ACL Issue

RRAKOTOV · ‎Apr 19, 2024

I am using Windchill PDMLink Release 12.0 and Datecode with CPS 12.0.2.7

Rehost from production server to Qualification server in order to validate some ACL functionality
Custom Role "PartDoc Author" in production is granted to create Part
Same Custom Role "PartDoc Author" in Qualification server does not have same behavior

When click or launch "Part creation" > Error is raised.

Here are the errors that I faced
Attention : Action Unavailable

You do not have create permission for this object. Please contact your system administrator.

Hari_Vara · ‎Apr 22, 2024

Hi,

Please check the ACL for the custom Role, there may be some "Deny" permission. Check MS logs.

Rgds

Hari

RRAKOTOV · ‎Apr 22, 2024

Hi @Hari_Vara,
Thanks for your answer but we've made some check on policy administration and we do not found any "Deny" permission on "PartDoc Auhtor" Role.
See extract log from MS regarding ACL (no "Deny" permission) during Part creation process with user "rrakotov" member of this Role.

DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - => getPolicyAcl - IN: = wt.admin.AdministrativeDomain:6325995, wt.part.WTPart|1071177, INCREATION
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - <= getPolicyAcl - OUT - acl from cache: wt.admin.AdministrativeDomain:6325995, wt.part.WTPart|1071177, INCREATION
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Sharing Manager (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:70576678): [Change Permissions]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Guest_Plus (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:103050606): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Product Manager (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6325996): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Organization Administrator (ASN_Org) (wt.org.WTGroup:1061725): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Team Members (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6325997): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Supplier Administrators (ASN_Org) (wt.org.WTGroup:1061886): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Administrators (Site) (wt.org.WTGroup:15): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Guest (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6327103): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - ! Participant: Doc Author (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:90687681): [Modify, Create, Delete, Administrative, Revise, New View Version, Change Permissions, Modify Content, Change Domain, Create By Move, Change Context, Set State, Modify Identity, Modify Security Labels]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - => getPolicyAcl - IN: = wt.admin.AdministrativeDomain:1061719, wt.pdmlink.PDMLinkProduct
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - <= getPolicyAcl - OUT - acl from cache: wt.admin.AdministrativeDomain:1061719, wt.pdmlink.PDMLinkProduct
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Product Creator (ASN_Org) (wt.org.WTGroup:1061729): [Create]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: EMS - GROUP (ASN_Org) (wt.org.WTGroup:5436899): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Organization Administrator (ASN_Org) (wt.org.WTGroup:1061725): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Administrators (Site) (wt.org.WTGroup:15): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - => getPolicyAcl - IN: = wt.admin.AdministrativeDomain:6325995, wt.folder.SubFolder
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - <= getPolicyAcl - OUT - acl from cache: wt.admin.AdministrativeDomain:6325995, wt.folder.SubFolder
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Sharing Manager (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:70576678): [Change Permissions]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Guest_Plus (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:103050606): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Product Manager (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6325996): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Organization Administrator (ASN_Org) (wt.org.WTGroup:1061725): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Team Members (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6325997): [Read, Modify, Modify Security Labels]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Administrators (Site) (wt.org.WTGroup:15): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-3] wt.access.evaluation.policyACL rrakotov - + Participant: Guest (Product - SLTE 1620 SOFTNODE) (wt.org.WTGroup:6327103): [Read, Download]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - => getPolicyAcl - IN: = wt.admin.AdministrativeDomain:1061709, wt.org.WTOrganization
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - <= getPolicyAcl - OUT - acl from cache: wt.admin.AdministrativeDomain:1061709, wt.org.WTOrganization
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Unrestricted Organizations (Site) (wt.org.WTGroup:250): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: All Participating Members (ASN_Org) (wt.org.WTGroup:1061754): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Unrestricted Supplier Administrators (Site) (wt.org.WTGroup:53453): [Create]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Organization Administrator (ASN_Org) (wt.org.WTGroup:1061725): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Administrators (Site) (wt.org.WTGroup:15): [Full Control (All)]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: ASN_Org (Site) (wt.org.WTOrganization:1061710): [Read]
DEBUG [ajp-nio-127.0.0.1-8010-exec-10] wt.access.evaluation.policyACL rrakotov - + Participant: Owner (Pseudo Role): [Full Control (All)]

MikeLockwood · ‎Apr 22, 2024

Logged on as admin, from an object (e.g. a Part), select Edit Access Control. This is not to edit / change the access but to investigate. It lists all sources of permissions here, allowing selection of groups / roles / individual users.

Best tool for investigating.

RRAKOTOV · ‎Apr 23, 2024

Actions on "PartDoc Author" role are set as-expected. -->

I will continue to investigate !

joe_morton · ‎Apr 22, 2024

Check also the license applied to the test user.

RRAKOTOV · ‎Apr 23, 2024

Licensing is OK

--> "PTC Windchill advanced" is not fully used