 'permission implies' association adjustments are getting in
the way?



How is the read to Released granted at Org level? Is principal on that
container team being tested?



Here's what I think is going on:



A grant and a 'none' can cancel each other out in theory as an implicit
deny. The member principal is in more than one group at same domain or
parent domain level.



Hope that helps,

Dave




Top Tags