Authorization
Access control based on Windchill groups, roles, and profiles must be enforced. Escalation of privilege can provide unexpected access to customer intellectual property (IP) as well as to system resources.
Do not bypass access control or allow any escalation of privilege. If required for system calls, use a defined coding pattern to ensure permissions are reestablished as required.
Server-side authorization checks are always performed for every action or object access.
It is not sufficient to check authorization in action validators. The services performing the actions must enforce the required authorization. Authorization requirements could include access permission, membership to certain groups, ownership, and so on.
If an object’s access is derived from another object (for example, link objects, workspaces, preferences), authorization is verified on the server side before performing actions on the object.
Access controls should fail securely using generic error messages. Do not disclose sensitive information to the user.
All access control decisions, including failed decisions, are logged.
Security audit events are generated to capture failed authorization for any Windchill business object.
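The points above (authorization enforced inside the service rather than only in an action validator, a generic error for the user, a logged audit record for the failed decision, and a fixed pattern for re-establishing enforcement after a privileged system call) can be shown together in one service method. The following is an added illustration, not PTC's code; the Windchill class and method names used (`wt.access.AccessControlHelper.manager.hasAccess`, `wt.access.AccessPermission.MODIFY`, `wt.access.NotAuthorizedException`, `wt.session.SessionHelper.manager.getPrincipal`, `wt.session.SessionServerHelper.manager.setAccessEnforced`) are assumed from common Windchill customization patterns, and `SecureUpdateService`, `updateObject`, `applyPrivilegedChange` and the logger name are hypothetical.

```java
// Added example (not PTC's code). Windchill API names are assumptions
// drawn from common customization patterns; check them against your release.
import java.util.logging.Logger;

import wt.access.AccessControlHelper;
import wt.access.AccessPermission;
import wt.access.NotAuthorizedException;
import wt.fc.Persistable;
import wt.session.SessionHelper;
import wt.session.SessionServerHelper;
import wt.util.WTException;

public class SecureUpdateService {

    // Hypothetical audit logger name; route it to your security audit sink.
    private static final Logger AUDIT = Logger.getLogger("windchill.access.audit");

    /**
     * Service entry point. The authorization check lives here, so it is
     * enforced no matter which UI action, validator or integration calls it.
     */
    public void updateObject(Persistable target) throws WTException {
        String principal = SessionHelper.manager.getPrincipal().getName();
        String oid = String.valueOf(target.getPersistInfo().getObjectIdentifier());

        // Server-side decision: does the current principal hold MODIFY on this
        // object? Group, role and profile membership are part of the ACL evaluation.
        boolean allowed = AccessControlHelper.manager.hasAccess(target, AccessPermission.MODIFY);

        // Every decision is logged, including the failed ones.
        AUDIT.info("access decision: principal=" + principal
                + " permission=MODIFY object=" + oid + " allowed=" + allowed);

        if (!allowed) {
            // Fail closed. The detail stays in the audit log; the user gets a
            // generic message that reveals nothing about the object or the ACL.
            throw new NotAuthorizedException("You are not authorized to perform this operation.");
        }

        applyPrivilegedChange(target);
    }

    /**
     * Defined coding pattern for an internal call that must run with access
     * enforcement disabled: capture the previous setting, do the work, and
     * restore the setting in a finally block so it cannot leak past this method.
     */
    private void applyPrivilegedChange(Persistable target) throws WTException {
        boolean previouslyEnforced = SessionServerHelper.manager.setAccessEnforced(false);
        try {
            // Privileged internal work on 'target' goes here (hypothetical).
        } finally {
            // Always re-establish enforcement, even if the work above threw.
            SessionServerHelper.manager.setAccessEnforced(previouslyEnforced);
        }
    }
}
```

The ordering matters: the user-facing check and its audit record happen before enforcement is relaxed, and the relaxed window is confined to the `try` block so an exception cannot leave the session with enforcement switched off.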
Cross-Site Request Forgery (CSRF): Actions that perform operations such as creating, modifying, or deleting Windchill business objects, modifying team memberships, modifying access controls, and so on, use CSRFProtector APIs to protect from CSRF attacks. Actions that use JCA and GWT infrastructures should already have CSRF protection in place.
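The page tells you to use the CSRFProtector APIs and does not show what they do internally. As an added illustration of the protection such an API provides, the following generic synchronizer-token check is not the CSRFProtector API and not PTC's code; it uses only the standard Servlet API and JDK, and `CsrfCheck`, `issueToken`, `isValidRequest`, the session attribute name and the `csrf_token` parameter name are hypothetical.

```java
// Added example (not PTC's code, not the CSRFProtector API): a generic
// synchronizer-token check of the kind a CSRF protection layer performs.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class CsrfCheck {

    // Hypothetical names for the session attribute and request parameter.
    private static final String SESSION_ATTR = "csrf.token";
    private static final String PARAM_NAME = "csrf_token";
    private static final SecureRandom RNG = new SecureRandom();

    private CsrfCheck() {}

    /** Issue a fresh unpredictable token bound to this session; embed it in forms. */
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_ATTR, token);
        return token;
    }

    /**
     * Call this before any state-changing operation (create, modify, delete,
     * team or ACL changes). Returns false when there is no session, no issued
     * token, no supplied token, or the two do not match.
     */
    public static boolean isValidRequest(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object expected = session.getAttribute(SESSION_ATTR);
        String supplied = request.getParameter(PARAM_NAME);
        if (!(expected instanceof String) || supplied == null) {
            return false;
        }
        // Constant-time comparison so token bytes cannot be recovered via timing.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

The check is only meaningful when it is applied to every state-changing request and the token is never accepted from a GET request; read-only actions need no token.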
Allowed integrations must use secure connections established by the Windchill configuration. No alternate communications are allowed.