Restricting access

NT_10191042 · ‎Sep 12, 2022

We have support level staff that at the moment that has Site Admin rights to WC. Their main priorities are to add users to the system and ensure that the users are in their designated roles/licenses.

I need to find a way to ensure they dont have the ability to delete anything on the system. Is that an option?

Ive given them site admin access so they can view Participation Administration and assign users to their designated groups which for the most part is in Organization.

HelesicPetr · ‎Sep 12, 2022

Hi @NT_10191042

Create a group for that admins and set ACL rules for that group to deny delete operation for the objects you need.

CAD Document, WTDocument, WTPart, Change objects, WorkItems and so on...

It can help to solve what you need.

PetrH

BenLoosli · ‎Sep 12, 2022

Give them only Organization Admin rights, not site.

jlecoz · ‎Sep 12, 2022

To manage license without being site admin. You can do the following setup:

As site admin, create a group at org level. For example “Manufacturing Eng” group
As site admin, being at org level open the PTC license group you need to manage and add as a member the group you just created. For example, set “Manufacturing Eng group as a member of PTC Quality license

From now you can assign license to users without be site administrator. To assign license group to user do as following:

As an organization admin, add the user you want to assign a license to the group you created. For example, add jsmith to Manufacturing Eng group will grant him PTC quality license entitlement.

Overall the trick is to create a group at proper level.

MikeLockwood · ‎Sep 12, 2022

It's tricky for sure.

If you assign them Org Admin as suggested above, this takes care of having permissions in all Products / Libraries, but need to remove the Delete permission.

Would be ok to assign a DENY Delete to them, but much better to assign user to a Group, then assign permissions to the Group so if users come and go, the system still works. But, you can't assign a Group as Org Admin (as far as I know). Always assume that people come and go and change responsibilities, so it has to be simple and foolproof to change users but not change the assigned permissions to the current user.

Could create an org-level regular (non-license) Profile that has minimal things checked for these users (and make sure no other Profile assigned); this will greatly simplify the UI for these users. One problem is that they see all Utilities at Org level because this is only one Profile item.

HelesicPetr · ‎Sep 13, 2022

Hi @MikeLockwood

One additional comment with profiles.

It is a good idea to use profiles to minimalize the UI functions. I used it in the past a lot, but with PTC License groups it is problem because license groups use the profiles and I do not find any way how to minimalize check boxes in that license profiles.

or do you have different experience?

PetrH

MikeLockwood · ‎Sep 13, 2022

Agree that with license profiles, we're stuck.

Profiles add; no way to subtract.

Restricting access

Restricting access

Registered User Restrictions

Impossible to access Windchill Server

restrict access to Context Manager Role

Restrict access to windchill

restrict change of lifecycle state through Importa...