@Hari_Vara @HelesicPetr That is how we are getting into this problem 🙂

Our context managers are out of control with some context having more than ten users in them. Typically you would expect to only see PLM admin users in that role but we have allowed normal business users of the system to be in that role so they can force/break functionality. We are slowly working on removing all the extra users from the context manager role down to just two people but we are getting push-back from the business to provide a doc control type role with more powers. We have given them the ability to create and modify Team Templates and a few other actions that OOB are only context manager actions. They also want the ability to add users to Roles and that makes business sense as they have an Engineer that is joining the team or another quality person etc in those Engineer or Quality Role. We do have an access request process but as you can image they feel that is slow and cumbersome.  We are considering showing the context owners that they can use Action on Roles to provide another role like Doc Control the ability to modify the team but that opens the gate for Doc Control to also add themselves to the context manager role when they need advanced actions (permissions). 

So what I am looking for is a way to allow a role to modify the team but not a specific role (Product Manager, Library Manager). The context manager does need the ability to modify the team as they are charged with completing the approved access request to that context.

If we could hide just context manager role from the Team page that would help?

In each of our Contexts, we have a Product/Library Manager that is just from our Windchill admin team. We don't let any other users in that role.

We made a separate role (where needed) that we call a Team Administrator. I forgot how we set it up, but I think we used Configure Actions for Roles to allow that Role to Modify Team. 

Something to consider to see if it works for you

That would be the local answer but.... if you use Action for Roles and select another role to be able to Modify the Team they could also modify the Product Manager role or any context manager role and add themselves.

So even if we did remove all the business users from the context manager role and copy them into another they could just add themselves back in,

It would be great if that context manager role could be isolated so a designed role could not modify it, a bit like a profile but it hides only that context role.

Hi,

In general, what I have experienced in Windchill implementations is that, the administrative activity like "Configure Actions to Role" are overwhelming to the Realworld product managers.

Thats why they have started allowing users to go into the wild west.

Have a simple workflow that is initiated by the context manager to add an user to a role., It should come to your Windchill Admin Team. 

In fact, for the above to work precisely, you may disable the ability to add Team members to a Role even for the Context manager.

This would relieve them from a lot of windchill administrative that we are used to, not them. Thats not their full time job, where as for us, it is in the larger scheme of things.

Cheers

Hari