I am trying to give 2 users at a remote site read-only rights to the data in Windchill.
Is there a trick to this? I have them in a group that should only have RO access to all CAD files and documents. They are in the context team Viewer and the ACL for Viewer participants shows Read, Download for their rights.
When I tested by logging in as one of them, Windchill allowed me to create a new object in a folder.
Any overriding ACLs that I need to look at?
Windchill 11.0 m030 CPS16
If a Product/Library is created from an OTB context template, it includes many ACLs to the participant "Team Members" which is for all Roles.
This gives a lot of users much more permission than intended in general and may be the cause for what you are seeing.
Use Edit Access Control from an existing object. Add the user to the UI and drill down to the source of the permissions.
May need to remove a bunch of ACLs given to the Team Members participant and re-create to specific Role(s).
Alternate: Can assign these users as Guest; may need to compare the Guest ACLs on an OTB install.
Especially if you are using the "Product Design" template, there are a lot of ACLs and Object Initialization Rules.
One point I have noticed is that you cannot use role Guest for CAD, as the CAD user needs to be able to add to workspace.
Settings are configured not to have Add to Workspace be exposed to a guest user: https://www.ptc.com/en/support/article/CS204059
I would create a new role and limit "Team Member" to read.
These users will only have access to Windchill and CreoView. They do not have Creo on their computers.
We are doing the design here and building it a couple of hundred miles away. The drawings are very sparse with dimensions, per project decree (don't get me started) and they want to use CreoView to examine the drawings and models to get additional dimensions and information.
There isn't enough explanation in your question to provide a definitive solution. There are many reasons why these users would be able to do more than what is defined in these two permissions.
It all depends on the current access permissions configuration in your environment. Initial guess is Team Members have been assigned Create permissions somewhere in your domain structure. The expedient bad practice is to deny everything except Read and Download to the Viewers role. The recommended practice is to track down the unintended grant and rework permissions so this grant doesn't automatically include the Viewer role.
You can also use the Guest role, but it really does limit to view only (no Markups) and comes with some hard coded functional baggage. Personally, I would stick with the Viewer role.
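The replies above advise tracking down the rule that gives a Viewer more than Read and Download. The following is an added sketch, not part of the thread and not Windchill code, of that trace on a simplified model. The domain names, the inheritance from parent domains and the deny handling are assumptions, and the rule data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data for a simplified model; not Windchill's API or schema.
# Assumption: rules set on a parent domain also apply to its child domains.
PARENT = {"/Default/Product-A": "/Default/PDM", "/Default/PDM": "/Default", "/Default": None}

@dataclass(frozen=True)
class Rule:
    domain: str
    participant: str      # role or pseudo-role the rule applies to
    effect: str           # "grant" or "deny"
    perms: frozenset

RULES = [
    Rule("/Default/Product-A", "Viewer", "grant", frozenset({"Read", "Download"})),
    # Template-style rule: "Team Members" covers every role, Viewer included.
    Rule("/Default/PDM", "Team Members", "grant",
         frozenset({"Read", "Download", "Create", "Modify"})),
]

def domain_chain(domain):
    """Return the domain followed by its ancestors up to the root."""
    chain = []
    while domain is not None:
        chain.append(domain)
        domain = PARENT[domain]
    return chain

def trace(participants, domain, rules):
    """Map each effective permission to the (domain, participant) rules granting it."""
    chain = domain_chain(domain)
    hits = [r for r in rules if r.domain in chain and r.participant in participants]
    # Assumption: a deny removes the permission regardless of other grants.
    denied = set().union(*(r.perms for r in hits if r.effect == "deny"))
    sources = {}
    for r in hits:
        if r.effect == "grant":
            for perm in sorted(r.perms - denied):
                sources.setdefault(perm, []).append((r.domain, r.participant))
    return sources

def unintended(participants, domain, rules, intended=frozenset({"Read", "Download"})):
    """Permissions the user holds beyond the intended set, with their sources."""
    return {p: s for p, s in trace(participants, domain, rules).items() if p not in intended}

VIEWER_USER = {"Viewer", "Team Members"}   # a Viewer is also a team member
if __name__ == "__main__":
    for perm, src in sorted(unintended(VIEWER_USER, "/Default/Product-A", RULES).items()):
        print(f"{perm}: granted by {src}")
```

In this model, adding a deny rule for Viewer hides the extra permissions, while re-pointing the Team Members rule at a specific role removes them at the source.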