
restrict access to Context Manager Role

LG_10096154
12-Amethyst


Currently, a context manager (Product, Library or Project) can use Configure Actions for Roles to allow other roles to Modify the Team.

The problem is that whatever role is allowed to modify the team can then add themselves to the context manager role.

On a lesser concern, they could also add users to Roles that they are not qualified to complete tasks assigned to that Role in a workflow.

Does anyone know if it is possible to restrict users from being added to a given role (Product manager, Library Manager)?

 

10 REPLIES
Hari_Vara
13-Aquamarine
(To:LG_10096154)

Hi,

If I understand your situation correctly, your non-context manager users end up adding more team members and also accidentally adding themselves as context managers. Is that right?

Can you show a screenshot of the behaviour, to help us understand if we are talking about the same thing?

 

I think the action can be hidden in UI by profiles.

Take a look at the help article.

https://support.ptc.com/help/windchill/r12.1.2.0/en/index.html#page/Windchill_Help_Center/team/TeamActionVisibilityConfigure.html#

 

Let us know...

Best Regards

Hari

Hi @LG_10096154 

I would recommend using a profile to hide the Configure Action from managers.

 

Btw, it is the responsibility of the Manager if he allows some users to modify the team, and then the responsibility moves to the person who got the option to modify the team.

 

PetrH

@Hari_Vara @HelesicPetr That is how we are getting into this problem 🙂

Our context managers are out of control, with some contexts having more than ten users in them. Typically you would expect to only see PLM admin users in that role, but we have allowed normal business users of the system to be in that role so they can force/break functionality. We are slowly working on removing all the extra users from the context manager role down to just two people, but we are getting push-back from the business to provide a doc control type role with more powers. We have given them the ability to create and modify Team Templates and a few other actions that OOB are only context manager actions. They also want the ability to add users to Roles, and that makes business sense as they have an Engineer that is joining the team or another quality person etc. in those Engineer or Quality Roles. We do have an access request process, but as you can imagine they feel that is slow and cumbersome. We are considering showing the context owners that they can use Action on Roles to provide another role like Doc Control the ability to modify the team, but that opens the gate for Doc Control to also add themselves to the context manager role when they need advanced actions (permissions).

So what I am looking for is a way to allow a role to modify the team but not a specific role (Product Manager, Library Manager). The context manager does need the ability to modify the team as they are charged with completing the approved access request to that context.

If we could hide just context manager role from the Team page that would help?

 

In each of our Contexts, we have a Product/Library Manager that is just from our Windchill admin team. We don't let any other users in that role.

We made a separate role (where needed) that we call a Team Administrator. I forgot how we set it up, but I think we used Configure Actions for Roles to allow that Role to Modify Team. 

Something to consider to see if it works for you

That would be the local answer but.... if you use Action for Roles and select another role to be able to Modify the Team they could also modify the Product Manager role or any context manager role and add themselves.

So even if we did remove all the business users from the context manager role and copy them into another, they could just add themselves back in.

It would be great if that context manager role could be isolated so a designed role could not modify it, a bit like a profile but it hides only that context role.

 

Hari_Vara
13-Aquamarine
(To:LG_10096154)

Hi,

In general, what I have experienced in Windchill implementations is that administrative activities like "Configure Actions to Role" are overwhelming to the real-world product managers.

That's why they have started allowing users to go into the wild west.

 

Have a simple workflow that is initiated by the context manager to add a user to a role. It should come to your Windchill Admin Team.

In fact, for the above to work precisely, you may disable the ability to add Team members to a Role even for the Context manager.

This would relieve them from a lot of Windchill administration that we are used to, not them. That's not their full-time job, whereas for us, it is in the larger scheme of things.

 

Cheers

Hari

Ten users, Oh the humanity! We have contexts with dozens of people in them 🙂 That being said, I like Peter's idea. Configure actions for roles. But SOMEONE needs to be responsible to manage the team.

One thing I should note is that we have over 200 product contexts and more than 100 libraries not to mention close to 500 Project contexts so having a small PLM team add users to Roles would not be manageable plus the PLM team does not know what Roles the users should be in (that's a different issue).

The result is we need a responsible person from that context to manage users in Roles but we don't want them to have the ability to add other users to the context manager role (snowball).

We have a utility that allows a Role in the context (like Doc Control) the ability to create and modify Team Templates for workflows. We have another utility that lets them Reassign tasks for others. So we do have the ability to give them most of what they need but not all they want 🙂 

The "sticky wicket" is context team management. How do we allow a Role to manage access to all the Roles in a given context without having context manager access? And if that is not possible, can we stop someone in the context manager role from modifying just that context manager role so they can't add others to it (snowball)?

Seems like PTC is missing this critical feature for large companies with many contexts to manage. 

 

Here is a post from 2014 about the same issue.

https://community.ptc.com/t5/Windchill/How-to-grant-an-Owner-the-ability-to-edit-context-teams/td-p/431324

So far, PTC just points to the Actions For Roles. CS19432

 

 

Hi @LG_10096154 

Create an Idea to implement that functionality. Maybe in 2035 it could be available.

Or rearrange your team responsibility and use the system the way it can be used (create your own role, add the option to modify team, and test it).

Or create a customization to do what you need.

 

PetrH

rhart
15-Moonstone
(To:LG_10096154)

You can create a custom role which can modify members of any role in the same team except manager roles.

 

Create a new custom role with enumcustomize, we called it PLM Team Manager. Add PLM Team Manager to existing context teams and configure the action, modify team. The PLM Team Manager can’t add themselves or anyone else to the Product Manager role.
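
An added example, not part of the thread and not PTC code: a small audit that checks exported team membership for the "snowball" the thread describes, where a role granted Modify Team ends up in the context manager role. The data layout, user names and the `audit` helper are hypothetical; how membership is exported from Windchill is site-specific and not shown.

```python
# Constructed sample data: context -> role -> members (layout is an assumption).
TEAMS = {
    "Product A": {
        "Product Manager": ["wcadmin1", "wcadmin2"],
        "PLM Team Manager": ["dsmith"],
        "Engineer": ["dsmith", "jlee"],
    },
    "Library B": {
        "Library Manager": ["wcadmin1", "dsmith", "mkhan"],
        "Doc Control": ["dsmith"],
        "Quality": ["mkhan"],
    },
}
# Roles granted Modify Team via Configure Actions for Roles (constructed).
MODIFY_TEAM_ROLES = {"Product A": ["PLM Team Manager"],
                     "Library B": ["Doc Control"]}
MANAGER_ROLES = {"Product Manager", "Library Manager"}  # roles named in the thread
PLM_ADMINS = {"wcadmin1", "wcadmin2"}  # approved context managers (assumption)
MAX_MANAGERS = 2                       # target of "just two people" from the thread


def audit(teams, modify_team_roles, admins=PLM_ADMINS, limit=MAX_MANAGERS):
    """Return sorted (context, finding, detail) tuples for manager-role drift."""
    findings = []
    for ctx, roles in teams.items():
        # Everyone who can edit the team through a delegated role.
        delegated = {user
                     for role in modify_team_roles.get(ctx, [])
                     for user in roles.get(role, [])}
        for role in MANAGER_ROLES.intersection(roles):
            members = set(roles[role])
            if len(members) > limit:
                findings.append((ctx, "too_many_managers",
                                 f"{role}: {len(members)}"))
            for user in sorted(members - admins):
                findings.append((ctx, "non_admin_manager", user))
            # A delegated team editor who also holds the manager role is the
            # snowball case: they may have added themselves.
            for user in sorted(members & delegated):
                findings.append((ctx, "delegate_is_manager", user))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(TEAMS, MODIFY_TEAM_ROLES):
        print(*finding, sep=" | ")
```

Run on a schedule against a fresh export, a `delegate_is_manager` finding is the signal to review who changed that team and when.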
