Specialized Administration > Ensuring Data Security > Security Labels and Agreements > Configuring Security Labels > Additional Security Label Configuration Concerns > Setting Access Control Permissions for Agreement Managers
  
Setting Access Control Permissions for Agreement Managers
Out of the box, there are no permissions set for the AuthorizationAgreement object type. For agreement managers to access and modify agreements, the appropriate access control rules must be set. You can set permissions using the Policy Administration utility or by creating or updating context templates.
For more information on using the Policy Administration utility to create access control rules, see About the Policy Administration Utility. For more information on creating context templates, see About Context Templates.
Permissions should be set in the domain in which agreements reside as well as in the domain in which a user's checked-out work resides. When an object is checked out, a working copy of the object is created in a checked-out work folder. Out of the box, the checked-out work folder resides in the user's personal cabinet and the user has full control over all objects in the cabinet. By default, users have the necessary permissions on their checked-out work folder to perform all actions.
When agreements are enabled, permissions should be set on the following object types:
AuthorizationAgreement
Cabinet
SubFolder
Some permissions may already exist on the Cabinet and SubFolder object types and on their parent type, WTObject.
Not all agreement managers are required to have full control over agreements. Permissions can be set for an individual agreement manager, a group of agreement managers, or the entire agreement manager group. Additionally, not all agreement managers need permissions in all contexts. You can set the rules so that some agreement managers can only create or modify agreements, while others have additional permissions, such as Delete.
Only agreement managers with Read access to the agreements cabinet for a particular context can see the Agreements page in that context. For example, an agreement manager has permission to access the agreements cabinet in a project context, but the same agreement manager does not have permission to access the agreements cabinet in the organization context. As a result, this agreement manager is only able to see the Agreements page in a project context.
Read permission is required to access any object and view its information page. The following table illustrates additional access control permissions required for actions often completed by an agreement manager. The object location column has the following values. Use these values to determine the domain in which to grant access control permissions.
Target Location - the location where the agreement will reside when the action is complete.
Source Location - the current location of the agreement.
Checked-out Location - the location where the working copy of the agreement resides.
* 
In addition to being a part of the Agreement Manager group, you will also require at least one of the following license profiles to be able to create, edit, or delete an agreement:
IP Protection License Profile
PTC Windchill Advanced License
PTC Windchill Premium License
Action
Object Type
Object Location
Permissions
New Agreement
AuthorizationAgreement
Target Location
Create
Subfolder
or
Cabinet
Target Location
Modify
Check Out
AuthorizationAgreement
Source Location
Modify
AuthorizationAgreement
Checked-out Location
Create
Subfolder
Checked-out Location
Modify
Edit
AuthorizationAgreement
Checked-out Location
Modify
Check In
AuthorizationAgreement
Source Location
Modify
Subfolder
Checked-out Location
Modify
or (if not owner of checkout)
AuthorizationAgreement
Source Location
Administrative
Undo Checkout
AuthorizationAgreement
Checked-out Location
Delete
Subfolder
Checked-out Location
Modify
or (if not owner of checkout)
AuthorizationAgreement
Source Location
or
Checked-out Location
Administrative
View Information
AuthorizationAgreement
Source Location
Read
Rename
AuthorizationAgreement
Source Location
Modify (change name)
Modify Identity (change number)
New Revision
AuthorizationAgreement (existing revision)
Source Location
Revise
AuthorizationAgreement (new revision)
Target Location
Create
Set State
AuthorizationAgreement
Source Location
Set State1
or
Administrative
Cut/Paste
AuthorizationAgreement
Source Location
Change Domain2
Change Context3
AuthorizationAgreement
Target Location
Create By Move4
Subfolder
or
Cabinet
Source Location
Modify
Subfolder
or
Cabinet
Target Location
Modify
Copy/Paste
AuthorizationAgreement
Target Location
Create
Subfolder
or
Cabinet
Target Location
Modify
Delete
AuthorizationAgreement
Source Location
Delete
Subfolder
or
Cabinet
Source Location
Modify
Subscribe
AuthorizationAgreement
Source Location
Read
Edit Access Control
AuthorizationAgreement
Source Location
Read

1 To set the state of an object, there must be a valid state transition between the current state and the target state. For information about the Set State action and the permissions required, see Planning Object State Change Policies.

2 The Change Domain permission is only required if the object is pasted in a new domain.

3 The Change Context permission is only required if the object is pasted in a new context.

4 The Create By Move permission is only required if the object is pasted in a new domain.

For example, if you want an agreement manager to be able to create an agreement, that participant must have Create permission for the agreement object and Modify permission for the folder or cabinet in which the agreement is to be created.
You can set access control permissions on the AuthorizationAgreement type for users who are not agreement managers. Any user can subscribe to an agreement as long as the user has Read access to the agreement. For more information, see Out-Of-The-Box Access Control Rules.
For more information about access control permissions, see the Access Control reference information.