About Default Access Control Policy Rules

Specialized Administration > Ensuring Data Security > Access Control > About Default Access Control Policy Rules

When a Windchill solution is installed, a set of access control policy rules are created for the initial domains in the site context. These rules are described in the Context Policies section in the Windchill Help Center.

Similarly, additional access control rules are created when an organization context or an application context is created. For more information on the organization rules, see Context Access Control Policies.

For the details on the product and library rules, see Out-of-the-box Context Access Control Policies.

The access control rules set for the domains in the site context should not be modified without considering the full consequences of the modification. For example, changing the rule that grants Administrators Full Control (All) on the WTObject object type in All states should not be modified. If this rule is removed by mistake, you may not be able to administer your Windchill solution.

PTC does not recommend creating rules that deny permissions for the pseudo role ALL. Denying access to ALL includes denying access to users in the administrative groups unless there is a rule granting access to an individual user that is in those groups. PTC does not recommend creating rules that deny permissions for all users except members of a team or team role. Denying access to all users except members of a team role includes denying access to users in administrative groups that are not members of the team unless there is a rule granting access to an individual user that is in those groups. Creating rules that absolutely deny permissions for the pseudo role ALL is not allowed as there is no way to supersede such a rule.

To repair the removal of the Administrators rule described above or to remove rules such as a rule that denies access to all participants, complete the following steps:

1. Using the xconfmanager from within the windchill shell, set the wt.access.enforce property in the wt.properties file to false:

xconfmanager -s wt.access.enforce=false
-t <Windchill>/codebase/wt.properties -p

Setting this property to false turns off access control. This means that none of the access control rules are enforced.

2. Restart Windchill so that the new property value is used.

3. Recreate the rule that was deleted or remove the rule that denies access using the Policy Administration utility.

4. Set the wt.access.enforce property back to true and restart Windchill.

For additional information about using the xconfmanager utility, see About the xconfmanager Utility.