Access Control Rules
An access control rule maps a domain, an object type, a life cycle state, and a participant to a set of permissions. An access control rule specifies the rights of a user, group, role, or organization to access objects of a specified type and state within a domain. In addition to setting rules for a particular participant, you can use the following methods to create rules for specific situations.
Dynamic Roles
For team roles that are common across multiple application contexts, it is useful to centralize the administration of rules. Use
dynamic roles as participants in rules created for domains that are parent to domains at the application context level. For example, use a dynamic role to write a rule in an organization domain. The rule is inherited by all application context domains within that organization that are descendants of the domain where the rule is defined.
Pseudo Roles
To create rules that apply for all participants in the system, select Pseudo Role: All. For example, use this role to write a rule that denies all users Delete permission for parts in a given domain. To create rules that apply to object owners, select Pseudo Role: Owner. When a participant checks out an object, such as a part or document, that participant becomes the owner of the checked-out object. You can use Pseudo Role: Owner to create a rule granting Full Control (All) permission to owners of a part for a given domain.
All except selected participant
To administer the rules of a large set of users, select All except selected participant when creating your rule. For example, if you have a group that has a certain security clearance, you can restrict the access of all users except those within that group.
The access control rules you create constitute the access control policy for the domain. An access control list (ACL), is derived from the set of rules for a domain and its ancestor domains. An ACL is the mechanism Windchill uses to enforce this domain policy.
