Controlling Login Access
The mks:aa ACL controls login access linked to managing the ACLs through the Authorization Administration application. Login access to specific functionality (workflows and documents, and configuration management) is controlled through individual ACLs (mks:im and mks:si, respectively).
If you have concurrent licenses, you may want to limit login access to the specific principals who need to use those licenses. In an environment with concurrent licenses where no login restrictions exist, anyone in the security realm can use those licenses.
The following procedures detail the steps required to revise the Login permission.
Keep in mind the important distinction between clearing and denying a permission. Based on inheritance, an explicitly denied permission takes precedence, even if that permission is allowed through another principal. When you clear a permission, that permission can still be explicitly allowed through another principal.
When changing a permission, click the indicator box and toggle through the condition indicators until the box displays a green plus sign indicating an allowed condition.
|
In controlling login access, the sequence of operations is extremely important. First, you must first ensure that, as administrator, you assigned yourself the Login permission and that you retain this permission after any other changes to the ACL system. Only then can you clear that permission for the everyone group.
To revise the mks:aa Login permission using the PTC RV&S Administration Client
|
1. From the PTC RV&S Administration Client, open the > view, and click Global. The display pane shows the global permission information for the mks:aa ACL.
The default ACL entry for the mks:aa ACL is a group named everyone. Remember, ACL entries consist of principals and permissions. In this case, the assigned permission is Login.
2. You should first add a new ACL entry that gives you, or your administrator group, full login access. To add a new ACL entry, highlight the Global mks:aa ACL and right click to choose New from the shortcut menu. The Select Principal dialog box displays.
3. From the Principal list, select the administrative group or user you want to add the new ACL entry for.
For information on filtering data and selecting a principal, see the Filtering Data topic in the Getting Started documentation. When you are finished selecting a principle, click OK. The Change Permissions dialog box displays.
4. To change the mks:aa Login permission, click the indicator box and toggle through the condition indicators until the box displays a green plus sign indicating an allowed condition.
|
Once you add a principal, you can edit the associated permissions at any time by selecting the required option from the ACL menu or by right clicking and choosing the required option from the shortcut menu. Menu options include Allow Permission, Deny Permission, and Clear Permission.
|
5. To accept the changes, click OK. The display pane shows the new ACL entry for the administrator and the Login permission is enabled for the selected principal.
The next step is to clear the Login permission for the everyone group.
|
When setting mks:aa ACL permissions for the everyone group, be careful that you only clear the Login permission.
Do not deny the Login permission to the everyone group—this effectively denies login permission to all users, including any administrator included in that group. Denial of login access to the administrator means that you cannot log in to the ACL database.
|
6. To clear the Login permission, highlight everyone and then select > . The Change Permissions dialog box displays the default permissions for the mks:aa ACL.
|
You can also click to expand the everyone section, highlight the Login permission, and then right click to choose Clear Permission from the shortcut menu.
|
7. In the Permissions area, change the mks:aa Login permission by clicking the indicator box and toggling through the condition indicators until the box is blank indicating a cleared condition.
8. To accept the changes, click OK. The Login permission is cleared for the everyone group and explicitly allowed only for the administrator.