Using Dynamic Roles
Dynamic roles can be used in setting up access control policy rules. They represent the system groups that are created for the roles assigned to team members in context teams and shared teams, and the system groups created in an application context representing the organizations that have members in the context team. For information about system groups, see Groups.
Dynamic roles are available from the Roles tab of the Access Control Rule window of the Policy Administration utility and are maintained from the site and organization contexts as follows:
• In the site context, the dynamic roles consist of the following:
◦ Organization roles that represent the system groups that are created in an application context representing the organizations that have members in the context team. There will only be organization roles for the organizations to which you have access. Each role name is the name of an organization participant and is qualified by the phrase Organization Role. Organization roles are automatically created; you do not create organization roles.
◦ A context team role for each role defined in the wt.project.RoleRb.rbinfo file. Using the site context, you cannot create additional context team roles; however, as part of a customization, you can change the content of the wt.project.RoleRb.rbinfo file. For information on modifying the content of .rbinfo files, see the Windchill Customization Guide.
• In an organization context, the dynamic roles consist of the following:
◦ Organization roles that represent the system groups that are created in an application context representing the organizations that have members in the context team.
There will only be organization roles listed for the organizations to which you have access. Each role name is the name of an organization participant and is qualified by the phrase Organization Role. Organization roles are automatically created; you do not create organization roles.
◦ The context team roles for the roles that are set as visible in the Roles table from a given organization context.
The initial set of roles that are visible in the Roles table from a given organization context is inherited from the site context. In an organization context, organization administrators can add, delete, show, and hide the context team roles displayed in the Roles table. Therefore, they can manage the set of context team roles that display in the Roles tab on the Access Control Rule window when the Policy Administration utility is launched from the organization context.
Policy rules that use dynamic roles can be set at the site and organization level. These rules are then inherited by domains that are children of the domain specified in the policy rule. This allows the administration of these roles and their access control policy rules to be at the organization (or site) level instead of at the application level. Setting rules at the organization (or site) level provides simplified administration for sites where many projects, programs, products, or libraries exist. If you set policy rules for dynamic roles in an application context, the rules only apply to that context.
Dynamic roles can be used by editing the existing access control policy rules through the Policy Administration utility or by creating organization and application templates that use dynamic roles as participants. For more information about dynamic roles and examples of their use, see Using Dynamic Roles in Access Control Rules.
Out-of-the-box, the following dynamic roles can be created from a template:
• Package Creator
• Received Delivery Manager
PTC provides sample XML files that you can use to create a set of new templates that specify dynamic roles in the access control policy rules for an organization context. The sample files are located in the <Windchill>/LoadXMLFiles/dynamicRole directory, where <Windchill> is the location where Windchill is installed. Using the following sample files, you can create a set of dynamic role templates and then use the templates when creating your organization context and child application contexts:
• generalOrganizationTemplate.xml
• generalLibraryTemplate.xml
• generalProductTemplate.xml
• generalProjectTemplate.xml
In the sample organization template XML file, dynamic roles are identified in WTPrincipalReference elements using the groupName and groupType subelements. Dynamic roles have the same names as the system group that they represent. To identify the participant in an access control policy rule as a dynamic role, the value of the groupType element must be DynamicRole. For example, the following WTPrincipalReference element is used to identify the Team Members dynamic role:
<WTPrincipalReference isInternal="true">
<groupName>teamMembers</groupName>
<groupType>DynamicRole</groupType>
</WTPrincipalReference>
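The following is an added example, not part of PTC's documentation or sample files: a Python check that lists which WTPrincipalReference participants in a template are identified as dynamic roles, and flags groupType values that differ from DynamicRole only by case or whitespace. The sample XML is constructed; the SampleRules wrapper element, the guests and reviewers names, and the absence of XML namespaces are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only WTPrincipalReference, groupName, groupType and the
# teamMembers/DynamicRole values come from the page; the <SampleRules> wrapper
# and the "guests" and "reviewers" entries are hypothetical.
SAMPLE = """<SampleRules>
  <WTPrincipalReference isInternal="true">
    <groupName>teamMembers</groupName>
    <groupType>DynamicRole</groupType>
  </WTPrincipalReference>
  <WTPrincipalReference isInternal="true">
    <groupName>guests</groupName>
    <groupType>dynamicrole </groupType>
  </WTPrincipalReference>
  <WTPrincipalReference isInternal="true">
    <groupName>reviewers</groupName>
  </WTPrincipalReference>
</SampleRules>"""

REQUIRED = "DynamicRole"  # exact groupType value the page requires


def audit_principals(xml_text):
    """Classify every WTPrincipalReference by its groupType subelement."""
    report = {"dynamic": [], "near_miss": [], "other": []}
    root = ET.fromstring(xml_text)
    for ref in root.iter("WTPrincipalReference"):
        name = (ref.findtext("groupName") or "").strip()
        gtype = ref.findtext("groupType")  # None when the subelement is absent
        if gtype == REQUIRED:
            report["dynamic"].append(name)
        elif gtype is not None and gtype.strip().lower() == REQUIRED.lower():
            # Looks intended as a dynamic role but is not the exact value.
            report["near_miss"].append((name, gtype))
        else:
            report["other"].append((name, gtype))
    return report


if __name__ == "__main__":
    for kind, entries in audit_principals(SAMPLE).items():
        print(kind, entries)
```

Entries under near_miss are worth reviewing before a template is loaded, since the rule's participant is then not identified by the exact DynamicRole value.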
When the sample organization context template is used to create an organization context, the set of access control policy rules defined in the template establishes the policy rules that are in place in the context. Then the rules are inherited in the child application contexts that are created. When creating the child application contexts, the sample dynamic role product, library, and project templates should be used. The access control policy rules that are set in the organization context have been removed from these templates.