Question re. Policy rules for ProE files

davehaigh · ‎Jan 04, 2013

Looking at our existing system I see that all the policies for our ProE cad files are written on the type WTObject.

Is there a compelling reason to do it that way instead of on the type EPMDocument?

Is there a best practice?

David Haigh
Phone: 925-424-3931
Fax: 925-423-7496
Lawrence Livermore National Lab
7000 East Ave, L-362
Livermore, CA 94550

ZacharyAlexande · ‎Jan 04, 2013

Hi David,

It's easier to manage policies if they are applied on WTObject. There is
less of them to have to deal with and it is easier to see all permissions
at once. This also saves you the trouble of having to apply rules to any
objects that you may not have policies applied to already.

However, if you ever want to apply different policies to EPMDocument,
WTDocument, WTPart, etc., they will inherit the policies from WTObject. If
there is a policy applied on WTObject that you don't want applied to one of
these types, you will have to deny it at the EPMDocument level. Typically,
it's a best practice not to deny privileges whenever possible. It is easier
to manage permissions if they are all grant.

Also, setting policies at the EPMDocument level gives you more control when
applying lifecycle-state-specific permissions.

My advice would be if you plan to ever apply different policies to
different object types or lifecycle states, then keep policies applied to
WTObject to a minimum, or remove later when needed.

Thanks,
Zack

Zachary D. Alexander
Operations Manager - RAPiDS
ProductSpace Solutions Inc.
Phone: 630-495-2999 Ex. 8104
Cell: 630-460-4905

davehaigh · ‎Jan 04, 2013

So what I was wondering was... could I only grant permissions to the ProE files to the users of ProE, and prevent others from changing those files. Instead of trying to control this through the lifecycle & OIR.

David Haigh

ZacharyAlexande · ‎Jan 04, 2013

Yes. The easiest way would be to create a Group with all the ProE users in
it. Then, apply the EPMDocument grant permissions to that Group.

If other users still have permissions to EPMDocument through inheritance
from WTObject, then you will be better off removing those privileges on
WTObject and applying them to the specific objects rather than denying
privileges. This will require a little bit more work up front, but it will
make the policies easier to manage in the future.

One important thing to note: removing privileges to WTObject could
potentially remove users access to a variety of objects depending on how
your permissions are configured. Make sure to test any potential changes on
a test server if possible and have users validate that they have the
required access.

Zachary D. Alexander
Operations Manager - RAPiDS
ProductSpace Solutions Inc.
Phone: 630-495-2999 Ex. 8104
Cell: 630-460-4905

ScottPearson · ‎Jan 04, 2013

Fellas,

Since we are on the topic, how do you handle this sort of situation if
some individual Users fall into more than one category (which would
translate to being in more than one Group)?

For instance, what if -- to parallel David's situation -- some Users use
ProE (and thus would be members of a proposed "ProE" Group) but those
same users also use, say, Solidworks (and thus would be members of a
proposed "Solidworks" Group).

If the "ProE" Group has permissions for ProE files only..., and the
"Solidworks" Group has permissions for Solidworks files only..., how
would you go about granting permissions to a User who needs permissions
for both ProE a-n-d Solidworks files?

Would it be necessary to create yet a third Group (e.g. named
"ProWorks") which has permissions for both ProE and Solidworks files?

The tricky part there is that an Admin would always have to check two
Groups to determine who ultimately has permissions for ProE files (i.e.
the "ProE" Group and the "ProWorks" Group). Likewise when determining
who has permissions for Solidworks files.

My memory may be faulty but I believe that when the permissions of two
Groups conflict, the most restrictive rules are applied (please correct
me if I am mistaken). That's what makes this whole topic of "users who
fall into two categories" so tricky for me.

Any tips on how you handle that will be appreciated

Happy New Year.

Scott Pearson
Senior Designer

CAD System Administrator

S O U T H W E S T R E S E A R C H I N S T I T U T E(r)
Space Science and Engineering Division
Department of Space Systems
6220 Culebra Road, San Antonio, TX 78238

ZacharyAlexande · ‎Jan 04, 2013

Hi Scott,

In Windchill 9.1, SolidWorks files and ProE files are both mapped to the
EPMDocument (or Workgroup Manager CAD Document) type. Therefore, if you are
looking to apply different access controls to SolidWorks and ProE files,
this will need to be done in a different way. Windchill 10 also offers more
options when it comes to EPMDocument soft-typing and permissions.

To answer your hypothetical, when a user is a member of 2 or more groups,
they combine the grant and deny permissions. If you only use grant
permissions, the users will inherit all grant permissions from each group.
If you use deny permissions, they will inherit all of both grant and deny
but the deny will overrule the grant permissions.

Thanks,
Zack

Zachary D. Alexander
Operations Manager - RAPiDS
ProductSpace Solutions Inc.
Phone: 630-495-2999 Ex. 8104
Cell: 630-460-4905