
How best to mark users inactive or disabled?

LewisLawrence
12-Amethyst

Folks,

We have had a few TC sessions around active users in Windchill the past couple of years. In our case we do not want to delete the user, as it is not uncommon for someone to change roles temporarily before coming back. So to mark a user account as Inactive we currently update the username in Windchill which disconnects the Windchill account from the AD and prevents them from authenticating.

Unless I imagined it I believe that there is actually a document/recommended practice for doing this. It goes something like:
1) Rename user to “xxxxusername”
2) Add user to group “yyyy”
I have been led to believe that if you use the correct group name then that prevents the users from showing up in some of the UI screens which is why I am researching this.

Assuming for the minute that I did not dream this, does anyone know where I can find that document? I have tried tech support on this, but so far I am drawing a blank.

Failing getting any documentation, can anyone tell me what should be used for xxxx and yyyy above?

Thanks in advance,


-----

Lewis

8 REPLIES
TomU
23-Emerald IV
(To:LewisLawrence)

Sensitive subject since many orgs have other policies and procedures layered around this.

Use of a correct group name does not prevent them from showing up.

I personally don't mess with the userid, display name of the user at all as the PTC documentation suggests, but then again we do not connect Windchill to active directory the same way as PTC documentation states. We instead do it through Apache. If the user gets assigned a task in a recent workflow process, etc. admins can reassign or hijack the tasks.

We add them to a Deactivated Users group, which is bound to a deny all access for domain and domain of group. We also change domains of the user in principal administrator along with their personal cabinet. They are removed from all groups which grant them access or role pools.

This can all be automated, whatever approach you choose, and I have developed a means using audit records to suspend users at 90 days via membership of one group and deactivation at 180 days. Our accounts are never deleted and always valid. If a user happens to log in due to single sign on authentication, they see nothing in Windchill due to the deny rules in place.

To further that, a customization can be written for Tomcat to filter access completely if one so desires; personally, this is a piece that I've wanted to pass along to PTC and make it OOTB.

Lewis,
How do you update the username if you're connected to AD? Do you set the property in the adapter as <adapter>.windchill.config.readOnly=false to make Windchill think you can update the username in the AD?

Thanks,
Ben

Yeah and I should have said earlier it's not a group name to hide these
users but distinguished name filter / search and PTC has documented how to
filter these users out of your connection. If you cannot find this article,
I can dig it up for you.




Maybe you should have a look at this:


http://communities.ptc.com/docs/DOC-1356


Hugo.


<< ProE WF5 - PDMLink 10.1 M040>>

We are not truly integrated with AD, we actually manage the user accounts in Windchill but connect to AD to validate the password. By updating the username in Windchill it no longer matches AD and the user cannot authenticate.

In Reply to Ben Perry:


Lewis,
How do you update the username if you're connected to AD? Do you set the property in the adapter as <adapter>.windchill.config.readOnly=false to make Windchill think you can update the username in the AD?

Thanks,
Ben

Thanks this was what I was looking for.

In Reply to Tom Uminn:


Found it! "Windchill FlexPLM, and Arbortext Content Manager Usage Assessment Program Instructions" It's part of the download (or at least used to be) on this page: http://support.ptc.com/support/usageassessments/windchill. Here is the relevant section:


Deactivating Users (1) to Reduce the Number of Required Licenses
First, determine which of your Inactive Users can be deactivated. PTC provides a free downloadable tool that will analyze your web server logs to report on Windchill usage by user, so that you can identify Enabled Users that are no longer Active Users. See the instructions below for running this tool.

Second, if deactivating a user for the first time, create a group called "Deactivated Users" so that the Deactivated Users can be easily tracked. If the group already exists, skip to the third step.

Third, log into Windchill using the site administrator account (typically named wcadmin). Browse to the Site Utilities page and launch the Principal Administrator. Click on the "Users" link in the upper left corner to get to the user administration page. Click on the "Add Existing Users to Table" icon in the upper right. Search and select the user accounts that you wish to deactivate. Multiple accounts may be selected by clicking on the checkboxes to the left of each user in the search results table. Press the "OK" button on the search dialog to return to the user administration page. Click on the "Update User" icon next to the account you wish to deactivate. Change the user's full name to a string that will sort alphabetically to the end of a list, and will obviously denote a deactivated user. For example, for a user named "John Doe", we recommend using something like "xxx_Deactivated_JohnDoe". This is important so that other users will recognize that the account has been deactivated and, for example, will know not to assign tasks to that user. Change the user's password so that they can no longer access your Windchill system.

Fourth, click on the "Groups" tab at the top of the "Update User" dialog. Click on the "Add Existing Groups to Table" icon. Search for the "Deactivated Users" group. Select the group by clicking the checkbox to the left of the group in the search results table, then press the "OK" button. Press the "OK" button in the "Update User" dialog.


Note
It is also possible to delete an account in Windchill. An account may be deleted by clicking the action to "disable" or to "delete" the account from the Principal Administrator user interface.

Despite the name, "deletion" does not, in fact, completely delete the user account from the database because true deletion would cause you to lose that user's history. Good configuration management practices dictate that events are recorded and identified by actual user, regardless of whether the user currently has access to the system.

However, PTC does not recommend deletion because deleting an account makes it impossible to reactivate that account. If that user returns to your employment, having to assign such user a new account will be inefficient and could be misleading since one user would then have two identities within the system. Also, deleting a user makes it much more difficult to reassign such a user's tasks. Deletion is generally only appropriate when the administrator makes an error in creating the account in the first place, and the account has not yet been used.

I also do not like changing the name of the user.  I have a simple report that shows the user and the last time they logged in.  The report shows both the old name and the new name as separate lines.
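
The inactivity check discussed in this thread (last activity per user from web server logs, with the 90-day suspend and 180-day deactivate thresholds one reply mentions), as an added example that is not part of any post and is not PTC's tool. It assumes Apache access logs in common/combined format with the authenticated user in the third field; the log lines, user names, roster and reference date are constructed.

```python
import re
from datetime import datetime, timezone

# Apache common/combined log format: host ident authuser [time] "request" status size
LINE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
SUSPEND_DAYS, DEACTIVATE_DAYS = 90, 180  # thresholds quoted in the thread

def last_seen(lines):
    """Map lower-cased authenticated user -> time of most recent accepted request."""
    seen = {}
    for line in lines:
        m = LINE.match(line)
        # Skip malformed/anonymous lines and 401s (the user name there is only claimed).
        if not m or m["user"] == "-" or m["status"] == "401":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        user = m["user"].lower()
        if user not in seen or ts > seen[user]:
            seen[user] = ts
    return seen

def classify(roster, seen, now):
    """Label every enabled account; accounts absent from the logs are flagged, not guessed."""
    labels = {}
    for user in roster:
        ts = seen.get(user.lower())
        if ts is None:
            labels[user] = "never_seen"   # log window may be too short: review by hand
        elif (now - ts).days >= DEACTIVATE_DAYS:
            labels[user] = "deactivate"
        elif (now - ts).days >= SUSPEND_DAYS:
            labels[user] = "suspend"
        else:
            labels[user] = "active"
    return labels

# Constructed sample data (user names, paths and dates are invented for illustration).
SAMPLE_LOG = [
    '10.0.0.5 - JDoe [02/Jan/2014:09:15:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120',
    '10.0.0.5 - jdoe [10/Aug/2014:08:00:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120',
    '10.0.0.7 - asmith [01/May/2014:12:00:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 733',
    '10.0.0.9 - asmith [14/Aug/2014:03:00:00 +0000] "GET /Windchill/app/ HTTP/1.1" 401 381',
    '10.0.0.8 - bkhan [10/Jan/2014:10:00:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 910',
    '10.0.0.9 - - [14/Aug/2014:03:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
]
ROSTER = ["jdoe", "asmith", "bkhan", "cnew"]
NOW = datetime(2014, 8, 15, tzinfo=timezone.utc)
def report():
    return classify(ROSTER, last_seen(SAMPLE_LOG), NOW)
```

The failed request logged for `asmith` does not reset that account's idle clock, and `cnew`, who never appears in the sample, is reported separately rather than being treated as inactive.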
