Post Upgrade Steps for Windchill Policy Access Control Rules
Recommended Post Upgrade Steps for CAPA and Customer Experience Management Policy Access Control Rules
If you enabled either of the following migrators in the Upgrade Manager, in order to fully enable the corresponding functionality in Windchill, you must perform manual steps in Policy Administration:
Loads Policy Access Control rules for CAPAActionPlan and CAPAChangeActivity
In Windchill Policy Administration, ensure the following permissions are granted to enable functionality that allows all team members to create a CAPA request if they add an action to the Action table in the New CAPA Request window (some permissions may already exist for the listed group):
| Object | Domain | State | Group | Permission |
|---|---|---|---|---|
| CAPAActionPlan | Default | All | Team Members | Create, Modify, Modify Content, Read, Download |
Loads Policy Access Control Rules for CEDecontamination
In Windchill Policy Administration, ensure the following permissions are granted to enable functionality that allows the customer experience creator to edit the intake node from the customer experience structure (some permissions may already exist for the listed group):
| Object | Domain | State | Group | Permission |
|---|---|---|---|---|
| CustomerExperience | Default | All | Customer Experience Creator (COMPLAINT_CREATOR) | Create, Modify, Modify Content |
Note: For a source system of Windchill 10.2 M030, containers created in Windchill 10.2 M030 from the out-of-the-box templates already have some of these permissions specified in the policy access control rules. However, with changes made to existing container templates at Windchill 11.0 by the migrator “Updates container templates to remove all entity references to QMS external entities,” containers created at 11.0 (and containers created prior to 10.2 M030) may not have the same permissions unless the manual steps above are performed.
In addition to the manual Policy Administration post-upgrade steps, in order to enable functionality related to the optional migrator “Loads Policy Access Control rules for CAPAActionPlan and CAPAChangeActivity”, ensure that the following preferences are set in Windchill Preference Management:
| Preference | Value |
|---|---|
| CAPA – Allow Containment Action | Yes |
| CAPA – Verify Effectiveness | Yes |
| CAPA – Reinvestigate After Failed Effectiveness Verification | Yes |
| CAPA – Action Plan Team Source | Quality Team |
For more information about the optional migrators, see Options.
For more information about the policy access control rules, see “PTC Windchill CAPA: Access Control Rules” and “PTC Windchill Customer Experience Management: Access Control Rules” topics in the Windchill What’s New documentation for Windchill 11.0 F000.
Post Upgrade Steps for View and Print Only License Group
Members of the View and Print Only license group should be absolutely denied all permissions other than Read and Download for WTObject. A new Modify Security Labels permission was introduced in Windchill 11.0. If you select No for the "Enable Modify Security Labels permission migrators" option during upgrade, Modify Security Labels is not added to the policy rule that absolutely denies permissions to the license group. In that case, you need to update the out-of-the-box policy access control rule defined in the Site’s Root (/) domain to add Modify Security Labels to the list of absolutely denied permissions. Updating this policy access control rule is recommended to ensure license compliance.
For more information, see the topic “About the View and Print Only License Group” in the Windchill Help Center.