Skip to main content
N
NT_101910421-Visitor
1-Visitor
September 12, 2022
Question

Restricting access

  • September 12, 2022
  • 3 replies
  • 1667 views

We have support level staff that at the moment that has Site Admin rights to WC. Their main priorities are to add users to the system and ensure that the users are in their designated roles/licenses.

 

I need to find a way to ensure they dont have the ability to delete anything on the system. Is that an option?

Ive given them site admin access so they can view Participation Administration and assign users to their designated groups which for the most part is in Organization. 

3 replies

HelesicPetr
22-Sapphire II
HelesicPetr22-Sapphire II
22-Sapphire II
September 12, 2022

Hi @NT_10191042 

Create a group for that admins and set ACL rules for that group to deny delete operation for the objects you need.

CAD Document, WTDocument, WTPart, Change objects, WorkItems and so on...

 

It can help to solve what you need.

 

PetrH

B
23-Emerald III
BenLoosli23-Emerald III
23-Emerald III
September 12, 2022

Give them only Organization Admin rights, not site.

J
jlecoz15-Moonstone
15-Moonstone
September 12, 2022

To manage license without being site admin. You can do the following setup:

  1. As site admin, create a group at org level. For example “Manufacturing Eng” group
  2. As site admin, being at org level open the PTC license group you need to manage and add as a member the group you just created. For example, set “Manufacturing Eng group as a member of PTC Quality license

From now you can assign license to users without be site administrator. To assign license group to user do as following:

  1. As an organization admin, add the user you want to assign a license to the group you created. For example, add jsmith to Manufacturing Eng group will grant him PTC quality license entitlement.

Overall the trick is to create a group at proper level.

M
22-Sapphire I
MikeLockwood22-Sapphire I
22-Sapphire I
September 12, 2022

It's tricky for sure.

If you assign them Org Admin as suggested above, this takes care of having permissions in all Products / Libraries, but need to remove the Delete permission.

Would be ok to assign a DENY Delete to them, but much better to assign user to a Group, then assign permissions to the Group so if users come and go, the system still works.  But, you can't assign a Group as Org Admin (as far as I know).  Always assume that people come and go and change responsibilities, so it has to be simple and foolproof to change users but not change the assigned permissions to the current user.

 

Could create an org-level regular (non-license) Profile that has minimal things checked for these users (and make sure no other Profile assigned); this will greatly simplify the UI for these users.  One problem is that they see all Utilities at Org level because this is only one Profile item.

 

 

HelesicPetr
22-Sapphire II
HelesicPetr22-Sapphire II
22-Sapphire II
September 13, 2022

Hi @MikeLockwood 

 

One additional comment with profiles.

It is a good idea to use profiles to minimalize the UI functions. I used it in the past a lot, but with PTC License groups it is problem because license groups use the profiles and I do not find any way how to minimalize check boxes in that license profiles. 

 

or do you have different experience?

 

PetrH

 

 

Terms & ConditionsCookie settingsAccessibility statement