How to logout of Windchill?

ocorten-2 · ‎Feb 12, 2010

Wouldn't it be nice to have a Logout button in Windchill?

Especially when switching between user and administrator accounts this
could be very usefull in my opinion.
As a newbie user maybe I'm missing something, but I can't imagine
nobody else ever asked for this functionality.
Shouldn't be that hard to implement.

Olaf Corten
CAD/PLM Manager, Besi Competence Center - Other Business Applications
Fico BV, Ratio 6, 6921 RW Duiven, The Netherlands
Tel.: +31 26 3196215
Fax: +31 26 3196200
Mobile: +31 644548554
www.fico.nl

bfrandsen · ‎Feb 12, 2010

Olaf,
to my knowledge logout is not possible with the way Windchill
authenticates. You might find the exact answer in the exploder archives.
This is in my opinin only an annoying issue for admins, that have several
logins. The normal user do not have the need.

/Bjarne

Olaf Corten <->
12-02-2010 09:04
Please respond to
Olaf Corten <->

To
-
cc

Subject
[solutions] - How to logout of Windchill?

Wouldn't it be nice to have a Logout button in Windchill?

Especially when switching between user and administrator accounts this
could be very usefull in my opinion.
As a newbie user maybe I'm missing something, but I can't imagine nobody
else ever asked for this functionality.
Shouldn't be that hard to implement.

Olaf Corten
CAD/PLM Manager, Besi Competence Center - Other Business Applications
Fico BV, Ratio 6, 6921 RW Duiven, The Netherlands
Tel.: +31 26 3196215
Fax: +31 26 3196200
Mobile: +31 644548554
www.fico.nl

Attachment Links: Outlook.jpg (13 k) Fico_Logo.gif (2 k)
Environment.gif (1 k) Site Links: View post online View mailing list
online Send new post via email Manage your subscription Use of this
email content is governed by the terms of service at:

RandyJones · ‎Feb 12, 2010

On 02/12/10 01:58, Olaf Corten wrote:
> Wouldn't it be nice to have a Logout button in Windchill?
> Especially when switching between user and administrator accounts this
> could be very usefull in my opinion.
> As a newbie user maybe I'm missing something, but I can't imagine nobody
> else ever asked for this functionality.
> Shouldn't be that hard to implement.
> Olaf Corten
> CAD/PLM Manager, Besi Competence Center - Other Business Applications
> Fico BV, Ratio 6, 6921 RW Duiven, The Netherlands
> Tel.: +31 26 3196215
> Fax: +31 26 3196200
> Mobile: +31 644548554
> _www.fico.nl
user name and password. Recent versions of Firefox have this ability under:
Tools | Clear Recent History and then make sure you only select
"Active Logins"

Or you can download the "Web Developer" addon for FireFox which provides
this functionality (and a whole lot more) under:
Miscellaneous | Clear Priva...

jessh · ‎Feb 12, 2010

It seems like something is wrong somewhere if an administrator has to
use multiple accounts.

The administrator should be able to just log in as themselves and do
what they have privileges for.

--
Jess Holle

MarlonMendes · ‎Feb 12, 2010

Do you have this solution Step by Step ?

image001Marlon Mendes

Technical Manager

PLM Solutions do Brasil

O representante estratégico da PTC

Tel.: (55-11) 5052-9730 R. 207

mmoore-5 · ‎Feb 12, 2010

We log into our Windchill environment with both admin and user accounts all the time. The admin account is used to change configuration and the user account is used to verify the change from the Windchill user's perspective. Not sure why that would be considered abnormal or 'something wrong'. Logout functionality would be very valuable in our environment.

Matt Moore - Intel

Bill_Kunz · ‎Feb 12, 2010

The place where this problem bites administrators is when it is necessary to do testing for different types of group permissions.

Then it is required to login in as a representative member of each group to test for the correct configuration of ACLs, etc.

ocorten-2 · ‎Feb 12, 2010

Hi Jess,

I don't agree and think that's a bit shortsighted.

Imagine a user with multiple roles who uses different accounts for them.
He is doing design stuff 80% of his time and administrator tasks 20% of
his time. He wants to switch between accounts easily.
Imagine an administrator who wants to login as wcadmin or as orgadmin or
with his own account or as a testuser.
Most online portals (even www.ptc.com) provide a logout button.

The general conscensus seems to be that for administrators this would be
a nice feature.
Especially since logoff means closing the entire browser with all it's
tabs.

Kind regards,

Olaf Corten
CAD/PLM Manager, Besi Competence Center - Other Business Applications
Fico BV, Ratio 6, 6921 RW Duiven, The Netherlands
Tel.: +31 26 3196215

MikeLockwood · ‎Feb 12, 2010

We have a large number of users with 2 accounts - one for regular work and one for "super user" or "admin" work. Seems to be fairly common.

As admin's, we also commonly log on using test accounts that represent what each group can see / do.

Logout would be helpful.

HugoHermans · ‎Feb 12, 2010

Hi Matt

This works as long as users do not discover how to change their password
in Windchill ... 😞

Kindest regards,

Met vriendelijke groeten,

Hugo Hermans

RandyJones · ‎Feb 12, 2010

On 02/12/10 09:12, Jess Holle wrote:
> It seems like something is wrong somewhere if an administrator has to
> use multiple accounts.
>
> The administrator should be able to just log in as themselves and do
> what they have privileges for.
>

Let's see.
1. make a change as an admin
2. login as user to verify change works

Maybe if the admin was an windchill administrator expert you could trust
the changes without having to test as a user. However due to the
complexity of Windchill and the bazillion combinations/permutations
of properties, lifecycles, workflows, teams, roles, access policies,
and etc there is no way a mortal person can get it right the first time.

Especially when you are just beginning Windchill. Like we are and it sounds
like Olaf is too.

I can't count the number of times I have had multiple logins going in
order to get something working properly.

I would like to think that someday I will be that Windchill administrator
that can make a change and NOT have to verify however that doesn't seem
likely. At least not in the next 5 or 10 years.

--
------------------------------------------------------------------------
Randy Jones
Systems Administrator
Great Plains Mfg., Inc.
1525 E North St
PO Box 5060
Salina, KS USA 67401
email: -
Phone: 785-823-3276
Fax: 785-667-2695
------------------------------------------------------------------------

amansfield · ‎Feb 12, 2010

I have to jump on the pile here: how can you NOT use multiple accounts? If you set access rights, etc for you users but only use an account with heightened privileges you will not be able to tell whether things are properly configured for the standard user..

I frequently use multiple accounts with multiple web browsers: I often have IE 7, Chrome and Firefox all running at the same time with different logins. Since Chrome apprears to be the (noticeably) fastest browser for doing most things, it's the one I use the most (it doesn't work 100% of the time with various parts of Windchill, so I can't use it by itself). I use IE wth Pro/E.

I would like a logout button so I can use my browser of choice without having to shut it down and restart it.. Running 3 browsers along with all the other stuff I use can often exhaust virtual memory..

My 2 cents..

Andrew Mansfield

KI Design & Development

Green Bay, WI

In Reply to Jess Holle:

It seems like something is wrong somewhere if an administrator has to
use multiple accounts.

The administrator should be able to just log in as themselves and do
what they have privileges for.

--
Jess Holle

HugoHermans · ‎Feb 12, 2010

What would help as well is to see which user is logged in in which browser window. Now, I always have to go back to the Home page in the particular window to know how I'm.

I think I've seen guidelines passing by to configure this, but I've lost the link ...

Have a nice weekend, Hugo.

<< ProE WF3 M190 - PDMLink 8.00 M040 >>

ddemay · ‎Feb 12, 2010

Hugo, I'll resend it to you.what you referring to is something I created.I
posted it back in October last year to the list.

I'm also going to attempt to create a logout/logoff button this weekend. If
it works, I'll post something so everyone can add to their windchill systems
and test it out.

- David DeMay

_____

ptc-46674 · ‎Feb 12, 2010

Olaf

There is no need to close all the Tabs if you are using FireFox

to log out using Firefox you can use "Ctrl+Shift+Del" or "Tools | Clear Recent History" then refresh the page "F5" FireFox will prompt for user name and password, once you log in as a different user you have that users access permissions in all of the open "Tabbed Pages"

Dave McClinton

MCAD System Administrator

McKesson Automation

BobLehman2 · ‎Feb 12, 2010

Hugo Hermans wrote:

To all:

Someone posted a solution to this a while back. I was looking for it
but could not find (granted I did not look very hard) if you know what
javascript I am referencing could you maybe repost the solution for all?

Thanks
--Bob
>
> What would help as well is to see which user is logged in in which
> browser window. Now, I always have to go back to the Home page in the
> particular window to know how I'm.
>
> I think I've seen guidelines passing by to configure this, but I've
> lost the link ...
>
>
>
> Have a nice weekend, Hugo.
>
> << ProE WF3 M190 - PDMLink 8.00 M040 >>
>
>
> -----End Original Message-----

BobLehman2 · ‎Feb 12, 2010

David DeMay wrote:

Dave,
That would be cool! Can you also send out a pointer to the original code?
Sorry I should have read all my messages before sending out the last one.

--Bob

> Hugo, I’ll resend it to you…what you referring to is something I
> created…I posted it back in October last year to the list.
>
> I’m also going to attempt to create a logout/logoff button this
> weekend. If it works, I’ll post something so everyone can add to their
> windchill systems and test it out.
>
> - David DeMay
>

sdrzewiczewski · ‎Feb 12, 2010

http://portal.ptcuser.org/p/fo/st/topic=16&post=80059#p80059

This is the link to David's solution for the name in the title bar.

jessh · ‎Feb 12, 2010

What strikes me as "wrong" here is that one has to log in as a user to
predict the impact of administrative changes.

I suppose it may be unrealistic for the product to allow sufficient
predictability without testing by logging in as a "dummy" or "test"
user, but it would seem preferable to obviate the need for such test logins.

Basic authentication credentials are cached by the browser and there is
no reliable standard way for the server to get the browser to uncache
these. The best solution to this particular issue is one of the myriad
browser plugins that allow such a cache clearing for one's browser of
choice. For instance, I believe the web developer plugin for Firefox
allows this.

--
Jess Holle

jessh · ‎Feb 12, 2010

That's exactly what strikes me as "wrong" -- the administrative tools
should provide enough information as to the impact of administrative
settings that one does not have to login as a representative member of
each group.

If the tools are not up to the task today, then certainly I can
understand fulfilling the need through login testing.

--
Jess Holle

On 2/12/2010 9:37 AM, Kunz,William,IRVINE,R&D wrote:
> The place where this problem bites administrators is when it is necessary to do testing for different types of group permissions.
>
> Then it is required to login in as a representative member of each group to test for the correct configuration of ACLs, etc.
>
>

jessh · ‎Feb 12, 2010

On 2/12/2010 9:37 AM, Olaf Corten wrote:
> Hi Jess,
>
> I don't agree and think that's a bit shortsighted.
>
> Imagine a user with multiple roles who uses different accounts for them.
> He is doing design stuff 80% of his time and administrator tasks 20% of
> his time. He wants to switch between accounts easily.
> Imagine an administrator who wants to login as wcadmin or as orgadmin or
> with his own account or as a testuser.
>
It would seem to make a good deal more sense for the user to always log
in as themselves, rather than as "wcadmin", etc, and for them to simply
be in the Administrators, etc, groups as is appropriate for the
privileges they need.

On issue with the user logging in as "wcadmin" or "orgadmin" is that you
then lose traceability of which administrator did an action if you have
multiple administrators. From a traceability perspective, it makes much
more sense for everyone to log in as themselves.

This isn't UNIX and "root" -- the application shouldn't be dangerous to
use with one's full privileges. If it is, then I'd assert that that
would be a case of "
> Most online portals (even www.ptc.com) provide a logout button.
>
> The general conscensus seems to be that for administrators this would be
> a nice feature.
> Especially since logoff means closing the entire browser with all it's
> tabs.
>
> Kind regards,
>
> Olaf Corten
> CAD/PLM Manager, Besi Competence Center - Other Business Applications
> Fico BV, Ratio 6, 6921 RW Duiven, The Netherlands
> Tel.: +31 26 3196215
> Fax: +31 26 3196200
> Mobile: +31 644548554
> www.fico.nl
>
>
> -----Original Message-----
> From: Jess Holle [
>> user name and password. Recent versions of Firefox have this ability
>>
> under:
>
>> Tools | Clear Recent History and then make sure you only select
>> "Active Logins"
>>
>> Or you can download the "Web Developer" addon for FireFox which
>> provides this functionality (and a whole lot more) under:
>> M...

MikeLockwood · ‎Feb 12, 2010

We agree that it is "wrong" but the fact is there is no realistic way that we have found to do this "predictively" with confidence. We'll be delighted when better tools come along for the purpose.

The user permissions that result from the complex combination of configurable elements is the single biggest chess game in Windchill that we're aware of.

First, there is no tool to simply report what exists in the system in a concise way (there is a report but it's not convenient). It takes many hundreds of mouse clicks to even examine what exists.

Second, the OTB product/library templates include all the needed ACR's - resulting in repeating everything that is common in all contexts. A change requires many hundreds of mouse clicks - so the desire always is to factor out all that are common and put them one or maybe two domain levels up.

Third, the actual permissions don't align with user menu picks very well (example: Modify is the permission: Check out is the actual user menu pick). See attached spreadsheet on this.

Fourth, you have to address a five-dimensional inheritance puzzle if you want to avoid repeating every statement brute force: Domain inheritance (site, org, etc), Object type inheritance (WTObj, WTDoc, RefDoc, etc._, State (All, Released) inheritance, Principal inheritance (group, sub-group), Permission prerequisites (read required for Revise).

Fifth, the implies properties (we immediately blank these properties on every install) select idiotic combinations of permissions - and you can't see ahead of time very easily what is being selected. The prerequisites are not consistently applied by these properties (example: Read is prerequisite for many other actions but is not applied to all where it is prerequisite). As provided, if you select Delete the system also selects Modify - assuming that the only way someone can delete something is if they have Modify permission for it.

wt.access.permissionImplies.1=
wt.access.permissionImplies.2=
wt.access.permissionImplies.5=
wt.access.permissionImplies.7=
wt.access.permissionImplies.8=
wt.access.permissionImplies.10=
wt.access.permissionImplies.11=
wt.access.permissionImplies.13=

Sixth, there are subtle hidden combinations of permissions needed. Examples:
- Need Create at the resulting state in addition to Revise at the current state
- Need both Modify and Modify Identity to rename a Folder
- Need both Modify for a cabinet and Create for a document to create a document
- Set State requires both a Set State transition in the LC at the current state and the Set State permission
- The OTB context templates all use the TeamMembers pseudo-role; many unpredictable results from this
- The Guest Role OTB can see absolutely everything in the system
- Many OTB ACR's in the templates are redundant
- For Project, the local Manage Security tools are combined in some strange ways with ACR's
- It goes on and on...

jessh · ‎Feb 12, 2010

I accidentally hit send. Redoing response below.

AL_ANDERSON · ‎Feb 12, 2010

"- It goes on and on..."

Mike,

This is the best list of access control related issues that I have seen.

Do you have a comprehensive list of what goes on and on that you could
mail out? Or was this simply off the top of your head, and you don't have
a document or more complete list.

This is really good information.

Al Anderson
Solar Turbines Incorporated

"Lockwood,Mike,IRVINE,R&D" <mike.lockwood@alconlabs.com>
02/12/2010 01:17 PM
Please respond to
"Lockwood,Mike,IRVINE,R&D" <mike.lockwood@alconlabs.com>

To
"Jess Holle" <->, "Moore, Matt M" <matt.m.moore@intel.com>
cc
"-" <->
Subject
[solutions] - RE: How to logout of Windchill?

jessh · ‎Feb 12, 2010

Thanks for the detailed explanation of what's wrong. That's helpful.

I'd like to see us (PTC) focus on this issue, i.e. our application --
and leave the issue of browser credential clearing to the browsers. As
some have noted, Firefox's built-in Tools -> Clear Recent History does
the trick out-of-the-box. In most browsers there are a variety of
plug-ins to choose from that provide similar functionality as well.

--
Jess Holle

On 2/12/2010 3:17 PM, Lockwood,Mike,IRVINE,R&D wrote:
> We agree that it is "wrong" but the fact is there is no realistic way that we have found to do this "predictively" with confidence. We'll be delighted when better tools come along for the purpose.
>
> The user permissions that result from the complex combination of configurable elements is the single biggest chess game in Windchill that we're aware of.
>
> First, there is no tool to simply report what exists in the system in a concise way (there is a report but it's not convenient). It takes many hundreds of mouse clicks to even examine what exists.
>
> Second, the OTB product/library templates include all the needed ACR's - resulting in repeating everything that is common in all contexts. A change requires many hundreds of mouse clicks - so the desire always is to factor out all that are common and put them one or maybe two domain levels up.
>
> Third, the actual permissions don't align with user menu picks very well (example: Modify is the permission: Check out is the actual user menu pick). See attached spreadsheet on this.
>
> Fourth, you have to address a five-dimensional inheritance puzzle if you want to avoid repeating every statement brute force: Domain inheritance (site, org, etc), Object type inheritance (WTObj, WTDoc, RefDoc, etc._, State (All, Released) inheritance, Principal inheritance (group, sub-group), Permission prerequisites (read required for Revise).
>
> Fifth, the implies properties (we immediately blank these properties on every install) select idiotic combinations of permissions - and you can't see ahead of time very easily what is being selected. The prerequisites are not consistently applied by these properties (example: Read is prerequisite for many other actions but is not applied to all where it is prerequisite). As provided, if you select Delete the system also selects Modify - assuming that the only way someone can delete something is if they have Modify permission for it.
>
> wt.access.permissionImplies.1=
> wt.access.permissionImplies.2=
> wt.access.permissionImplies.5=
> wt.access.permissionImplies.7=
> wt.access.permissionImplies.8=
> wt.access.permissionImplies.10=
> wt.access.permissionImplies.11=
> wt.access.permissionImplies.13=
>
> Sixth, there are subtle hidden combinations of permissions needed. Examples:
> - Need Create at the resulting state in addition to Revise at the current state
> - Need both Modify and Modify Identity to rename a Folder
> - Need both Modify for a cabinet and Create for a document to create a document
> - Set State requires both a Set State transition in the LC at the current state and the Set State permission
> - The OTB context templates all use the TeamMembers pseudo-role; many unpredictable results from this
> - The Guest Role OTB can see absolutely everything in the system
> - Many OTB ACR's in the templates are redundant
> - For Project, the local Manage Security tools are combined in some strange ways with ACR's
> - It goes on and on...
>

jessh · ‎Feb 12, 2010

Agreed. This should be fed to PTC product management.

dtkach1 · ‎Feb 12, 2010

I tried several times to get answer from PTC Tech support how they
assume that customer should manage ACL/Security/Permissions in Windchill
and so far did not have any luck. Seems different companies are doing
permission/security/acl management using own way. Have not seen any
standard techniques how to do it so far that will be easy and good
enough. May be I missed something....?

Thanks,
Dmitry

cc-2 · ‎Feb 14, 2010

Hi

we find it would be a useful functionality. However, PTC seem relunctant to implement it. However here is our workaround

Use Internet Explorer, Firefox, Chrome etc.. at the same time to log as different users. Certain functionalities are not compatible with Firefox or Chrome but depending what you are doing this is OK. Also if you start IE several time (at least with IE 7) you can log in as with different users for each session. The problem is that you need to remember which window is for which user.

Anyone else with a different workaround ?

Cheers

JoePriest · ‎Feb 15, 2010

We have to toggle back and forth all the time as well and simply opening a second browser session (not a new tab) works wonderfully for us. (FYI - we are using IE7) We utilize this in our training sessions too.

Joe

CadMan · ‎Feb 15, 2010

We purchased the Medical Device Template for PDMLink 8.0 and it includes a
Logout button...so PTC knows how to do this. The first thing we asked is
why they don't include it in PDMLink. They had no answer. It is there in
the MDT because of FDA requirements and access to the system.

If they can include it in the MDT, it would be pretty easy to put it in all
of PDMLink. I guess we have to beg.

Pete

_____