User and Policy Administration

Robert-Altman · ‎Oct 23, 2012

I have all users and data migrated from Intralink 3.4 to
Windchill\Intralink 10.0

Can someone help by confirming the basic sequence of steps for now
getting the users the access to the content? I have been looking through
the PTC University "User and Policy Administration" class but it is
somewhat vague on the actual steps

Thanks in advance,

jzupfer · ‎Oct 23, 2012

Hello,

The Windchill administrator documentation provides procedural information for assigning access permissions to users;the topics included in Ensuring Data Security in the Windchill 10.0 M030 Help Center explain how to set access permissions for users and for specific objects. If you'd prefer to review the PDF version of information about access control policies and security labels, you can find it in the Windchill Specialized Administration Guide.

Regards,

Jane

Jane Zupfer
VP, Windchill Publications

T 763.957.8299
E -

MikeLockwood · ‎Oct 23, 2012

Difficult to dig out from PTC doc's. Products and Libraries have to be created from template - all templates include a very large number of ACLs.

Recommendation (on a test Windchill system):

* Create two test products, one unchanged to refer to and one to test with. For the test one, delete ALL of the ACLs.

* Create a test user and assign to the Members Role of the test product. Log on as this user and see that they have access to no Products.

* Add back the read ACL for cabinet; refresh the test user - they can now see the Product

* Add back the read ACL for subfolder; refresh the test user - they can now see any Folders in the Product

* Continue to add back ACL's and refresh the test user - see the effect of each ACL

* Focus on product data (CAD Doc / WTDoc / WTPart if you use), leaving all the other types until later.

* Focus on direct user actions on product data first: Read, Download Create, Modify, Modify Content, Revise

* Once you're happy with that, then focus on how state changes are made, etc.: Promotion Requests, Change Objects

* Then - other stuff such as Managed Baselines, etc.

* Once you've got a handle on this, put the test user in a group and map the group to the Role in the Product. Get comfortable with this concept. In general, apply all permissions to groups (or maybe Roles - more on this) and control the process for group membership.

(To:Robert-Altman) · ‎Oct 23, 2012

Bob,

I agree with removing ACL's from the Product/Library level when
possible. If you do so, I also suggest you create a product template
that has no ACL's in it (create product, remove ACL's, make other
changes as desired, export as template). Use that template to make your
products. You can do the same for Libraries if you have more than one.

I do suggest that all (when possible) ACLs be set to roles. This goes
with the strategy that I employ (generally, there are ALWAYS
exceptions!).

Roles define access control and workflow task assignments. All contexts
have the same set of roles.

Groups are defined at the Org level and are used to de3fine the context
teams (see below)

At each context, various groups are assigned to the various roles so
that permissions and functions are mapped for each Product/Library
uniquely (or can be).

This allows for the access to be defined in a single place, the Org
level ACLs. Same with workflow behavior (get rid of the workflows and
other admin templates at product/library level)

User access to various products and what they can do is all controlled
at the Org/Group level rather than in each individual product.

You can also use the site level rather than org level, but that makes it
difficult to differentiate between system admin and business admin.
(though types screw up this approach anyway...)

Dan Harlan
Mechanical Engineer / CAD Administrator
480.940.0036 x178 Office
480.940.0039 Facsimile

481 N. Dean Avenue
Chandler, AZ 85226
dharlan@aitint.com
www.aitint.com

From: Lockwood,Mike,IRVINE,R&D [

DamianCastillo · ‎Oct 24, 2012

ACL's

What is an ACL?

I am new to Windchill 10.1 and sometimes I think you speak in code on these forums. 🙂

It's scary to read what is shared here sometimes. It seems you are creating a Flex Capacitor or something.

"Too many people walk around like Clark Kent, because they don't realize they can Fly like Superman"

Lohbauer · ‎Oct 24, 2012

Damian,

Isn’t that part of the knee joint? I recall an NFL running back Tearing an ACL last Sunday.

I am with you Damian, as a new admin I struggle to keep up with the Acronyms and verbal shorthand.

Bob

DamianCastillo · ‎Oct 24, 2012

Robert,

The really scary part is when Java developers are on here talking about
custom code tweaking and things I clearly don't understand. These type of
discussions make a new Windchill Administrator feel like it take rocket
science to use Windchill.

I am told this is not the case but it sure feels like it at times. 🙂

Damian Castillo
CAD & Administration Manager
Engineering Department
Hensley Industries

Lohbauer · ‎Oct 24, 2012

Damian,

That feels so true. But luckily I have this talented group of Rocket scientists to talk me off the ledge from time to time.

Bob

jzupfer · ‎Oct 24, 2012

Damien and Bob,

I can help a little bit. An ACL is an access control list; the documentation I linked to below describeshow administrators work with ACLs and security labels.

Regards,

Jane

BenLoosli · ‎Oct 24, 2012

ACL is Access Control List

The ability of your users to see or modify data in PDMLink is controlled by the ACL. In most cases, you are setting ACLs without knowing it because it is handled by the system.
Add a user to be a member of a product, modifies the ACL for the product.

For complex situations, you can set ACLs directly as a secondary permission at a folder or even file level.

Access control is covered in the Business Administration Guide and training for Windchill/PDMLink.

Thank you,

Ben H. Loosli
USEC, INC.

DamianCastillo · ‎Oct 24, 2012

Ben,

Thanks again for your help.

We covered so much stuff in the Business Admin. class and System Admin.
class that it's hard to remember it all afterward.

I hope not to do any complex custom configurations for our setup so maybe
it won't matter on my end. I do enjoy reading all the topics and learn
what I can as I embark on this new journey called PDMLink.

Thanks again

Damian Castillo
CAD & Administration Manager
Engineering Department
Hensley Industries

MikeLockwood · ‎Oct 24, 2012

I remember reading and re-reading how all this stuff works, then feeling really dumb because I didn’t understanding, then repeating (lots of times). Lots of documentation but not at all clear in my opinion. Written very much for Java programmers, not for someone who is a CAD guru who gets thrust into a Windchill admin role.

But – It’s essential to really understand this area for effective planning and admin of the system. And – it helps a lot for understanding to actually build good Flux Capacitors in your spare time. ☺

Each statement in the Policy Admin, Access Control is an “ACL.” In general, use the Manage Security UI from an object (e.g. a Document) to confirm the actual permissions applied to a specific object at a specific state – to a group or role or specific user.

jzupfer · ‎Oct 24, 2012

I agree that the documentation could be improved, and we work to make it better with each update.

Several of you have indicated that you are new Windchill administrators; if you consult the documentation I've called out in this thread, I'd really appreciate your feedback. Was it helpful? Which of your questions were not answered? What would improve the doc, based on your experience. Please feel free to contact me directly; if it would be more efficient for you, I'm happy to set up a phone meeting.

Thanks,

Jane

bbailey · ‎Oct 24, 2012

bbailey · ‎Oct 24, 2012

bbailey · ‎Oct 24, 2012

Hi Jane,

Would it be possible to re-post the docs or links to them?

Thanks,

Ben

jzupfer · ‎Oct 24, 2012

Hi, Ben,

I'd be glad to:

The Windchill administrator documentation provides procedural information for assigning access permissions to users;the topics included in Ensuring Data Security in the Windchill 10.0 M030 Help Center explain how to set access permissions for users and for specific objects. If you'd prefer to review the PDF version of information about access control policies and security labels, you can find it in the Windchill Specialized Administration Guide.

Regards,

Jane