Replication Package Administrator Group
Out-of-the-box, the Replication Package Administrator group is available for users who work with replication packages. Replication packages provide the ability to replicate the design data contents of one or more products or libraries from one Windchill installation to another within the same company. As the users responsible for this replication are different from those responsible for external collaboration using packages, a separate group is available. Only users in the Replication Package Administrator group are able to view and complete actions on a replication package object. Policy access control rules are in place for the group to prevent users outside the group from working with replication packages.
By default, policy access control rules for the Replication Package Administrators group are defined in each organization context in the /Default domain. As a result, users in the Replication Package Administrators group are able to create or manage replication packages in all contexts that are under the organization. To restrict users in Replication Package Administrators from creating a replication package in some contexts, additional access control rules can be set on the replication package object at the product or library level.
The Replication Package Administrators group separates the users that can interact with these different types of packages. Each company also may have different practices around the authorization to create or even have knowledge of what information is being replicated into another internal system. These practices can range from opening authorization to any user to limiting authorization where context administrators are not authorized to grant the authority.
There are two primary approaches to restrict access to replication packages and their associated deliveries:
• Creating a specialized context or set of contexts containing only replication packages and their associated deliveries.
• Maintaining replication packages and their deliveries in the same context as other objects, but establishing a specialized domain in which the replication packages and their associated deliveries reside.
Specialized Context for Replication Packages
An option for managing replication packages is to create a special purpose context that holds all replication packages and associated deliveries but no other object data. Only the Replication Package Administrators group is a team member in this context. Depending on the needs of the company, more than one specialized replication package context may be necessary.
1. Add users to the site-level Replication Package Administrators group.
3. Add the Replication Package Administrator group to a role on the context team. For more information, see Adding Members.
4. In all other product or library contexts, establish the following policy access control rule:
Domain | Object | State | Permission | Participant
/Default | Replication Package | All | !Full Control (All) | Replication Package Administrators group
Failure to complete this step will allow users in the Replication Package Administrators group to view, create, and work with replication packages in all contexts. This step only addresses access to the replication package object and does not address restricted access through search to the associated delivery.
Specialized Domain for Replication Packages
Another option for managing replication packages is to allow replication packages and their associated deliveries to co-exist within the same context as other Windchill objects. Replication packages and their deliveries would reside in a different domain within the context from other objects. Additional configuration is required to restrict access to the deliveries associated with the replication packages. It may be necessary to repeat a portion of the following configuration process for each context that holds both replication packages and other Windchill objects.
The use of special domains and contexts can be combined where the special domain is only created in the context where replication packages should be managed.
1. Add users to the site-level Replication Package Administrators group.
2. Using the Policy Administration utility, create a new domain in the desired context. For more information, see Creating a Domain.
The new domain must be created in each context where replication packages and their associated deliveries are expected to reside. If the domain does not exist in a context, then the replication package type will not be available for selection when creating a new package.
3. Update the type-based properties for the replication package type to specify the new domain. For more information, see Package Type-Based Properties.
4. [Optional] Set the Display Package Domains preference to No. Setting the preference to No prevents users from changing the domain of a package and possibly creating a security issue.
5. [Optional] Establish the following policy access control rule in any product and library contexts for which replication package maintenance should be prohibited. Complete this step only if you are restricting the number of contexts in which replication packages are managed.
Domain | Object | State | Permission | Participant
/Default | Replication Package | All | !Full Control (All) | Replication Package Administrators group
Failure to complete this step will allow users in the Replication Package Administrators group to view, create, and work with replication packages in all contexts.
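The deny rule in step 4 of the first procedure and step 5 of the second has to be present in every context where replication packages are not managed, so it is worth checking coverage after configuration. The Python below is an added example, not PTC code or a Windchill API: it assumes the rules have been transcribed by hand into a CSV that uses the table's columns plus a hypothetical Context column, and all context names are constructed.

```python
import csv
import io

# Deny rule from the tables above: Domain, Object, State, Permission, Participant.
FIELDS = ("Domain", "Object", "State", "Permission", "Participant")
REQUIRED_RULE = ("/Default", "Replication Package", "All",
                 "!Full Control (All)", "Replication Package Administrators group")

def norm(value):
    """Collapse whitespace and case so hand-maintained rows compare reliably."""
    return " ".join(value.split()).casefold()

def audit_deny_rule(rules_csv, all_contexts, replication_contexts):
    """Compare a rule inventory with the contexts that must carry the deny rule.

    Returns {"missing": [...], "unexpected": [...]}: contexts that lack the
    rule although replication packages are not managed there, and designated
    replication contexts that carry it and need review.
    """
    required = tuple(norm(v) for v in REQUIRED_RULE)
    designated = {norm(c) for c in replication_contexts}
    covered = set()
    for row in csv.DictReader(io.StringIO(rules_csv)):
        # Only an exact match counts: a grant, or a rule limited to one state,
        # does not stand in for the !Full Control (All) rule on all states.
        if tuple(norm(row[f]) for f in FIELDS) == required:
            covered.add(norm(row["Context"]))
    missing = sorted(c for c in all_contexts
                     if norm(c) not in designated and norm(c) not in covered)
    unexpected = sorted(c for c in replication_contexts if norm(c) in covered)
    return {"missing": missing, "unexpected": unexpected}

# Constructed sample inventory (not real Windchill output).
SAMPLE_RULES = """Context,Domain,Object,State,Permission,Participant
Product A,/Default,Replication Package,All,!Full Control (All),Replication Package Administrators group
Product B,/Default,Replication Package,All,Full Control (All),Replication Package Administrators group
Library C,/Default,Replication Package,Released,!Full Control (All),Replication Package Administrators group
Library D,/default,replication package,all,!Full Control (All),Replication  Package Administrators group
"""
SAMPLE_CONTEXTS = ["Product A", "Product B", "Library C", "Library D",
                   "Product E", "Replication Hub"]

if __name__ == "__main__":
    print(audit_deny_rule(SAMPLE_RULES, SAMPLE_CONTEXTS, ["Replication Hub"]))
```

In the sample, Product B has a grant where the deny belongs, Library C restricts the rule to one state, and Product E has no rule at all, so all three are reported as missing.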