Access Rules Table
The Access Rules table lists each rule that is in place that is used to calculate the access control permissions for the participant on the object.
Permissions can be set through the following ways:
• Policy access control rules can be set for a specific combination of domain, object type, life cycle state, and participant.
• Ad hoc access control rules can be set to override or augment the policy permissions for specific objects through a number of methods, including the use of the Access table. Ad hoc rules cannot override policy rules absolutely denying permissions.
For additional details on the sources for these rules, see the Source column descriptions later in this topic.
It is not possible to revoke permissions specified by a policy or by an ad hoc access control rule that has a source other than Access Control or Share. For example, you cannot clear a permission granted by a rule with the Life Cycle source from the Access table.
When viewing permissions for a participant, it is not possible to revoke a permission if the permission was granted because of membership in a group or organization. For example, if Chris Taylor has Modify permission based on his membership in a group and the rules for that group include the Modify permission, then Modify permission cannot be revoked specifically for Chris Taylor; the permission can only be revoked from the group.
The Access Rules table includes the following information:
• The type of rule is displayed in the first column for the table.
The policy rule icon 
indicates that permissions are set in a domain using a policy access control rule.
indicates that permissions are set in a domain using a policy access control rule.The ad hoc rule icon 
indicates that permissions are set for the specific object using an ad hoc access control rule.
indicates that permissions are set for the specific object using an ad hoc access control rule.• Whether the permissions apply to the selected participant or all users except the selected participant. By default, the information in the table is grouped by this designation. A policy access control rule can either apply to the participant listed or all users except the listed participant. For more information about rules applying to all users except the selected participant, see Selecting All Except Participant.
• The Source column indicates the source of the rule:
◦ For policy access control rules, the source is Policy.
◦ For ad hoc access control rules, the source identifies the service that owns the rule.
The following table lists the source types, and describes how the rules are created and what can be used to change the permissions that have been set:
Source Column in Access Rules Table | |
|---|---|
Source Type | Description |
Policy | Policy rules can be created by loading data, by importing files, and by Windchill services. For example, permissions with this source designation can be set in the following ways: • When your Windchill system was installed and data is loaded, some policy rules are set. • When application contexts are created and used, the templates used can contain policy rules and the services invoked can set policy rules. • When files are imported, the files can contain policy rules. Additionally, if you are an administrator, you can create, modify, and delete policy rules using the Policy Administration utility. If an administrator has created a policy rule for a dynamic role in an organization or site context, the permissions set by the policy rule will appear on the Access Rules table in a table row for the system group associated with the role in the application context. If policy rules are also created for the system group, the policy rules for the dynamic role and system group are merged and appear as one row in the table. |
Life Cycle | The permissions with this source designation were set through a life cycle template, where permissions can be granted to participants (associated with specific roles) as an object moves through its life cycle states. Only administrators who can change the life cycle template can change the permissions. Changes to the template can affect the permissions set when the template is used. |
Work Item | The permissions with this source designation were set through a workflow template, where permissions can be granted to participants (associated with specific roles) as an object moves through the workflow process. Only administrators who can change the workflow template can change the permissions. Changes to the template can affect the permissions set when the template is used. |
Access Control | The permissions with this source designation were set from the Set Access Control step when the object was created, from a Edit Access Control action, from imported rules, or by Windchill services. If you have the permission named Change Permissions for an object, you are authorized to grant other participants any permission that you have from a Edit Access Control page. For example, if you have Change Permissions, Read, and Download permissions on an object, you may be able to grant these permissions to others. For more information, see Understanding When You Can Modify Permissions. |
Team | The permissions with this source designation were set when the team was created at object creation and are a result of the workflow that is associated with the object. These permissions can get updated when participants of the team are updated as a result of making a change in the Set Up Participants table that is displayed on the task information page. The task information page is accessible from the Tasks table when tasks are present. |
Context | The permissions with this source designation are set when an application context is created and each time participants are added to the context team (controlled by the wt.inf.team.wtusersUseAccessPolicyRules property). You cannot change permissions that have this source. |
Share | If the object for which the access information is being displayed is an object that has been shared from another context, the permissions set when the object was shared have Share as the source designation and any additional changes made using the Access table from the context that the object is shared to have Share as the source designation. For shared object information, see Setting Access Control on a Shared Object. |
• The Participant column has the identity of the participant for which the permissions are set. See Participant Details.
• The Permissions column shows the permissions that are granted (+), denied (-), or absolutely denied (!). Only policy access control rules can deny or absolutely deny permissions.
 | You cannot change any of the access control rules from this window. If a rule should be changed, use the information presented in the Source column to determine where the rule is managed and whether you can change it or need to request that an administrator change it. Administrators can get more information about how policy and ad hoc access control rules are evaluated from the Access Control Overview. |