12-Amethyst
February 12, 2010
Question

How to logout of Windchill?

Wouldn't it be nice to have a Logout button in Windchill?



Especially when switching between user and administrator accounts this
could be very useful in my opinion.
As a newbie user maybe I'm missing something, but I can't imagine
nobody else ever asked for this functionality.
Shouldn't be that hard to implement.


Olaf Corten
CAD/PLM Manager, Besi Competence Center - Other Business Applications
Fico BV, Ratio 6, 6921 RW Duiven, The Netherlands
Tel.: +31 26 3196215
Fax: +31 26 3196200
Mobile: +31 644548554
www.fico.nl


22-Sapphire I
February 12, 2010
We agree that it is "wrong" but the fact is there is no realistic way that we have found to do this "predictively" with confidence. We'll be delighted when better tools come along for the purpose.


The user permissions that result from the complex combination of configurable elements is the single biggest chess game in Windchill that we're aware of.

First, there is no tool to simply report what exists in the system in a concise way (there is a report but it's not convenient). It takes many hundreds of mouse clicks to even examine what exists.

Second, the OTB product/library templates include all the needed ACR's - resulting in repeating everything that is common in all contexts. A change requires many hundreds of mouse clicks - so the desire always is to factor out all that are common and put them one or maybe two domain levels up.

Third, the actual permissions don't align with user menu picks very well (example: Modify is the permission: Check out is the actual user menu pick). See attached spreadsheet on this.

Fourth, you have to address a five-dimensional inheritance puzzle if you want to avoid repeating every statement brute force: Domain inheritance (site, org, etc.), Object type inheritance (WTObj, WTDoc, RefDoc, etc.), State (All, Released) inheritance, Principal inheritance (group, sub-group), Permission prerequisites (read required for Revise).

Fifth, the implies properties (we immediately blank these properties on every install) select idiotic combinations of permissions - and you can't see ahead of time very easily what is being selected. The prerequisites are not consistently applied by these properties (example: Read is prerequisite for many other actions but is not applied to all where it is prerequisite). As provided, if you select Delete the system also selects Modify - assuming that the only way someone can delete something is if they have Modify permission for it.

wt.access.permissionImplies.1=
wt.access.permissionImplies.2=
wt.access.permissionImplies.5=
wt.access.permissionImplies.7=
wt.access.permissionImplies.8=
wt.access.permissionImplies.10=
wt.access.permissionImplies.11=
wt.access.permissionImplies.13=

Sixth, there are subtle hidden combinations of permissions needed. Examples:
- Need Create at the resulting state in addition to Revise at the current state
- Need both Modify and Modify Identity to rename a Folder
- Need both Modify for a cabinet and Create for a document to create a document
- Set State requires both a Set State transition in the LC at the current state and the Set State permission
- The OTB context templates all use the TeamMembers pseudo-role; many unpredictable results from this
- The Guest Role OTB can see absolutely everything in the system
- Many OTB ACR's in the templates are redundant
- For Project, the local Manage Security tools are combined in some strange ways with ACR's
- It goes on and on...
12-Amethyst
February 12, 2010
I accidentally hit send. Redoing response below.

12-Amethyst
February 12, 2010
"- It goes on and on..."

Mike,

This is the best list of access control related issues that I have seen.

Do you have a comprehensive list of what goes on and on that you could
mail out? Or was this simply off the top of your head, and you don't have
a document or more complete list?

This is really good information.

Al Anderson
Solar Turbines Incorporated


12-Amethyst
February 12, 2010
Thanks for the detailed explanation of what's wrong. That's helpful.

I'd like to see us (PTC) focus on this issue, i.e. our application --
and leave the issue of browser credential clearing to the browsers. As
some have noted, Firefox's built-in Tools -> Clear Recent History does
the trick out-of-the-box. In most browsers there are a variety of
plug-ins to choose from that provide similar functionality as well.

--
Jess Holle

On 2/12/2010 3:17 PM, Lockwood,Mike,IRVINE,R&D wrote:
> We agree that it is "wrong" but the fact is there is no realistic way that we have found to do this "predictively" with confidence. We'll be delighted when better tools come along for the purpose.
>
> The user permissions that result from the complex combination of configurable elements is the single biggest chess game in Windchill that we're aware of.
>
> First, there is no tool to simply report what exists in the system in a concise way (there is a report but it's not convenient). It takes many hundreds of mouse clicks to even examine what exists.
>
> Second, the OTB product/library templates include all the needed ACR's - resulting in repeating everything that is common in all contexts. A change requires many hundreds of mouse clicks - so the desire always is to factor out all that are common and put them one or maybe two domain levels up.
>
> Third, the actual permissions don't align with user menu picks very well (example: Modify is the permission: Check out is the actual user menu pick). See attached spreadsheet on this.
>
> Fourth, you have to address a five-dimensional inheritance puzzle if you want to avoid repeating every statement brute force: Domain inheritance (site, org, etc.), Object type inheritance (WTObj, WTDoc, RefDoc, etc.), State (All, Released) inheritance, Principal inheritance (group, sub-group), Permission prerequisites (read required for Revise).
>
> Fifth, the implies properties (we immediately blank these properties on every install) select idiotic combinations of permissions - and you can't see ahead of time very easily what is being selected. The prerequisites are not consistently applied by these properties (example: Read is prerequisite for many other actions but is not applied to all where it is prerequisite). As provided, if you select Delete the system also selects Modify - assuming that the only way someone can delete something is if they have Modify permission for it.
>
> wt.access.permissionImplies.1=
> wt.access.permissionImplies.2=
> wt.access.permissionImplies.5=
> wt.access.permissionImplies.7=
> wt.access.permissionImplies.8=
> wt.access.permissionImplies.10=
> wt.access.permissionImplies.11=
> wt.access.permissionImplies.13=
>
> Sixth, there are subtle hidden combinations of permissions needed. Examples:
> - Need Create at the resulting state in addition to Revise at the current state
> - Need both Modify and Modify Identity to rename a Folder
> - Need both Modify for a cabinet and Create for a document to create a document
> - Set State requires both a Set State transition in the LC at the current state and the Set State permission
> - The OTB context templates all use the TeamMembers pseudo-role; many unpredictable results from this
> - The Guest Role OTB can see absolutely everything in the system
> - Many OTB ACR's in the templates are redundant
> - For Project, the local Manage Security tools are combined in some strange ways with ACR's
> - It goes on and on...
>
12-Amethyst
February 12, 2010
Agreed. This should be fed to PTC product management.

1-Visitor
February 13, 2010
I tried several times to get an answer from PTC Tech support on how they
assume that customers should manage ACL/Security/Permissions in Windchill
and so far did not have any luck. It seems different companies are doing
permission/security/ACL management in their own way. I have not seen any
standard techniques for how to do it so far that are easy and good
enough. Maybe I missed something...?


Thanks,
Dmitry


1-Visitor
February 14, 2010

Hi

We find it would be a useful functionality. However, PTC seem reluctant to implement it. However, here is our workaround:

Use Internet Explorer, Firefox, Chrome, etc. at the same time to log in as different users. Certain functionalities are not compatible with Firefox or Chrome, but depending on what you are doing this is OK. Also, if you start IE several times (at least with IE 7) you can log in as a different user for each session. The problem is that you need to remember which window is for which user.

Anyone else with a different workaround ?

Cheers

10-Marble
February 15, 2010

We have to toggle back and forth all the time as well and simply opening a second browser session (not a new tab) works wonderfully for us. (FYI - we are using IE7) We utilize this in our training sessions too.

Joe

1-Visitor
February 15, 2010
We purchased the Medical Device Template for PDMLink 8.0 and it includes a
Logout button...so PTC knows how to do this. The first thing we asked is
why they don't include it in PDMLink. They had no answer. It is there in
the MDT because of FDA requirements and access to the system.

If they can include it in the MDT, it would be pretty easy to put it in all
of PDMLink. I guess we have to beg.

Pete


12-Amethyst
February 15, 2010
It's *not* easy to add if we're to support the breadth of clients that
are supported with Windchill.

Forms-based authentication is an application convention that works great
when the only client is an interactive browser session. Unfortunately,
it does not work well at all when you have numerous other types of
clients that don't and can't reasonably understand this convention.

Protocol-based authentication mechanisms like HTTP basic authentication
are based on clear protocol standards and thus work with a huge range of
clients. Browsers hold on to HTTP basic credentials for the duration of
your browser session, though -- and the server cannot reliably influence
this. Thus this is not a problem that is well addressed by server
products -- it is better addressed by browser features.

All that is missing is a browser control to clear these credentials from
its cache. Of course, that's not really missing as decent browsers
provide such a menu item to do this, e.g. Firefox has a "Clear Recent
History" button for this. There are plugins for many browsers for this
purpose.

As for how MDT does this, I can't say, but I suspect this does not
reliably work with all our supported browsers.

--
Jess Holle
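
Added example (not part of the thread and not PTC code): a small Python model of the distinction drawn in the post above, where HTTP basic credentials are cached and resent by the client while a forms-based session is state the server can revoke. The account names, passwords and all function and class names are constructed for illustration.

```python
import base64
import secrets

USERS = {"olaf": "pw-user", "wcadmin": "pw-admin"}  # constructed accounts
SESSIONS = {}  # server-side state; exists only for forms-based login

def basic_server(headers):
    """HTTP basic: stateless, the credentials arrive with every request."""
    try:
        scheme, _, blob = headers.get("Authorization", "").partition(" ")
        user, _, pw = base64.b64decode(blob).decode().partition(":")
    except ValueError:
        return 401, None
    if scheme == "Basic" and user in USERS and USERS[user] == pw:
        return 200, user
    return 401, None  # a 401 only makes the client prompt or resend

def forms_login(user, pw):
    """Forms-based: the server issues a session id that it can revoke."""
    if USERS.get(user) != pw:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid

def forms_server(sid):
    user = SESSIONS.get(sid)
    return (200, user) if user else (401, None)

class Browser:
    """Caches basic credentials for the whole browser session."""
    def __init__(self):
        self.cached = None
    def prompt(self, user, pw):
        self.cached = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
    def get(self):
        return basic_server({"Authorization": self.cached} if self.cached else {})
    def clear_credentials(self):  # the client-side step, e.g. "Clear Recent History"
        self.cached = None

def demo():
    b = Browser()
    b.prompt("olaf", "pw-user")
    still_in = b.get()            # nothing server-side to invalidate
    b.clear_credentials()
    after_clear = b.get()         # only the client could end the basic login
    sid = forms_login("wcadmin", "pw-admin")
    in_session = forms_server(sid)
    SESSIONS.pop(sid, None)       # server-side logout for forms-based login
    return still_in, after_clear, in_session, forms_server(sid)
```
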