Permissions
Permissions represent the operations that can be performed on an object. When your Windchill system is configured, an administrator establishes the permissions a specific participant (user, group, or organization) is granted, denied, or absolutely denied for types of objects that are created within a domain. There are two types of access control rules that establish permissions: ad hoc access control rules and policy access control rules.
When using your Windchill system, you can also establish a unique set of permissions for a specific object using the Set Access Control step when you create a folder or share an object, or using the Edit Access Control action after the object has been created.
The following table lists the access permissions that are available in your system and describes the possible rights that are granted, denied, or absolutely denied.
* An administrator can limit the set of permissions that are available, so you may not see all of the permissions described in this table.
Access Permission Rights
Permission
Description
Full Control (All)
A participant (user, group, organization, or role) granted the Full Control (All) permission is granted all permissions currently defined and any defined in the future. Therefore, if new permission types are defined, you do not have to write rules that specifically grant them to participants with full control access.
Read
The right to know the existence of an object and to view the object and its attributes. Additionally, if the object has content, you can view an object's content information such as the file path to a local file or the location of external storage. This permission does not allow you to view the actual contents of the file.
Download
The right to download local files that are the primary content or are attachments of an object. This right is applicable to objects with content, such as documents or drawings.
Modify
The right to change the attributes of an object, as well as other characteristics that are part of the object definition but are not controlled by the Modify Content, Modify Identity, or Modify Security Labels permissions.
For versioned objects, a participant must have the Modify permission on the latest iteration of each version of a target object to update the attributes common to all versions that are not part of the object’s identity. Modify permission on a version of a target object is required to modify that version’s attributes.
Modify Content
The right to modify any local file, URL, or external storage for the primary content and attachments of an object with content. This includes modifying content information and adding, replacing, or deleting content.
Modify Identity
The right to modify a subset of the attributes that determine the identity of an object.
For a part, this subset includes the part number and the organization identifier (such as cage code) of the part, but not the part name. The part name is often treated as a short description.
For a folder, the attributes include the folder name.
The subset of attributes affected by the Modify Identity permission for a given object type is determined through the annotation of classes. For information on customizing the code to modify the set of attributes used in determining the identity of an object, see Identified Business Classes in the Windchill Customization Guide.
Modify Security Labels
The right to modify security label values on an object.
Create By Move
The right to move an object into an administrative domain.
Create
The right to create an object.
Set State
The right of a participant to perform a set state operation where a state transition has been defined to allow the transition from the current life cycle state to the new state.
* To perform a set state operation, a participant must have the Set State permission and there must be a valid state transition defined between the current state and the desired state. If there is no transition defined, the participant must have the Administrative permission to perform the operation.
For information about the Set State action and the permissions required, see Planning Object State Change Policies.
Revise
The right to revise an object. Revising creates a new version of the object at the same level as the original in the version tree. For example, you can create revision B from revision A.
New View Version
The right to create a new view version of an object. The New View Version action creates a new version of the object in a descendant view. The revision identifier sequences between views are independent. For example, you can create A.1 (Manufacturing) from B.1 (Design). For more information about views, see Working with Views and View Associations. For more information about new view versions, see Out-of-the-Box Default Versioning Scheme.
Change Domain
The right to move an object out of an administrative domain.
For information about administrative domains, see Managing Access to Data through Access Control Rules.
Change Context
The right to move an object out of a context.
Change Permissions
The right to change the ad hoc permissions that others have.
Participants who are granted the Change Permissions permission are allowed to change the ad hoc permissions of other participants. They can change these permissions to the permissions they themselves have or to a subset of the permissions they have.
Delete
The right to delete an object.
Administrative
The right to perform certain administrative tasks. For example, an administrator would have the right to undo another user's checkout or set an object to an arbitrary life cycle state.
* In addition to having the permissions required for an operation, users are required to have Read permission on any object displayed in the user interface while they are performing the operation. For example, to navigate to an object that is contained in a folder, users must have Read permission on the folder as well as the object in the folder.
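The following added example is a small Python model of four rules from the table above: Full Control (All) expansion, the Change Permissions limit, the Set State check, and the Read requirement on displayed objects. It is not Windchill code or its API. The function names, the sample state names, and the reading that Administrative alone is enough to set a state are assumptions, and it covers granted permissions only, not deny or absolute deny rules.

```python
from enum import Enum

# Permission names from the table above; a model, not Windchill's own API.
Perm = Enum("Perm", "FULL_CONTROL READ DOWNLOAD MODIFY MODIFY_CONTENT "
            "MODIFY_IDENTITY MODIFY_SECURITY_LABELS CREATE_BY_MOVE CREATE "
            "SET_STATE REVISE NEW_VIEW_VERSION CHANGE_DOMAIN CHANGE_CONTEXT "
            "CHANGE_PERMISSIONS DELETE ADMINISTRATIVE")

def effective(granted):
    """Full Control (All) expands to every permission that is defined."""
    return set(Perm) if Perm.FULL_CONTROL in granted else set(granted)

def excess_grant(grantor, requested):
    """Permissions in an ad hoc change that the grantor may not hand out.

    The grantor needs Change Permissions and can pass on only permissions
    they hold themselves. An empty result means the change is allowed.
    """
    held = effective(grantor)
    if Perm.CHANGE_PERMISSIONS not in held:
        return set(requested)
    return effective(requested) - held

def can_set_state(granted, current, target, transitions):
    """Set State needs the permission and a defined transition.

    Assumption: Administrative alone is enough, since the table says it
    allows setting an object to an arbitrary life cycle state.
    """
    held = effective(granted)
    if Perm.ADMINISTRATIVE in held:
        return True
    return Perm.SET_STATE in held and (current, target) in transitions

def missing_read(granted_by_object, displayed):
    """Objects displayed during an operation on which Read is not held."""
    return [obj for obj in displayed
            if Perm.READ not in effective(granted_by_object.get(obj, ()))]

if __name__ == "__main__":
    # Constructed sample: an editor tries to give a colleague Delete.
    editor = {Perm.READ, Perm.MODIFY, Perm.CHANGE_PERMISSIONS}
    print(excess_grant(editor, {Perm.READ, Perm.DELETE}))
    flow = {("In Work", "Released")}  # constructed transition table
    print(can_set_state({Perm.SET_STATE}, "Released", "In Work", flow))
    print(missing_read({"folder": {Perm.MODIFY}, "doc": {Perm.READ}},
                       ["folder", "doc"]))
```

A non-empty result from `excess_grant` marks an ad hoc change that would give another participant more than the grantor holds, which is the case the Change Permissions description rules out.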