Context Access Control Policies
Users who are members of the site Administrators group are granted Full Control to all object types at the site root domain. Users who are members of the Organization Administrator group (ORG ADMIN) are granted Full Control to all object types at the root domains of the organization (Default, System, Private, and the child of the site context /User domain with the same name as the organization).
During the creation of an organization, additional domain-based access control rules are automatically created as follows:
• In the organization context System domain, the organization’s All Participating Members group is granted read access to templates (such as document templates, life cycle templates, and workflow templates), objects, and initialization rules. For the complete list, see
System Domain Rules.
• In the organization-specific domain that is a child of the site context /User domain, the organization’s All Participating Members group is granted read access to the organization context and organization content.
Additional domain-based access control rules can be defined within an organization template. The following is a list of the access control rules defined in the out-of-the-box organization templates:
• In the General (PDM) organization template, organization members (all users) are granted read access to all Released objects in the organization’s /Default/PDM domain. Only product and library contexts are affected by this rule.
• In the Enterprise organization template, project type groups are granted read access to projects contained in the project type domains. For example, a project of type Engineering has a corresponding group and organization domain. An access control rule is defined granting read access to the Engineering user-defined group in the Engineering domain. When a project of type Engineering is created, the project is put in the Engineering domain. A user who is added to the Engineering group is able to see all projects of type Engineering.
PTC recommends that you do not modify or delete the default set of access control rules automatically created during the creation of organization, product, library, project, or program contexts. It is acceptable to modify access control rules created from a template.
To adjust access control rules, use the Policy Administration utility. To launch the Policy Administration utility in the context of the organization, navigate to > , and click Policy Administration. By launching the Policy Administration utility from > , the context is set to the organization context. In this context, only the domains and subdomains of the organization, plus any ancestor domains from the site are visible. Members of the Organization Administrators group can create and modify rules within the organization’s domains. Below is a list of some of the automatically created organization domains with some basic rules:
• /Default – Rules created at this level are inherited by the default domains of all public products, libraries, projects, and programs contained within the organization and contexts created that have a shared team. Typically, only business objects belong to this domain.
• /Default/PDM – Rules created at this level are inherited by the default domains of all public products and libraries contained within the organization. Typically, only business objects belong to this domain.
• /Default/Project – Rules created at this level are inherited by the default domains of all public projects contained within the organization. Typically, only business objects belong to this domain.
• /Private – Rules created at this level are inherited by the system domains of products, libraries, projects, and programs contained within the organization. The default domain of private products, libraries, projects, and programs also inherit these rules. PTC recommends that no additional access control rules be created within this domain.
• /System – Typically, only administrative objects (such as document templates, team templates, and life cycle templates) are in this domain.
For information about updating the access control rules for an organization domain, see
Creating and Editing Access Control Rules.