Enabling Enumeration Access for Non-Administrative Users
Non-administrative users can be granted access to edit enumerations without having permissions to manage types. These users can manage global enumerations and enumeration organizers in the Type and Attribute Management utility.
• In the PTC FlexPLM user interface, non-administrator enumeration managers only see the Manage Attribute Value Lists link under the Administrative section of the left navigation pane. They can click that link to launch the Type and Attribute Management utility in the site context.
• In the Type and Attribute Management utility, they only have access to the Manage Global Enumerations tab where they can create, modify, and delete enumerations and enumeration organizers. They do not have access to the Manage Types tab.
• They can see all enumeration organizers in the system. They might or might not have permission to create, modify, or delete enumeration organizers, depending on their access.
• They have permission to create, modify, change the domain, and delete global enumerations belonging to a domain in which they have been given permission to do so.
For enumeration managers to see the Manage Global Enumerations tab, they must belong to a profile that gives access to the Manage Global Enumerations action. To perform operations on enumeration organizers and enumerations, enumeration managers must be given certain access control permissions.
Setting Up a Non-Administrative User as an Enumeration Manager
Follow these steps to set up a non-administrative user to be an enumeration manager.
1. If the Enumeration Managers group does not exist already, create a group for enumeration managers. It is easier to add and remove people to and from a group to control their access, rather than defining the access on a domain for each person.
In PTC FlexPLM, the Enumeration Managers group is available out-of-the-box.
| If you have only one enumeration manager, you do not need to create a group. Continue to the next step. |
a. Under Administrative, click Manage Users, and then click Site Users to launch the Participant Administration utility.
b. Click the create new group icon.
c. In the New Group window, in the Name field, type Enumeration Managers.
d. Complete the other fields in the Set Attributes step as needed and click Next.
e. Add users or groups to the Enumeration Managers group on the Add Members step.
f. Click Finish.
| You can edit the Enumeration Managers group later to add or remove users as needed. |
For more information, see “Creating a New Group” in the Windchill Help Center.
2. If the Enumeration Managers profile does not exist already, create a profile for enumeration managers and grant visibility to the Manage Global Enumerations action.
In PTC FlexPLM, the Enumeration Managers profile is available out-of-the-box.
a. Under Administrative, click Manage User/Group Profiles.
b. Click the new profile icon.
c. In the New Profile window, in the Name field, enter Enumeration Managers as the name for your profile.
d. In the Description field, enter a description of your profile.
e. In the Set Action Visibility step, select the Global checkbox next to the Manage Global Enumerations action.
f. In the Select Members step, add the Enumeration Managers group to the profile. Click the add members to profile icon, search for the group, add it to the participant list, and click OK.
g. Click Finish.
For more information, see “Creating a New Profile” in the Windchill Help Center.
3. Grant the Enumeration Managers group permissions on the LWCOrganizer object type.
a. Launch the Policy Administration utility:
   i. Under Administrative, click Manage User/Group Profiles.
   ii. Under the Context column for the Enumeration Managers group, click Site.
   iii. Under Business Administration, click Policy Administration.
b. Select the System (Site) domain and click Update.
| All enumeration organizers are associated with the System (Site) domain, so the permissions you give apply to all enumeration organizers, no matter what their owning organization is. |
c. In the Administrative Domain client, click the Access Control tab and then click Create to create a new access control rule.
d. In the Access Control Rule window, select the LWCOrganizer type.
e. Under the Groups tab, select the Enumeration Managers group and click Add. The Enumeration Managers group appears in the Selected Principal field.
f. In the Permissions field, under the Grant column, select Read to give the Enumeration Managers group the ability to view enumeration organizers. If you want to allow members of the Enumeration Managers group to perform additional operations on enumeration organizers, you can give them additional permissions on the LWCOrganizer type. For examples of permissions, see Access Control Permissions Needed for Enumeration Organizer Actions.
| Any users who need access to enumerations need Read, Modify, and Create permissions on the LWCOrganizer in the System (Site) domain. |
g. Click Apply.
For more information, see “Creating and Updating Access Control Rules” in the Windchill Help Center.
4. Grant the Enumeration Managers group permissions on the LWCLocalizablePropertyValue object type.
a. In the Access Control Rule window, select the LWCLocalizablePropertyValue type.
b. In the Selected Principal field, select the Enumeration Managers group.
c. Under the Grant column, select the appropriate permissions required by the group. For examples, see Access Control Permissions Needed for Enumeration Actions.
d. Click Apply.
5. Grant the Enumeration Managers group permissions on the LWCEnumerationDefinition object type.
◦ If all the enumeration managers are responsible for the same set of domains, do the following:
1. Launch the Administrative Domain client for each domain to which you want to give access.
2. Give the Enumeration Managers group the appropriate permissions for the actions required on the LWCEnumerationDefinition object type. For examples of permissions, see Access Control Permissions Needed for Enumeration Actions.
3. Assign each enumeration manager to the group by editing the group or user in the Participant Administration client.
◦ If different users are responsible for the enumerations in different domains, and more than one user is responsible for a given set of domains, do the following:
1. Set up one or more additional groups for enumeration managers. Each group is responsible for managing the enumerations in one set of domains.
2. Set up each of the additional groups as members of the parent Enumeration Managers group.
3. Using the Administrative Domain client for each domain, give each group the permissions for the LWCEnumerationDefinition object type. For examples of permissions, see Access Control Permissions Needed for Enumeration Actions.
4. Assign individual users to the appropriate group.
◦ If different users are responsible for the enumerations in different domains, but only one user is responsible for a given set of domains, do the following:
1. Assign each user who is to be a manager to the Enumeration Managers group.
2. Give each user the appropriate permissions for the LWCEnumerationDefinition object type in the domains for which they are responsible. For examples of permissions, see Access Control Permissions Needed for Enumeration Actions.
Access Control Permissions Needed for Enumeration Actions
Action | Domain | Object Type | Permission to Grant |
New Enumeration | Domain assigned to new enumeration | LWCEnumerationDefinition | Read and Create |
New Enumeration | System (Site) | LWCLocalizablePropertyValue | Read and Create |
Edit | Domain assigned to new enumeration | LWCEnumerationDefinition | Read and Modify |
Edit | System (Site) | LWCLocalizablePropertyValue | Read, Create, and Modify |
Delete | Domain assigned to new enumeration | LWCEnumerationDefinition | Read and Delete |
Delete | System (Site) | LWCLocalizablePropertyValue | Delete |
Change Domain | Source domain (existing domain of enumeration) | LWCEnumerationDefinition | Read, Modify, and Change Domain |
Change Domain | Target domain (new domain assigned to enumeration) | LWCEnumerationDefinition | Read, Modify, and Create By Move |
Access Control Permissions Needed for Enumeration Organizer Actions
Action | Domain | Object Type | Permission to Grant |
New Enumeration Organizer | System (Site) | LWCOrganizer | Read and Create |
New Enumeration Organizer | System (Site) | LWCLocalizablePropertyValue | Read and Create |
Edit | System (Site) | LWCOrganizer | Read and Modify |
Edit | System (Site) | LWCLocalizablePropertyValue | Read, Create, and Modify |
Delete | System (Site) | LWCOrganizer | Read and Delete |
Troubleshooting
If an enumeration manager is able to see the actions on the toolbar of the Type and Attribute Management utility, make sure that they do not have Read, Modify, Create, or Delete access permission to the following object types in the System (Site) domain:
• AbstractAttributeDefinition
• WTTypeDefinition
• Measurement System
• QuantityOfMeasure
| Typically, non-administrator users do not have such permissions by default. |
If an enumeration manager is able to see the Manage Types tab of the Type and Attribute Management utility, make sure that they do not have Read, Modify, or Create access permission for the LWCTypeDefinition object type in the System (Site) domain.
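The following is an added example, not PTC code: a small least-privilege check that encodes the two permission tables and the Troubleshooting rules above, then reports which actions a set of grants allows and which grants exceed the enumeration manager role. The grant dictionary layout and the domain names "Apparel" and "Footwear" are assumptions made for illustration; it is not a Windchill export format.

```python
# Added example: least-privilege check of an enumeration manager's grants.
# GRANTS is constructed sample data, not a Windchill export format.
SITE = "System (Site)"
ENUM, LPV, ORG = "LWCEnumerationDefinition", "LWCLocalizablePropertyValue", "LWCOrganizer"
ALL = {"Read", "Modify", "Create", "Delete"}

# Rows of the two permission tables; None means "the enumeration's own domain".
ENUM_ACTIONS = {
    "New Enumeration": [(None, ENUM, {"Read", "Create"}), (SITE, LPV, {"Read", "Create"})],
    "Edit": [(None, ENUM, {"Read", "Modify"}), (SITE, LPV, {"Read", "Create", "Modify"})],
    "Delete": [(None, ENUM, {"Read", "Delete"}), (SITE, LPV, {"Delete"})],
}
ORGANIZER_ACTIONS = {
    "New Enumeration Organizer": [(SITE, ORG, {"Read", "Create"}), (SITE, LPV, {"Read", "Create"})],
    "Edit": [(SITE, ORG, {"Read", "Modify"}), (SITE, LPV, {"Read", "Create", "Modify"})],
    "Delete": [(SITE, ORG, {"Read", "Delete"})],
}
# Troubleshooting: permissions an enumeration manager must not hold in System (Site).
FORBIDDEN = {"AbstractAttributeDefinition": ALL, "WTTypeDefinition": ALL,
             "Measurement System": ALL, "QuantityOfMeasure": ALL,
             "LWCTypeDefinition": {"Read", "Modify", "Create"}}

def held(grants, domain, obj_type):
    return grants.get((domain, obj_type), set())

def allowed_actions(grants, table, domain=SITE):
    """Actions from `table` fully covered by `grants` for an enumeration in `domain`."""
    return sorted(a for a, rows in table.items()
                  if all(need <= held(grants, d or domain, t) for d, t, need in rows))

def can_change_domain(grants, source, target):
    """Change Domain row: needs rights in both the source and the target domain."""
    return ({"Read", "Modify", "Change Domain"} <= held(grants, source, ENUM)
            and {"Read", "Modify", "Create By Move"} <= held(grants, target, ENUM))

def excess_site_grants(grants):
    """Grants that would expose type-management toolbar actions or the Manage Types tab."""
    hits = {t: sorted(held(grants, SITE, t) & bad) for t, bad in FORBIDDEN.items()}
    return {t: perms for t, perms in hits.items() if perms}

# Constructed sample: "Apparel" and "Footwear" are hypothetical domain names.
GRANTS = {
    (SITE, ORG): {"Read"},
    (SITE, LPV): {"Read", "Create", "Modify"},
    ("Apparel", ENUM): {"Read", "Create", "Modify", "Change Domain"},
    ("Footwear", ENUM): {"Read", "Modify"},
    (SITE, "LWCTypeDefinition"): {"Read"},  # misconfiguration to be flagged
}
```

With the sample grants, the manager can create and edit enumerations in "Apparel" but only edit them in "Footwear", cannot move an enumeration between the two, and is flagged for the Read grant on LWCTypeDefinition.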