cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

how to repair ACL in Windchill

Mat
12-Amethyst
12-Amethyst

how to repair ACL in Windchill

Hi there,

i made a mistake, when I assigned new ACL to an old windchill product.

My intention was, that a product could only be seen by the admin but not by "normal" users (Viewer, CAD-author, etc.). But this went terribly wrong.

Everyone can still see the product, but not its content. As an admin I can see the "policy administration", but I cannot add or edit rules.

 

I did run the ACL - Report tool.

Compared to a working product those lines are missing in the broken product.

 

in section 
Domain: Site, Organization, Product /System

wt.admin.AdministrativeDomain:6236270, wt.fc.WTObject

      + Participant: wt.org.WTRolePrincipal:47985: [Read]

wt.admin.AdministrativeDomain:6236270, wt.workflow.engine.WfExecutionObject

      + Participant: wt.org.WTRolePrincipal:47985: [Read]

in section 
Domain: Site, Organization, Product /System

wt.admin.AdministrativeDomain:6236271, wt.fc.WTObject

      + Participant: wt.org.WTGroup:6236287: [Full Control (All)]
      + Participant: wt.org.WTGroup:47909: [Full Control (All)]

 

 

Is there a way to add those permissions by windchill-shell?

Or can I "reset" the project's permissions by e.g. reassigning permissions from the template product?

1 ACCEPTED SOLUTION

Accepted Solutions
Mat
12-Amethyst
12-Amethyst
(To:Mat)

There is a workaround. With CS78689 https://www.ptc.com/en/support/article/cs78689  I was able to disable ALL ACL temporarily.

With that, I could repair all ACL using the GUI.

But do not forget to re-enable ACL when You are done.

 

View solution in original post

6 REPLIES 6

Hi @Mat .

I would advice you to be sure that you stand on the correct context if you change the ACL. 

 

Actually system does not support any reset ACL in general. by a OOTB function.

 

In the pass I'd found custom utility developed by inneo to manage ACL rules from a excel sheet template and it was very useful. I can't find it now unfortunately.

 

I use another way how to update/copy ACL from one context to another. 

The main idea is described on a CS57440 page,

Just create loadfromfile xml source for specific context.

There is very important point to delete all ACLs from context because the loadfromfile can not delete existing ACLRules. 

 

Hope this can help

 

PetrH

Mat
12-Amethyst
12-Amethyst
(To:HelesicPetr)

Thanks @HelesicPetr for Your reply.

 

Since there are ACL only missing, I tried to add those ACL, but failed.

I went through CS232115, CS57440 and CS6776, but no luck.

 

<?xml version="1.0"?> <!DOCTYPE NmLoader SYSTEM "standardX20.dtd">
<NmLoader>
 
<csvAccessRule handler="wt.load.LoadUser.createAccessRule" >
    <csvuser></csvuser>
    <csvdomain>[/wt.inf.container.OrgContainer=my organisation/wt.pdmlink.PDMLinkProduct=my product]/Default</csvdomain>
    <csvtypeId>wt.epm.WTObject</csvtypeId>
    <csvpermission>+</csvpermission>
    <csvprincipal>ALL</csvprincipal>
    <csvpermissionList>-1</csvpermissionList>
    <csvstate></csvstate>
    <csvallExceptPrincipal></csvallExceptPrincipal>
</csvAccessRule>
 
 
</NmLoader>

 

I tried to load this with:

windchill wt.load.LoadFromFile -d correction.xml

 

But I get this error / output:

 

wt.epm.WTObject type is invalid
Loader method wt.load.LoadUser.createAccessRule reported a failure
No objects were imported due to the error.
Problem in export/import process.
Nested exception is: wt.util.WTException: Loader method wt.load.LoadUser.createAccessRule reported a failure Error loading data from file.
data file = <correction.xml,C:\Users\...\Desktop\correction.xml>
map file = <null,null>
token separator = <null,null>
method = <null,create>
user = <null>
Command line = <{}>
Problem in export/import process.
Nested exception is: wt.util.WTException: Loader method wt.load.LoadUser.createAccessRule reported a failure

Hello @Mat 

First the xml tag values are not well formatted.

 

csvdomain should contains just /Default value

csvtypeId is not correct. wt.epm.CADDocument exist, wt.epm.EPMDocument exist, but wt.epm.WTObject doesn't. wt.fc.WTObject is the highest object in a hierarchy

also the value has to contains WCTYPE|

 

<csvtypeId>WCTYPE|wt.epm.EPMDocument</csvtypeId>

 

 

The domain is defined in the cmd command by -CONT_PATH. 

example:

 

windchill wt.load.LoadFromFile -u user -p pass -d D:\ACL/AV_ACL_IMPORT.xml -CONT_PATH \"//wt.inf.container.OrgContainer=ORGANSIATIONNAME/wt.pdmlink.PDMLinkProduct=PRODUCT NAME\"

 

 

finall example

 

<csvAccessRule handler="wt.load.LoadUser.createAccessRule" >
    <csvuser></csvuser>
    <csvdomain>/Default</csvdomain>
    <csvtypeId>WCTYPE|wt.epm.EPMDocument</csvtypeId>
    <csvpermission>+</csvpermission>
    <csvprincipal>VIEWER</csvprincipal>
    <csvpermissionList>0/10</csvpermissionList>
    <csvstate>RELEASED</csvstate>
    <csvallExceptPrincipal></csvallExceptPrincipal>
</csvAccessRule>

Hope this can help

PetrH

Mat
12-Amethyst
12-Amethyst
(To:HelesicPetr)

Thanks.

I tried is as described, but I now get this error:

 

ATTENTION: Secured Action. You do not have the necessary authorization for this operation. Contact your administrator if you believe you have received this message in error.

 

Looks like a dead end to me, because missing privileges (missing ACLs) was my problem in the first place.

 

@Mat Do you use site admin account? 

It is weird to me.

Try to add ACL rule to site default domain for you to WTObject with all permissions and then try to add ACL to lower domain. 

 

PetrH

Mat
12-Amethyst
12-Amethyst
(To:Mat)

There is a workaround. With CS78689 https://www.ptc.com/en/support/article/cs78689  I was able to disable ALL ACL temporarily.

With that, I could repair all ACL using the GUI.

But do not forget to re-enable ACL when You are done.

 

Announcements