Using Dynamic Roles
Dynamic roles can be used in setting up access control policy rules. They represent the system groups that are created for the roles assigned to team members in context teams and shared teams, and the system groups created in an application context representing the organizations that have members in the context team. For information about system groups, see Groups.
Dynamic roles are available from the Roles tab of the Access Control Rule window of the Policy Administration utility and are maintained from the site and organization contexts as follows:
• In the site context, the dynamic roles consist of the following:
◦ Organization roles that represent the system groups that are created in an application context representing the organizations that have members in the context team. There will only be organization roles for the organizations to which you have access. Each role name is the name of an organization participant and is qualified by the phrase Organization Role. Organization roles are automatically created; you do not create organization roles.
◦ A context team role for each role defined in the wt.project.RoleRb.rbinfo file. Using the site context, you cannot create additional context team roles; however, as part of a customization, you can change the content of the wt.project.RoleRb.rbinfo file. For information on modifying the content of .rbinfo files, see the Windchill Customization Guide.
• In an organization context, the dynamic roles consist of the following:
◦ Organization roles that represent the system groups that are created in an application context representing the organizations that have members in the context team.
There will only be organization roles listed for the organizations to which you have access. Each role name is the name of an organization participant and is qualified by the phrase Organization Role. Organization roles are automatically created; you do not create organization roles.
◦ The context team roles for the roles that are set as visible in the Roles table from a given organization context.
The initial set of roles that are visible in the Roles table from a given organization context is inherited from the site context. In an organization context, organization administrators can add, delete, show, and hide the context team roles displayed in the Roles table. Therefore, they can manage the set of context team roles that display in the Roles tab on the Access Control Rule window when the Policy Administration utility is launched from the organization context.
Policy rules that use dynamic roles can be set at the site and organization level. These rules are then inherited by domains that are children of the domain specified in the policy rule. This allows the administration of these roles and their access control policy rules to be at the organization (or site) level instead of at the application level. Setting rules at the organization (or site) level provides simplified administration for sites where many projects, programs, products, or libraries exist. If you set policy rules for dynamic roles in an application context, the rules only apply to that context.
Dynamic roles can be used by editing the existing access control policy rules through the Policy Administration utility or by creating organization and application templates that use dynamic roles as participants. For more information about dynamic roles and examples of their use, see Using Dynamic Roles in Access Control Rules.
Out-of-the-box, the following dynamic roles can be created from a template:
• Package Creator
• Received Delivery Manager
PTC provides sample XML files that you can use to create a set of new templates that specify dynamic roles in the access control policy rules for an organization context. The sample files are located in the <Windchill>/LoadXMLFiles/dynamicRole directory, where <Windchill> is the location where Windchill is installed. Using the following sample files, you can create a set of dynamic role templates and then use the templates when creating your organization context and child application contexts:
• generalOrganizationTemplate.xml
• generalLibraryTemplate.xml
• generalProductTemplate.xml
• generalProjectTemplate.xml
In the sample organization template XML file, dynamic roles are identified in WTPrincipalReference elements using the groupName and groupType subelements. Dynamic roles have the same names as the system group that they represent. To identify the participant in an access control policy rule as a dynamic role, the value of the groupType element must be DynamicRole. For example, the following WTPrincipalReference element is used to identify the Team Members dynamic role:
<WTPrincipalReference isInternal="true">
    <groupName>teamMembers</groupName>
    <groupType>DynamicRole</groupType>
</WTPrincipalReference>
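The following is an added example, not part of the PTC documentation or sample files: a short Python audit that lists which WTPrincipalReference participants in a template are identified as dynamic roles and flags groupType values that differ from DynamicRole only by case or whitespace. Only the WTPrincipalReference, groupName, groupType and isInternal names come from this page; the root element, the other group names and the ConstructedOtherType value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root element, constructedRoleA/constructedGroupB and
# ConstructedOtherType are hypothetical; they are not real Windchill values.
SAMPLE_TEMPLATE = """\
<ConstructedTemplate>
  <WTPrincipalReference isInternal="true">
    <groupName>teamMembers</groupName>
    <groupType>DynamicRole</groupType>
  </WTPrincipalReference>
  <WTPrincipalReference isInternal="true">
    <groupName>constructedRoleA</groupName>
    <groupType> dynamicrole </groupType>
  </WTPrincipalReference>
  <WTPrincipalReference isInternal="true">
    <groupName>constructedGroupB</groupName>
    <groupType>ConstructedOtherType</groupType>
  </WTPrincipalReference>
  <WTPrincipalReference isInternal="true">
    <groupType>DynamicRole</groupType>
  </WTPrincipalReference>
</ConstructedTemplate>
"""

REQUIRED = "DynamicRole"  # value the page requires for a dynamic role participant

def audit_principals(xml_text):
    """Classify every WTPrincipalReference in a template by its groupType."""
    report = {"dynamic": [], "near_miss": [], "other": [], "unnamed": 0}
    for ref in ET.fromstring(xml_text).iter("WTPrincipalReference"):
        name = (ref.findtext("groupName") or "").strip()
        raw_type = ref.findtext("groupType") or ""
        if not name:
            report["unnamed"] += 1  # no groupName: participant cannot be identified
        elif raw_type == REQUIRED:
            report["dynamic"].append(name)
        elif raw_type.strip().lower() == REQUIRED.lower():
            report["near_miss"].append((name, raw_type))  # case/whitespace differs
        else:
            report["other"].append((name, raw_type))
    return report

if __name__ == "__main__":
    for key, value in audit_principals(SAMPLE_TEMPLATE).items():
        print(f"{key}: {value}")
```

Run it against a copy of a template file before loading it; any entry under near_miss or unnamed is a participant worth reviewing, because the rule may not apply to the principal you intended.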
When the sample organization context template is used to create an organization context, the set of access control policy rules defined in the template establishes the policy rules that are in place in the context. Then the rules are inherited in the child application contexts that are created. When creating the child application contexts, the sample dynamic role product, library, and project templates should be used. The access control policy rules that are set in the organization context have been removed from these templates.
Using Dynamic Roles in a New Organization
To use dynamic roles in access control policy rules for a new organization, perform the following actions:
2. Set the view to Organization Templates.
3. Click the create template icon.
The New Organization Template wizard opens.
4. Browse to the location of the generalOrganizationTemplate.xml sample file that contains access control policy rules for dynamic roles. Select only the file that pertains to the organization context.
5. Supply a unique Organization Template Name.
6. (Optional) Provide a description of the template.
7. Click OK.
9. Create a new organization using the organization template you just created.
For the new templates to be used, the product, library, project, and program creators must select the appropriate application template when creating their application context. To ensure that the appropriate templates are chosen, complete the following actions:
1. Navigate to the > page for the new organization that you created in the previous procedure.
2. Set the view to the appropriate context. For example, select Product Templates.
3. Create a new context template using the appropriate sample template content file from the dynamicRole directory described earlier (for example, generalProductTemplate.xml).
4. In the same view, hide the out-of-the-box templates so that the people creating new application contexts do not see them when they create new contexts. For example, select Hide from the actions list for the General Product template.
5. Repeat steps 2 through 4 for each application context template type: product, library, and project. To create a program template that uses the access control rules for dynamic roles, modify the sample project template so that it works for programs.
Using Dynamic Roles in an Existing Organization
If your site already has an organization context and you would like to update that organization context to set up policy rules that use dynamic roles, the access control policy rules for the existing organization and child contexts can be modified using the Policy Administration utility found on > .
After setting new access control policy rules in an organization context that uses dynamic roles, you need to create new application context templates that do not duplicate the rules set at the organization level. To accomplish this, you can use the sample templates provided by PTC as described in the previous section. The rules set at the organization level will then be inherited by the child application contexts.