Managing User Access to Data
All Windchill installations establish an initial organization participant and organization context for the initial organization (as described in Working With the Initial Organization Context). To belong to the initial organization, each user must have an entry in the user directory service that was set up as part of the installation process, and the organization attribute of that entry (usually “o”) must be set to the organization name. Members of the initial organization can be given access to the data stored in the organization context or its child contexts, depending on the access control rules that are in place. Users who are not members of the initial organization usually do not have access to the data stored in the initial organization context or its child contexts unless someone in the organization invites them to participate; again, this depends on the access control rules that are in place.
Note: If your site does not use the organization attribute in the directory service entries for users, all users can be assigned to an organization using the usersOrganizationName property. For more information on using this property, see Configuring Additional Enterprise Directories.
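The membership rule above (a user entry's organization attribute must equal the organization name) is easy to audit before access is granted. The following is an added example, not code from the Windchill documentation or product: it parses a small, constructed LDIF export of the user directory and reports which user entries would and would not qualify as members of the initial organization. The organization name "Acme Corp", the "o" attribute, the inetOrgPerson object class and the sample entries are all assumptions made for the example.

```python
# Added example (not from the Windchill documentation): audit which directory
# user entries would qualify for membership in the initial organization.
# Assumptions (hypothetical): user entries are LDIF records of objectClass
# inetOrgPerson, the organization attribute is "o" (the usual default named
# on the page), and the LDIF below is constructed sample data.

INITIAL_ORG = "Acme Corp"  # hypothetical initial organization name

SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
o: Acme Corp

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
o: Partner Inc

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
cn: Carol Example

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF text into a list of {attr: [values]} dicts.

    Handles blank-line record separators, comment lines and RFC 2849 line
    folding (a leading space joins the line to the previous one). Attribute
    names are lower-cased because LDAP attribute names are case-insensitive.
    Base64 ("::") values are not needed for this audit and are left as-is.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)

    records, current = [], {}
    for line in lines + [""]:  # sentinel blank line flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records


def classify_users(ldif_text, org_name, org_attr="o"):
    """Return (members, non_members) as lists of uid values for user entries.

    A user counts as a member of the initial organization only if one value of
    its organization attribute equals org_name (compared case-insensitively,
    as a DirectoryString attribute would be). Entries with a different value,
    or no value at all, are reported as non-members so they can be reviewed
    against the access expectations for the organization context.
    """
    wanted = org_name.strip().lower()
    members, non_members = [], []
    for rec in parse_ldif(ldif_text):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "inetorgperson" not in classes:
            continue  # groups and other non-user entries are skipped
        uid = rec.get("uid", ["?"])[0]
        values = {v.strip().lower() for v in rec.get(org_attr, [])}
        (members if wanted in values else non_members).append(uid)
    return members, non_members


if __name__ == "__main__":
    found, missing = classify_users(SAMPLE_LDIF, INITIAL_ORG)
    print("members of %s: %s" % (INITIAL_ORG, found))
    print("not members (review before granting access): %s" % missing)
```

Run against a real export, the non-member list is the set of accounts that will not see organization-context data through initial-organization membership; those are the entries to check when a user reports missing access, or when a site relies on the usersOrganizationName property instead of the directory attribute.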
After analyzing the users who need access to data, the site administrator determines whether additional organization contexts are needed. Data access can be limited to members of an organization context using access control rules. For example, if your Windchill solution will be used by multiple companies where each company has a different set of data and rules that will be used from within the solution, then setting up an organization context for each company would be the best approach. However, if only one company will actively use the solution and other companies will just provide data that is managed by the initial organization, then one organization context is sufficient.
After determining the organization structure that is needed, the site administrator or organization administrator should determine whether there are one or more sets of users who will need access to data in multiple application contexts created under one organization context. If there are sets of users who will be accessing multiple application contexts under one organization, shared teams can be created at the organization context level. A shared team identifies a set of users who will be working together in multiple application contexts and can therefore be assigned as a unit in the organization context rather than added individually to each application context.
Members of the appropriate application context creators groups can then create product, library, project, or program application contexts under an organization, depending on the contexts available from your Windchill solution. Using application contexts further separates the access of data. In each context, unique policy rules can be set.
To use a shared team in an application context, the shared team must be created before the application context is created.
For more information about policies, see Administering Domains and Policies.