Create all access control list (ACL) rules in the RFA library domain.

If rules are created in any parent domain to the RFA domain, then the access control list is applied to all instances of the given object or type within PTC FlexPLM, as well as all type trees that are rendered (library searches, create, and so on). To provide the best organization and ease of maintenance, create the rules at the RFA library domain. Rules created in parent domains are supported, but not recommended.

Rules created in a domain below the RFA domain are applied to instances, but not type access checks.

Rules created in subdomains can cause potential conflicts in end user screens. The type access checks (library search, create type selection, and so on) are not aware of rules in the subdomains. This can lead to situations such as the search returning results a user does not have access to, but attempts to view the instances returned in that search would result in access exceptions. Rules created in these domains are not supported and are not recommended as proper access control configuration.