16-Pearl
January 26, 2022
Solved

how to repair ACL in Windchill


Hi there,

I made a mistake when I assigned a new ACL to an old Windchill product.

My intention was that the product could only be seen by the admin, but not by "normal" users (Viewer, CAD-author, etc.). But this went terribly wrong.

Everyone can still see the product, but not its content. As an admin I can see the "policy administration", but I cannot add or edit rules.

 

I did run the ACL - Report tool.

Compared to a working product those lines are missing in the broken product.

 

in section 
Domain: Site, Organization, Product /System

wt.admin.AdministrativeDomain:6236270, wt.fc.WTObject

 + Participant: wt.org.WTRolePrincipal:47985: [Read]

wt.admin.AdministrativeDomain:6236270, wt.workflow.engine.WfExecutionObject

 + Participant: wt.org.WTRolePrincipal:47985: [Read]

in section 
Domain: Site, Organization, Product /System

wt.admin.AdministrativeDomain:6236271, wt.fc.WTObject

 + Participant: wt.org.WTGroup:6236287: [Full Control (All)]
 + Participant: wt.org.WTGroup:47909: [Full Control (All)]

 

 

Is there a way to add those permissions by windchill-shell?

Or can I "reset" the project's permissions by e.g. reassigning permissions from the template product?


2 replies

HelesicPetr
22-Sapphire II
January 27, 2022

Hi @Mat .

I would advise you to be sure that you are in the correct context if you change the ACL.

 

Actually, the system does not support any ACL reset in general by an OOTB function.

 

In the past I found a custom utility developed by inneo to manage ACL rules from an Excel sheet template, and it was very useful. Unfortunately, I can't find it now.

 

I use another way to update/copy ACLs from one context to another.

The main idea is described on the CS57440 page.

Just create a loadfromfile XML source for the specific context.

A very important point is to delete all ACLs from the context, because loadfromfile cannot delete existing ACL rules.

 

Hope this can help

 

PetrH

Mat (Author)
16-Pearl
February 3, 2022

Thanks @HelesicPetr for your reply.

Since there are only ACLs missing, I tried to add those ACLs, but failed.

I went through CS232115, CS57440 and CS6776, but no luck.

 

<?xml version="1.0"?> <!DOCTYPE NmLoader SYSTEM "standardX20.dtd">
<NmLoader>
 
<csvAccessRule handler="wt.load.LoadUser.createAccessRule" >
 <csvuser></csvuser>
 <csvdomain>[/wt.inf.container.OrgContainer=my organisation/wt.pdmlink.PDMLinkProduct=my product]/Default</csvdomain>
 <csvtypeId>wt.epm.WTObject</csvtypeId>
 <csvpermission>+</csvpermission>
 <csvprincipal>ALL</csvprincipal>
 <csvpermissionList>-1</csvpermissionList>
 <csvstate></csvstate>
 <csvallExceptPrincipal></csvallExceptPrincipal>
</csvAccessRule>
 
 
</NmLoader>

 

I tried to load this with:

windchill wt.load.LoadFromFile -d correction.xml

 

But I get this error / output:

 

wt.epm.WTObject type is invalid
Loader method wt.load.LoadUser.createAccessRule reported a failure
No objects were imported due to the error.
Problem in export/import process.
Nested exception is: wt.util.WTException: Loader method wt.load.LoadUser.createAccessRule reported a failure Error loading data from file.
data file = <correction.xml,C:\Users\...\Desktop\correction.xml>
map file = <null,null>
token separator = <null,null>
method = <null,create>
user = <null>
Command line = <{}>
Problem in export/import process.
Nested exception is: wt.util.WTException: Loader method wt.load.LoadUser.createAccessRule reported a failure
HelesicPetr
22-Sapphire II
February 3, 2022

Hello @Mat 

First, the XML tag values are not well formatted.

csvdomain should contain just the /Default value.

csvtypeId is not correct. wt.epm.CADDocument exists, wt.epm.EPMDocument exists, but wt.epm.WTObject doesn't. wt.fc.WTObject is the highest object in the hierarchy.

Also, the value has to contain WCTYPE|

 

<csvtypeId>WCTYPE|wt.epm.EPMDocument</csvtypeId>

 

 

The domain is defined in the cmd command by -CONT_PATH. 

example:

 

windchill wt.load.LoadFromFile -u user -p pass -d D:\ACL/AV_ACL_IMPORT.xml -CONT_PATH \"//wt.inf.container.OrgContainer=ORGANSIATIONNAME/wt.pdmlink.PDMLinkProduct=PRODUCT NAME\"

 

 

Final example:

 

<csvAccessRule handler="wt.load.LoadUser.createAccessRule" >
 <csvuser></csvuser>
 <csvdomain>/Default</csvdomain>
 <csvtypeId>WCTYPE|wt.epm.EPMDocument</csvtypeId>
 <csvpermission>+</csvpermission>
 <csvprincipal>VIEWER</csvprincipal>
 <csvpermissionList>0/10</csvpermissionList>
 <csvstate>RELEASED</csvstate>
 <csvallExceptPrincipal></csvallExceptPrincipal>
</csvAccessRule>

Hope this can help

PetrH
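
A pre-load check for the rule format described in the reply above, as an added example that is not part of the original thread and is not PTC code. The function names `lint_rule` and `lint_file` are hypothetical, the sample XML is constructed from the two rules posted in this thread, and the reading of `-1` as "Full Control (All)" is an assumption to verify against your Windchill release. It does not check whether the class named in csvtypeId actually exists.

```python
import xml.etree.ElementTree as ET

HANDLER = "wt.load.LoadUser.createAccessRule"

# Constructed sample: rule 1 is the failing rule from the thread, rule 2 the
# corrected form from the reply (empty elements omitted for brevity).
SAMPLE = """<NmLoader>
<csvAccessRule handler="wt.load.LoadUser.createAccessRule">
 <csvdomain>[/wt.inf.container.OrgContainer=my organisation/wt.pdmlink.PDMLinkProduct=my product]/Default</csvdomain>
 <csvtypeId>wt.epm.WTObject</csvtypeId>
 <csvpermission>+</csvpermission>
 <csvprincipal>ALL</csvprincipal>
 <csvpermissionList>-1</csvpermissionList>
</csvAccessRule>
<csvAccessRule handler="wt.load.LoadUser.createAccessRule">
 <csvdomain>/Default</csvdomain>
 <csvtypeId>WCTYPE|wt.epm.EPMDocument</csvtypeId>
 <csvpermission>+</csvpermission>
 <csvprincipal>VIEWER</csvprincipal>
 <csvpermissionList>0/10</csvpermissionList>
</csvAccessRule>
</NmLoader>"""

def lint_rule(rule):
    """Return a list of problems found in one <csvAccessRule> element."""
    get = lambda tag: (rule.findtext(tag) or "").strip()
    problems = []
    domain = get("csvdomain")
    # The container belongs on the command line (-CONT_PATH), not in csvdomain.
    if not domain.startswith("/") or "wt.inf.container" in domain:
        problems.append("csvdomain must be a bare domain path such as /Default")
    if not get("csvtypeId").startswith("WCTYPE|"):
        problems.append("csvtypeId must start with WCTYPE|")
    # Assumption: -1 in csvpermissionList means Full Control (All).
    perms = get("csvpermissionList").split("/")
    if get("csvprincipal") == "ALL" and get("csvpermission") == "+" and "-1" in perms:
        problems.append("rule grants every permission to ALL principals")
    return problems

def lint_file(xml_text):
    """Map rule number (1-based, in file order) to its list of problems."""
    rules = [r for r in ET.fromstring(xml_text).iter("csvAccessRule")
             if r.get("handler") == HANDLER]
    return {i: lint_rule(r) for i, r in enumerate(rules, 1)}

if __name__ == "__main__":
    for number, problems in lint_file(SAMPLE).items():
        print(number, problems or "ok")
```
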

Mat (Author, Answer)
16-Pearl
March 22, 2022

There is a workaround. With CS78689 https://www.ptc.com/en/support/article/cs78689 I was able to disable ALL ACL temporarily.

With that, I could repair all ACL using the GUI.

But do not forget to re-enable ACL when you are done.