Context Policies
Context policy items can include the following domain-based rules:
- Access control rules that establish the access control against specific participant, object type, life cycle state, and domain combinations. For example, there can be an access control rule for objects with the wt.doc.WTDocument object type in the /Default domain that gives read permission to the Engineers system group.
- Indexing rules that define which collections an object is included in when the object of a specified object type and domain combination moves to a specific life cycle state. Collections are used to create indexing lists which help improve performance when searching for objects.
- Notification rules that define which participants get notified when a specified event occurs for an object type and domain combination.
Contexts provide a means for controlling access to the contained information. In application contexts, access is controlled through context team membership, policy rules, and ad hoc rules. Context contents can be restricted so that access is limited to the members of a context team, or so that the context information can be made more broadly available to the enterprise through policies that grant additional participants (such as users, groups, or organizations) access to specific object types.
The policies that are in effect in a context are determined by the policies set in the domains that are in the current context, as well as those set in the parent domains. For details, see Administering Domains and Policies.
Installed Site Context Policies
The site context policies that are set consist of the domain-based access control rules and one indexing rule. No notification rules are set in the site context domains, and no policy rules are set in the site context /SessionIterationDomain domain.
Note: Your solution may vary from the following description, as the name of the Administrators group and the names of some initial domains are configurable from the wt.properties.xconf file prior to the installation.
The following sections describe the rules that are set in the site context.
Access Control Rules for / (Root) Domain
The following domain-based access control rules are set when the data is loaded during the installation. The rules are in the site context / (root) domain for all life cycle states. Permissions granted are indicated with a plus sign (+), permissions denied are indicated with a minus sign (-), and permissions absolutely denied are indicated with an exclamation mark (!).
For more information, see About Access Control Rules.
Note: These rules ensure that users can operate within the Windchill solution and should not be changed without fully understanding the reason for the change.
| Object Type | Participant | Permissions | Comment |
|---|---|---|---|
| AccessPolicyRule | ALL | +Read | Allows organization and application context administrators to see inherited access rules. |
| AdministrativeDomain | ALL | +Read | Allows all users to view domains. |
| DeliverableDefinition | ALL | +Read and +Create | Allows all users to create and read deliverable definitions. |
| EPMDocConfigSpec | ALL | +Full Control (All) | Allows all users to perform configuration management of business objects within their workspace when using Creo Parametric or other workgroup managers. |
| ExchangeContainer | ALL | +Read | Allows all users to complete a variety of general actions. |
| Meeting | OWNER | +Full Control (All) | Grants owners full access to meetings that they own. For information about setting up meetings with WebEx, see Setting Up Meetings. |
| NotificationSubscription | Administrators | +Full Control (All) | Grants administrators full access. |
| NotificationSubscription | ALL | +Read and +Create | Grants all users read and create access. |
| NotificationSubscription | OWNER | +Full Control (All) | Grants the owner full access. |
| Team | OWNER | Read | Grants the team owner read access. |
| WTDocumentConfigSpec | ALL | +Full Control (All) | Grants full control to all users. |
| WTMarkup | ALL | +Read, +Download, and +Create | Allows all users to create and read markups. These permissions are required because view markups are not life cycle managed. |
| WTMarkup | OWNER | +Modify, +Modify Content, and +Delete | Allows the owner of a markup the ability to modify and delete it. |
| WTObject | Administrators | +Full Control (All) | Grants full control to all site administrators. |
| WTObject | View and Print Only | !Modify, !Modify Content, !Modify Identity, !Create By Move, !Create, !Set State, !Revise, !New View Version, !Change Domain, !Change Context, !Change Permissions, !Delete, and !Administrative | Absolutely denies users in the View and Print Only license group all permissions except those required to view and download objects. |
| WTPartConfigSpec | ALL | +Full Control (All) | Allows all users to perform configuration management of business objects within their workspace when using Creo Parametric or other workgroup managers. |
| WTRolePrincipal | ALL | +Read | Grants all users read access. |
| FvPolicyRule | ALL | +Read | Grants all users read access. |
| FvFolder | ALL | +Read | Grants all users read access. |
| FvHost | ALL | +Read | Grants all users read access. |
| FvVault | ALL | +Read | Grants all users read access. |
| ReplicaFolder | ALL | +Read | Grants all users read access. |
| ReplicaVault | ALL | +Read | Grants all users read access. |
| RootFolder | ALL | +Read | Grants all users read access. |
| Site | ALL | +Read | Grants all users read access. |
| DerivedImage | ALL | +Read, +Create, and +Download | Allows all users to create, read, and download derived images. |
| DerivedImage | Team Members | +Full Control (All) | Grants full control to all team members. |
Access Control Rules for /User Domain
The following domain-based access control rules are set in the site context /User domain for all life cycle states:
| Object Type | Participant | Permissions | Comment |
|---|---|---|---|
| WTGroup | Unrestricted Organizations | +Read | Allows read access to groups for the organizations that are in this group. |
| WTObject | OWNER | +Full Control (All) | Grants full control to the owner of an object. |
| WTUser | Unrestricted Organizations | +Read and +Download | Allows read and download access to users for the organizations that are in this group. |
Access Control Rule for /User/Unaffiliated Domain
The following domain-based access control rule is set in the site context /Unaffiliated domain (which is a child of the /User domain) for all life cycle states:
| Object Type | Participant | Permissions | Comment |
|---|---|---|---|
| WTPrincipal | ALL | +Read | Allows read access to participants for all users. |
Access Control Rules for /Default Domain
The following domain-based access control rules are set in the site context /Default domain for all life cycle states:
| Object Type | Participant | Permissions | Comment |
|---|---|---|---|
| Meeting | ALL | +Read | Allows read access to meetings for all users. This rule is used to provide visibility of WebEx meetings for all users. For information about setting up meetings with WebEx, see Setting Up Meetings. |
| RelationshipMap | ALL | +Read | This object type is used for collecting dependent objects when archiving objects. |
| NavigationFilterTemplate | All | +Read | Allows read access to all users. |
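The following added example (not PTC code and not part of the original documentation) models how the installed rules above combine: rules are collected from the object's domain and its parent domains, and an absolute deny (!) removes a permission even when another rule grants it. The type ancestry, the function names, and the use of the fifteen permissions named on this page as the full permission set are assumptions; plain denies (-) are left out because none of the installed rules use them.

```python
# Added example: a simplified model of rule resolution, not Windchill code.
DENIED = {"Modify", "Modify Content", "Modify Identity", "Create By Move",
          "Create", "Set State", "Revise", "New View Version", "Change Domain",
          "Change Context", "Change Permissions", "Delete", "Administrative"}
ALL_PERMS = DENIED | {"Read", "Download"}  # stands in for Full Control (All)

# (domain, object type, participant, sign, permissions), copied from the tables.
RULES = [
    ("/", "WTObject", "Administrators", "+", ALL_PERMS),
    ("/", "WTObject", "View and Print Only", "!", DENIED),
    ("/", "WTMarkup", "ALL", "+", {"Read", "Download", "Create"}),
    ("/", "WTMarkup", "OWNER", "+", {"Modify", "Modify Content", "Delete"}),
    ("/User", "WTObject", "OWNER", "+", ALL_PERMS),
    ("/Default", "Meeting", "ALL", "+", {"Read"}),
]

# Assumption: each listed type inherits rules written for WTObject.
TYPE_PARENT = {"WTMarkup": "WTObject", "Meeting": "WTObject"}

def domain_chain(domain):
    """'/User/Unaffiliated' -> ['/User/Unaffiliated', '/User', '/']."""
    parts = [p for p in domain.split("/") if p]
    chain = []
    while parts:
        chain.append("/" + "/".join(parts))
        parts.pop()
    return chain + ["/"]

def type_chain(obj_type):
    """Return the type followed by its assumed ancestors."""
    chain = [obj_type]
    while chain[-1] in TYPE_PARENT:
        chain.append(TYPE_PARENT[chain[-1]])
    return chain

def effective_permissions(domain, obj_type, participants):
    """participants: every name the user matches (groups, ALL, OWNER if owner)."""
    domains, types = domain_chain(domain), type_chain(obj_type)
    granted, absolutely_denied = set(), set()
    for rule_domain, rule_type, who, sign, perms in RULES:
        if rule_domain in domains and rule_type in types and who in participants:
            (granted if sign == "+" else absolutely_denied).update(perms)
    return granted - absolutely_denied  # an absolute deny beats any grant

if __name__ == "__main__":
    viewer = {"ALL", "OWNER", "View and Print Only"}
    print(sorted(effective_permissions("/User", "WTMarkup", viewer)))
```

A member of the View and Print Only group who owns a markup in the /User domain ends up with Read and Download only, even though two OWNER rules grant more.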
Access Control Rules for /System Domain
The domain-based access control rules set in the site context /System domain are used to control access to administrative objects. For normal operations, you should not modify these rules.
To view the rules, access the Policy Administration utility from the site context. For information about accessing the Policy Administration utility, see Administering Domains and Policies.
Indexing Rule for / (Root) Domain
The following indexing rule is set in the site context / (root) domain for all life cycle states:
| Object Type | State | Collections | Comment |
|---|---|---|---|
| WTObject | All | Wblib | Indexes all objects in all states and puts the indexes into the Wblib collection. |
Updating Context Policies
Use the Policy Administration utility to update context policies. For information about using the Policy Administration utility, see Administering Domains and Policies.