Access Manager Guide

Teamcenter Access Manager Guide (SIEMENS)

Uploaded by

Rihab
Teamcenter® 2007

Access Manager Guide

Publication Number PLM00020 C

Proprietary and restricted rights notice

This software and related documentation are proprietary to Siemens Product Lifecycle Management Software Inc.

© 2007 Siemens Product Lifecycle Management Software Inc. All Rights Reserved.

All trademarks belong to their respective holders.

Contents

Getting started
    Access Manager interface
    Basic concepts about Access Manager
    Basic tasks using Access Manager
Creating and managing Access Manager rules
    Best practices and cautionary statements
    Understanding the rule creation process
    Add an Access Manager rule
    Modify an Access Manager rule
    Delete an Access Manager rule
    Reposition an Access Manager rule in the rule tree
Creating and managing access control lists (ACLs)
    Create an access control list (ACL)
    Modify an access control list (ACL)
    Delete an access control list (ACL)
Distributing, reverting, and repairing the rule tree
    Export the Access Manager rule tree
    Import the Access Manager rule tree
Verifying the effect of access rules
    View access privileges
    View the rules from which privileges are derived
    View the access control list (ACL) associated with the object
Glossary
Index

Figures

5-1. Viewing access privileges
5-2. Extra Protection dialog box
5-3. ACL Control List dialog box

Tables

1-1. Before you begin
1-2. Access Manager menu commands
1-3. Access Manager buttons
1-4. Data life cycle
1-5. Rule tree conditions
1-6. Accessor types by category
1-7. Access privileges

Chapter 1: Getting started

Access Manager interface
    Access Manager menus
    Access Manager buttons
    Access Manager symbols
Basic concepts about Access Manager
    Protecting Teamcenter data
    Life cycle of data
    Rules-based protection
    Object-based protection
    Access Manager rule tree
    How rules work
    Rule tree conditions
    Accessor types and accessor precedence
    Access privileges
Basic tasks using Access Manager

Getting started

Access Manager controls user access to objects in Teamcenter® using the Access Manager (AM) rule tree, which is a collection of rules applicable at your site.

For more information, see Basic concepts about Access Manager and the Security Administration Guide.

Table 1-1. Before you begin

Prerequisites | You must have system administrator privileges to use Access Manager.
Enable Access Manager | Access Manager does not need to be enabled before you use it. If you are an administrator, you can use Access Manager.
Configure Access Manager | Access Manager does not need to be configured before you use it.
Start Access Manager | Click Access Manager in the navigation pane. Note: If the Access Manager button is not displayed in the navigation pane, click the icon at the bottom of the navigation pane and choose Show More Applications.

Access Manager interface

All Access Manager menus are standard Teamcenter rich client menus except for those described here. For additional information, see the My Teamcenter Guide.
Access Manager menus

Table 1-2. Access Manager menu commands

Menu command | Description
File>Import | Browses for the ASCII file containing the rule tree data and then imports the file.
File>Export | Browses for the ASCII file containing the rule tree data and then exports the file.
Edit>Up | Moves a rule tree entry up one branch at a time within the same level.
Edit>Down | Moves a rule tree entry down one branch at a time within the same level.
View>Expand Below | Expands the rule tree to display subbranches.

Access Manager buttons

Table 1-3. Access Manager buttons

Button | Description
Move Rule Up | Moves a rule tree entry up one branch at a time within the same level.
Move Rule Down | Moves a rule tree entry down one branch at a time within the same level.
Add | There are two Add buttons. The button to the right of the access control entry (ACE) table adds a new row to the table. The button at the bottom of the pane adds the rule to the Access Manager tree.
Modify | Modifies the selected rule and/or access control list (ACL).
Delete | There are two Delete buttons. The button to the right of the ACL Name box deletes the selected ACL. The button at the bottom of the pane deletes the selected rule from the Access Manager tree.
Save | There are two Save buttons. The button at the top right of the ACE table saves the ACL. The button in the toolbar saves changes to the rule tree.
Create ACL | Creates the ACL after you enter a name in the ACL Name box.

Access Manager symbols

Access Manager uses symbols to represent privileges that can be granted using access control lists (ACLs).

For more information, see Access privileges.
Basic concepts about Access Manager

To take full advantage of Access Manager, you should be familiar with the data access methodologies, rules, accessors, and privileges that are used to implement data access protections.

For more information about data security, see the Security Administration Guide.

Protecting Teamcenter data

Object protection and ownership are extremely important in a distributed computing environment. Objects represent actual product information in the database and must be protected from unauthorized or accidental access, modification, and deletion.

Teamcenter implements two different tiers of data protection:

* Rules-based protection
  Rules-based protection is the primary security mechanism.

* Object-based protection
  Object-based protection is a secondary security mechanism that allows you to grant exceptions to rules.

Life cycle of data

All data in an enterprise typically passes through three basic phases: Released, In-Process, and Working.

Table 1-4. Data life cycle

Data state | Description
Released | Data is formalized and must be protected from modification. Released data is often consumed by users outside the authoring group, whereas in-process and working data is consumed by authors and generally requires more restrictive read access.
In-Process | Data is semiformalized and, because it is in the process of being released, it is assumed to be accurate and in its final form. However, allowances must be made for last-minute changes. The primary objective for protecting in-process data is to ensure that it is tightly controlled while it is being released.
Working | Data is not very firm and is expected to undergo many changes before it is released. The objective for protecting working data is to ensure that only the right persons have permission to view, modify, or manipulate the data.
Rules-based protection

Rules control access to data on a global basis by determining whether a user has permission to view or perform an action on an object. Rules filter data according to the attributes of the data and grant privileges to the data according to the users' IDs and their session context (the group and role they used to log in).

Rules are defined by a combination of a condition, a value for that condition, and an access control list (ACL) that grants privileges to accessors. The condition and value identify the set of objects to which the rule applies; the ACL defines the privileges that will be granted to users (accessors).

The following syntax applies to rules:

    Condition {Value} -> ACL

For example:

    Has Type {UGMASTER} -> UG Model

In this example, Has Type is the condition, UGMASTER is the value, and UG Model is the name of the ACL.

The parts of the rule can be thought of as an IF clause and a THEN clause. The condition and value supply the IF part of the rule and examine the object with Boolean logic, and the access control list (ACL) supplies the THEN part of the rule by describing access permission.

Object-based protection

Object-based protection introduces exceptions to the access rules for a specific object. Unlike rules, which can only be created and maintained by authorized administrators, ACLs that specify exceptions to rules can be defined by any Teamcenter user who has change privileges to the object.

Access Manager rule tree

Rules are organized in the Access Manager rule tree and are evaluated based on their placement within the tree structure. The default rule tree included in your Teamcenter installation assumes that users are granted privileges unless explicitly denied. The rules are evaluated from the top of the tree to the bottom of the tree, with rules at the top of the tree taking precedence over rules at the bottom of the tree.
The rule tree acts as a filter that an object passes through when a user attempts to access the object. When conditions that apply to the selected object are met, the privileges defined in the ACL are applied.

Note: Subbranches always take precedence over parent branches in the tree.

The Access Manager application displays the rule tree:

    Has Class(POM_object)
        Has Bypass(true) -> Bypass
        Has Class(POM_object) -> System
        In Job(true)
        Has Status(TCM Released) -> TCM Released Rule
        Has Status( ) -> Vault
        Has Object ACL(true)
        Has Class(POM_application_object) -> Import/Export
        In Project( ) -> Projects
        Owning Group Has Security(Internal) -> Internal Data
        Owning Group Has Security(External) -> External Data
        Has Class(POM_application_object) -> Working

How rules work

Rules are defined by a combination of a condition, a value for that condition, and an access control list (ACL) that grants privileges to accessors. The condition and value identify the set of objects to which the rule applies; the ACL defines the privileges that are granted to users (accessors).

The following syntax applies to rules:

    Condition {Value} -> ACL

For example:

    Has Type {UGMASTER} -> UG Model

In this example, Has Type is the condition, UGMASTER is the value, and UG Model is the name of the ACL.

When a user attempts to access data, the rule tree is evaluated to determine the privileges to be granted or denied. The following assumptions apply to the evaluation:

* Rules higher in the rule tree are more global in nature and apply to all object types.

* Lower-level rules refine access to more specific objects such as UGMASTER datasets. For example:

    Has Class(POM_app_object)
        Has Class(Dataset)
            Has Type(UGMASTER)

* Precedence determines the privileges granted. Accessor precedence in the ACL and rule precedence within the tree are both considered when granting access privileges. Rule precedence is from top to bottom in the tree, with the highest rule having greatest precedence and the lowest rule having least precedence. Accessors have a predefined precedence in the system.

  For more information, see Accessor types and accessor precedence.

    Has Class(POM_object)
        Has Bypass(true) -> Bypass
        In Job(true)
        Has Status( ) -> Vault
        Has Object ACL(true)
        Has Class(POM_application_object) -> Working
            Has Class(Item) -> Items
            Has Class(Item Revision) -> Item Revs
            Has Class(Dataset)
                Has Type(UGMASTER) -> UGMASTER

The following ACLs are considered when the sample rule tree is evaluated:

* The UGMASTER ACL explicitly grants write access to users who fill the Designer role in the owning group and explicitly denies write access to all other users in the owning group.

Accessor | Accessor ID | Read | Write | Delete | Change | Promote | Demote | Copy
Role in Owning Group | Designer | | ✓ | | | | |
Owning Group | | | ✗ | | | | |

* The Working ACL explicitly grants write, delete, and change privileges to owning users and write privileges to the owning group. It also grants delete and change privileges to the group administrator and the system administrator. All other users are granted read and copy privileges and explicitly denied write, delete, change, promote, and demote privileges.

Accessor | Accessor ID | Read | Write | Delete | Change | Promote | Demote | Copy
Owning User | | | ✓ | ✓ | ✓ | | |
Group Administrator | | | | ✓ | ✓ | | |
Owning Group | | | ✓ | | | | |
System Administrator | | | | ✓ | ✓ | | |
World | | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓

* The Vault ACL grants all users read and copy privileges and denies all users write, delete, change, promote, and demote privileges.
Accessor | Accessor ID | Read | Write | Delete | Change | Promote | Demote | Copy
World | | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓

Evaluating the rule tree

The rule tree evaluation results in an effective ACL that represents the cumulative buildup of all the named ACLs that apply to the object the user is trying to access.

The rule tree is evaluated as follows:

* All lines that do not apply to the object are trimmed from the rule tree.

  Note: The rules are not removed from the tree, but they are ignored during evaluation.

* The remaining lines in the tree are traversed by:

  - Evaluating the child of a rule before evaluating the parent rule.

  - Evaluating child rules in order of precedence, from top to bottom, in the event that there are multiple child rules.

* The effective ACL is determined by compiling the ACLs in the order that the tree is traversed.

Example of building an effective ACL

When the user attempts to access a UGMASTER dataset, the rule tree is trimmed to reflect only those rules that apply to the object.

    Has Class(POM_object)
        Has Class(POM_app_object) -> Working
            Has Class(Dataset)
                Has Type(UGMASTER) -> UGMASTER

Based on the trimmed rule tree, the effective ACL is compiled by evaluating the tree (from bottom to top) as follows:

1. Find the topmost leaf node in the tree, in this case, Has Type(UGMASTER) -> UGMASTER, and add the UGMASTER ACL to the effective ACL.

2. Find the next node, Has Class(Dataset), which has no associated ACL so it does not contribute to the effective ACL.

3. Find the next node, Has Class(POM_app_object) -> Working, and add the Working ACL to the effective ACL.

4. Find the next node in the tree, which is the Has Class(POM_object) root node. This node has no associated ACL, so it does not contribute to the effective ACL.
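The evaluation procedure above (trim, visit children before parents from top to bottom, compile the named ACLs), together with the per-accessor column walk the guide applies to the resulting effective ACL, as an added Python sketch. It is not code from the guide or from Teamcenter: the Rule class, the function names, the context dictionary and the empty Bypass, Items and Item Revs ACLs are assumptions, and the UGMASTER, Working and Vault entries follow the guide's prose descriptions.

```python
from dataclasses import dataclass, field
from typing import Optional

PRIVILEGES = ("read", "write", "delete", "change", "promote", "demote", "copy")


@dataclass
class Rule:
    condition: str
    value: str
    acl: Optional[str] = None            # name of the ACL attached to the rule
    children: list = field(default_factory=list)


# Hypothetical condition checks against a dict describing object and session.
# Assumption: Has Status with an empty value matches any status.
CONDITIONS = {
    "Has Class": lambda ctx, v: v in ctx["classes"],
    "Has Type": lambda ctx, v: ctx["type"] == v,
    "Has Bypass": lambda ctx, v: ctx["bypass"] == (v == "true"),
    "In Job": lambda ctx, v: ctx["in_job"] == (v == "true"),
    "Has Status": lambda ctx, v: ctx["status"] is not None and v in ("", ctx["status"]),
    "Has Object ACL": lambda ctx, v: ctx["object_acl"] == (v == "true"),
}

G, D = True, False                       # granted / denied
WORLD_READ_COPY = {"read": G, "write": D, "delete": D, "change": D,
                   "promote": D, "demote": D, "copy": G}
# Each ACL is an ordered list of ((accessor type, accessor ID), privileges).
ACLS = {
    "UGMASTER": [(("Role in Owning Group", "Designer"), {"write": G}),
                 (("Owning Group", None), {"write": D})],
    "Working": [(("Owning User", None), {"write": G, "delete": G, "change": G}),
                (("Group Administrator", None), {"delete": G, "change": G}),
                (("Owning Group", None), {"write": G}),
                (("System Administrator", None), {"delete": G, "change": G}),
                (("World", None), WORLD_READ_COPY)],
    "Vault": [(("World", None), WORLD_READ_COPY)],
    # Contents not given in this chapter; left empty here (assumption).
    "Bypass": [], "Items": [], "Item Revs": [],
}


def sample_tree():
    """The guide's sample rule tree for the UGMASTER example."""
    return Rule("Has Class", "POM_object", children=[
        Rule("Has Bypass", "true", "Bypass"),
        Rule("In Job", "true"),
        Rule("Has Status", "", "Vault"),
        Rule("Has Object ACL", "true"),
        Rule("Has Class", "POM_application_object", "Working", children=[
            Rule("Has Class", "Item", "Items"),
            Rule("Has Class", "Item Revision", "Item Revs"),
            Rule("Has Class", "Dataset", children=[
                Rule("Has Type", "UGMASTER", "UGMASTER"),
            ]),
        ]),
    ])


def effective_acl(rule, ctx):
    """Return [(acl name, accessor, privileges)] in traversal order."""
    if not CONDITIONS[rule.condition](ctx, rule.value):
        return []                        # trimmed together with its subbranches
    entries = []
    for child in rule.children:          # children first, top to bottom
        entries += effective_acl(child, ctx)
    if rule.acl:                         # then the rule's own ACL, if any
        entries += [(rule.acl, acc, privs) for acc, privs in ACLS[rule.acl]]
    return entries


def decide(entries, accessors):
    """Walk down each privilege column; the first grant or deny wins."""
    verdict = {}
    for priv in PRIVILEGES:
        verdict[priv] = None             # None: no applicable entry decided it
        for _acl, accessor, privs in entries:
            if accessor in accessors and priv in privs:
                verdict[priv] = privs[priv]
                break
    return verdict


# Constructed sample input: a working UGMASTER dataset and two sessions.
UGMASTER_DATASET = {"classes": {"POM_object", "POM_application_object", "Dataset"},
                    "type": "UGMASTER", "bypass": False, "in_job": False,
                    "status": None, "object_acl": False}
DESIGNER = {("Role in Owning Group", "Designer"), ("Owning Group", None),
            ("World", None)}
OTHER_MEMBER = {("Owning Group", None), ("World", None)}

if __name__ == "__main__":
    acl = effective_acl(sample_tree(), UGMASTER_DATASET)
    for name, accessor, privs in acl:
        print(name, accessor, privs)
    print(decide(acl, DESIGNER))
```

Because the Vault rule sits above the Working branch, giving the same dataset a status puts the Vault entries first in the effective ACL, so the World deny on write is reached before the Designer grant.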
The rule tree evaluation results in the following effective ACL:

[Table: effective ACL. Columns: Accessor, Accessor ID, Read, Write, Delete, Change, Promote, Demote, Copy, and the source ACL. The UGMASTER entries come first, followed by the WORKING entries for Owning User, Group Administrator, Owning Group, System Administrator, and World.]

The effective ACL is evaluated when a user attempts to access a UGMASTER dataset and the lines that do not apply to the user are ignored. For example, if you are a designer in the owning group of the UGMASTER dataset, but you are not the owning user, system administrator, or group administrator, the following entries in the ACL are applied when you try to access a UGMASTER dataset:

[Table: the effective ACL entries that apply to a designer in the owning group. Columns: Accessor, Accessor ID, Read, Write, Delete, Change, Promote, Demote, Copy.]

After the effective ACL is trimmed to only the entries that apply to the user attempting to access the dataset, the privileges in the remaining ACL entries are evaluated by working down each privilege column until you encounter a granted (✓) or denied (✗) symbol.

In this example, the privilege evaluation grants the accessor read, write, and copy privileges and denies the accessor delete, change, promote, and demote privileges.

Rule tree conditions

Table 1-5 describes conditions in the base rule tree, by category.

Table 1-5. Rule tree conditions

Category | Condition | Value | Description
Administrative | Has Bypass | true or false | Specifies whether the user has bypass privileges set. Bypass privilege supersedes other privileges.
Default | Has Class | class-name | Specifies an object class. The object is evaluated to determine whether it is of the specified class.
 | Has Attribute | class:attribute=value. class is the class of the object for which you set the rule. attribute is an attribute of the class. Supported attribute types are string, integer, double, logical, and reference. value is the value for which the attribute is evaluated. Note: Blank spaces are not allowed in the rule syntax. Logical values must be either 0 (false) or 1 (true). References can only be checked for a null_tag (0) or non-null (non-zero) value. | Specifies an attribute and value associated with a particular class.
 | Has Type | type-name | Specifies the object type against which the object is evaluated.
 | In Job | true or false | Specifies whether the target object is in a workflow job (process). This condition does not expect an ACL attached to a rule. It is a placeholder that indicates the point at which workflow ACLs are applied in the rule tree hierarchy.
 | Has Object ACL | true or false | Specifies that an ACL is associated with an object. This condition does not expect an ACL attached to a rule. It is a placeholder that indicates the point at which process ACLs and object ACLs are applied in the rule tree hierarchy.
 | Has Status | Accepts null entry. | Specifies the status type against which the object is evaluated.
General | Has Description | text-string. Note: The description value can contain wildcard characters. | Specifies a description for the object. The object is evaluated to determine whether the description matches this value.
 | Has Name | text-string. Note: The name value can contain wildcard characters. | Specifies a name against which the object is evaluated.
 | Has Form Attribute | form-storage-class:attribute=value. form-storage-class is the storage class for the form type on which you set the rule. attribute is an attribute of the form. Supported attribute types are POM string, POM int, and POM double. value is the value for which the attribute is evaluated. Note: Blank spaces are not allowed in the rule syntax. | Enables access control of items and item revisions by setting conditions on attributes of the Master form class. This rule can be applied to the ItemRevisionMaster form to control access to the item. This rule can also be used to control write access to the properties of items and item revisions, which in turn determine who can add or remove datasets associated with the item or item revision through a Specification relation. This rule cannot be used to control access to the datasets and it cannot be applied to user-defined forms. It should be added below the Working -> Item Revision/Item Rule rule in the rule tree.
 | Has Item ID | item-id. Note: The item ID value can contain wildcard characters. | Specifies an item ID against which the item is evaluated.
 | Is Archived | true or false | Specifies that the object's archive status is evaluated.
 | Is Local | true or false | Specifies whether the object's residence in the local database is evaluated. This condition is used when Multi-Site Collaboration is implemented.
 | Inactive Sequence | true or false | Used in conjunction with the Inactive Sequence Objects ACL. This condition specifies that previous sequences are historical and cannot be worked on independently. The latest sequence is always the working sequence for the
Ownership/Accessor | Owning User | user-ID | Evaluates whether the object is owned by the specified user.
 | Owning Group | group-name | Evaluates whether the object is owned by the group under which the user is logged on to Teamcenter. Wildcard characters can be used with the Owning Group condition to allow you to define rules applying to a group and all its subgroups. For example, assume that the Design group has two subgroups, Analysis.Design and Development.Design. By defining a value for the Owning Group condition using a wildcard, you can define a general rule to control access to all data owned by the Design group and its subgroups. For example: Owning Group(*Design) -> design_group_acl
 | Owning Site | site-name | Evaluates whether the object is owned by the specified site. This condition is used when Multi-Site Collaboration is implemented.
 | Owning Group Has Security | internal or external | Evaluates whether the owning group of the object has a security string. This condition is true only if the security value of the owning group is equal to the value of this condition.
 | Is SA | true or false | Specifies whether the user's system administration group membership is evaluated.
 | Is GA | true or false | Specifies whether the user's status as a group administrator in the current group is evaluated.
Incremental | In IC Context | true or false. Note: Always use the true value for this condition. The value false applies the rule to all objects, regardless of whether structure edits are being made. | Enables structure edits (occurrence edits, occurrence notes, transform edits, and attachment edits) to be controlled by the Product Structure Editor, Manufacturing Structure Editor, Collaboration Context, or Part Planner application. The rule does not depend on the properties of the object. When there is an active incremental change in the structure editor, the In IC Context(true) condition is satisfied and its associated ACL is applied.
Project | In Project | project-ID | Specifies a project to which the object must be assigned. The condition is evaluated as being true when the active project to which the object is assigned matches the project specified for this rule condition. If you use an empty string as the value for this condition, the condition is deemed true if the object is assigned to any active project.
 | In Current Project | The syntax for this rule is project-ID. | Specifies the project ID against which the object is evaluated. The condition is evaluated as being true when the object is in the current active project of the logged-on user, and the project ID of the current project matches the value for this condition. Note: This rule is not delivered with the default installation of Teamcenter and must be added manually.
 | Is Project Member | true or false | Specifies whether the user's membership in the project is evaluated. This condition is only true when the user is a current member of the project.
International Traffic in Arms Regulations (ITAR) | User Nationality | Two-character ISO 3166 codes. This condition accepts negation using a minus (-) prefix. For example, -us indicates any user not from the US. | Specifies the nationality of a user.
 | Group Nationality | Two-character ISO 3166 codes. This condition accepts negation using a minus (-) prefix. For example, -us indicates any user belonging to a group not from the US. | Specifies the nationality of a group or organization.
 | User Location | Two-character ISO 3166 codes. This condition accepts negation using a minus (-) prefix. For example, -us indicates any user located outside the US. | Specifies the location of the user.
 | Site Location | Two-character ISO 3166 codes. This condition accepts negation using a minus (-) prefix. For example, -us indicates any user at a site outside the US. | Specifies the location of the site.
 | User Is ITAR Licensed | true or false | Verifies the existence of a valid ITAR license that names the current user as a licensee.
 | Has Government Classification | Specific government classification attribute values that can be prefixed by the following operators: | Validates the government classification attribute value of the object against the value specified for the condition. The operators can be used without a clearance value, in which case the government classification attribute of the object is compared to the user's clearance level based on the specified operator. Note: If the object has no government classification attribute value, this rule does not apply.
 | Has No Government Classification | | Matches if the object has a null value for the government classification attribute.
 | User Has Government Clearance | Specific government clearance attribute values that can be prefixed by the following operators: | Validates the user's clearance level against the value specified for the condition. The operators can be used without a clearance value, in which case the user's clearance is compared to the government classification attribute of the object based on the specified operator. Note: If no value is supplied, the user must have a clearance value set.
 | User Is Excluded | | Specifies whether the user or group is cited by a valid exclusion license.
Table 1-5. Rule tree conditions (continued)

Category | Condition | Value | Description
Intellectual property (IP) | User Has IP Clearance | Specific clearance values that can be prefixed by the following operators: | Validates the user's clearance level against the value specified for the condition. The operators can be used without a clearance value, in which case the user's clearance is compared to the IP classification attribute of the object based on the specified operator. Note: If the data is not IP classified, the User Has IP Clearance condition is evaluated as being true regardless of whether or not the user is assigned a clearance level.
 | Object Has IP Classification | Specific IP classification attribute values that can be prefixed by the following operators: | Validates the IP classification attribute value of the object against the value specified for the condition. The operators can be used without a clearance value; the IP classification attribute of the object is compared to the user's clearance level based on the specified operator. Note: If the object has no IP classification attribute value, this rule does not apply.
 | Has No IP Classified | | Matches if the object has a null value for the IP classification attribute.
 | User Is Licensed | true or false | If set to true, verifies the existence of a valid (not expired) IP license that names the current user or their group as a licensee.

Accessor types and accessor precedence

An accessor is a user or group of users who share certain traits, such as membership in the group that owns the object or membership in the project team. The following list presents the predefined accessors delivered with Teamcenter in order of precedence, from most restrictive to least restrictive. The more restrictive the accessor, the higher precedence it has over other accessors.

Approver (RIG)
Approver (Role)
Approver (Group)
Approver
Task Owner
Task Owning Group
Responsible Party
Owning User
User Excluded
User ITAR Licensed
User ITAR Unlicensed
User Under Government Clearance
User Has Government Clearance
User Over Government Clearance
User IP Licensed
User IP Unlicensed
User Under IP Clearance
User Has IP Clearance
User Over IP Clearance
User
Group Administrator
Role in Owning Group
Role in Projects of Object
Role in Group
Role in Project
Role
Owning Group
System Administrator
Group
Current Project Team
Current Project Teams
Project Team
Groups with Security
Project Teams
RoleInAnySchedule
RoleInSchedule
Public Schedule
World
Site
Remote Site

For descriptions of each accessor type, see table 1-6.

Table 1-6 describes the accessor types by category.

Table 1-6. Accessor types by category

Category | Accessor | Description
General | Owning User | Users who initially created an object. Ownership can be transferred and additional privileges (for example, delete) are usually granted to an object's owner that are not granted to other users.
 | Owning Group | Group that owns the object. Usually, it is the group of the user creating the object. Additional privileges (for example, write) may be granted to the owning group, because it is common for users to share data with other members of their group.
 | Group | Project-oriented cluster of users. This allows all users in a group to access a common pool of project data regardless of the actual work each user performs.
 | Groups with Security | Users who have the given security value, either Internal or External.
 | Role | Function-oriented cluster of users.
 | Role in Group | Users who have a specific role in a specific group. Use this for granting privileges to all users performing the same skills and/or responsibilities on the same project.
 | Role in Owning Group | Users with a specific role in the object's owning group. This is useful for granting privileges to an inner-circle of users with the same skills and/or responsibilities on the same project. For example, all designers in the owning group are usually granted write privilege on their development data.
 | System Administrator | Users who are members of the system administration group.
 | Group Administrator | User who has special maintenance privileges for the group.
 | Site | A specific site.
 | Remote Site | Any site that is not local.
 | World | Any user, regardless of group or role.
 | User | A specific user.
Workflow | Approver (RIG) | Users who are members of a signoff team in a workflow process with a specific role in a specific group (RIG). This accessor is only used in a Workflow ACL and matches the signoff RIG requirements for the release level associated with the workflow ACL.
 | Approver (Role) | Users who are members of a signoff team in a workflow process in a specific role.
 | Approver (Group) | Users who are members of a signoff team in a workflow process in a specific group.
 | Approver | Users who are members of a signoff team in a workflow process regardless of their role and group.
 | Task Owner | Task owner is given privileges for the task's target data.
 | Task Owning Group | The owning group is given privileges for the task's target data.
 | Responsible Party | Users responsible for performing a particular task. This ensures that only the user assigned as responsible party is given privileges to the task's target data.
Project | Project Team | Team members in a particular project.
 | Project Teams | Team members in any active project for the object.
 | Current Project Team | Users who are members of a particular current project team. Applicable only when the project is set as the current project of the team members and if the current project is active.
 | Current Project Teams | Users who are members of current project teams. Applicable only when the object is in the current project of the team members, and the current project is active.
 | Role in Projects of Object | Users who have a specific role in one of the projects of the object. This accessor is affected by the values set in the AM_PROJECT_MODE preference. It is effective only when the user is logged in with the specified role in the current project, and the current project is one of the projects assigned to the defined object.
 | Role in Project | Project members with a specific role in a specific project. This is affected by the values set in the AM_PROJECT_MODE preference.
Scheduler | Public Schedule | Access to all users for schedules which are templates or made public. This accessor applies to the Schedule Manager application.
 | RoleInSchedule | Membership privileges of the logged-in user within a particular schedule. Member privileges (accessor IDs) can be COORDINATOR, PARTICIPANT, or OBSERVER. This accessor applies to the Schedule Manager application.
 | RoleInAnySchedule | Membership privileges of the logged-in user across all schedules in the system. Member privileges (accessor IDs) can be COORDINATOR, PARTICIPANT, or OBSERVER. This accessor applies to the Schedule Manager application.
ITAR | User Excluded | The user or group is cited in a valid exclusion license attached to the object.
 | User Has Government Clearance | Compares the user's clearance with the object classification and tests whether the user has clearance above, below, or equal to that required to access the object.
 | User ITAR Licensed | User is cited in a current license associated with the selected object.
 | User ITAR Unlicensed | User is not cited in a current license associated with the selected object.
 | User Under Government Clearance | The user's clearance is below the level required by the object. This accessor is typically used to revoke access and is only applicable when the government clearance on the user and the government classification on the object come from a common multi-level scheme defined by the ITAR_level_list_ordering preference.
 | User Over Government Clearance | The user's clearance is over the level required by the object. This accessor is typically used to grant access and is only applicable when the government clearance on the user and the government classification on the object come from a common multi-level scheme defined by the ITAR_level_list_ordering preference.
 | User IP Licensed | User is cited in a current license associated with the selected object either directly or by membership in a cited organization (group).
 | User IP Unlicensed | User is not cited in a current license associated with the selected object.
 | User Has IP Clearance | Compares the user's clearance with the object classification and tests whether the user has clearance above, below, or equal to that required to access the object.
 | User Over IP Clearance | The user's clearance is over the level required by the object. This accessor is typically used to grant access and is only applicable when the IP clearance on the user and the IP classification on the object come from a common multi-level scheme defined by the IP_level_list_ordering preference.
 | User Under IP Clearance | The user's clearance is below the level required by the object. This accessor is typically used to revoke access and is only applicable when the IP clearance on the user and the IP classification on the object come from a common multi-level scheme defined by the IP_level_list_ordering preference.

Access privileges

The following table describes the Teamcenter access privileges and the symbols that represent these privileges in the user interface.

Table 1-7. Access privileges

Privilege | Description
Read | Controls the privilege to open and view an object.
Write | Controls the privilege to modify the object.
Delete | Controls the privilege to delete the object.
Change | Controls the privilege to modify object protections that override the rules-based protection for the object. You must have change privileges to apply object-based protection (object ACLs).
Promote | Controls the privilege to move a task forward in a workflow process.
Demote | Controls the privilege to move a task backward in a workflow process.
Copy | Controls the privilege to copy an object.
Change ownership | Controls the privilege required to grant, change, or restrict ownership rights to an object.
Publish | Controls the publish privilege to users or groups.
Subscribe | Controls the privilege to subscribe to an event on a specified workspace object.
Export | Controls the privilege to export objects from the database.
Import | Controls the privilege to import objects in to the database.
Transfer out |
Transfer in |
Write Classification ICO |
Controls the privilege to transfer ownership of objects when they are exported from the database Controls the privilege to assign ownership of objects when they are imported in to the database. Controls the privilege to write Classification objects (COs) PLwo0020 ¢ Table 1-7. Access privileges Getting started ‘Symbol Privilege Description ¥ ‘Assign to project © Remove from project e Remote checkout és Unmanage © IP Admin = ITAR Admin cIco & Controls the privilege to assign an object toa project, This applies to users who are not designated as privileged project team members, Note The validation of the Assign to project privilege in conjunction with privileged project membership is evaluated based on the value of the TC_project_validate_conditions preference, Controls the privilege to remove an object from a project, This applies to users who are not designated as privileged project team members, Note The validation of the Assign to project privilege in conjunction with privileged project membership is evaluated based on the value of the TC_project_validate_conditions preference, Controls the privilege to remotely check. out an object, Enables users to circumvent the blocking implemented using the TC_session_clearance preference, For more information about session clearance, see the Security Administration Guide Enables users to add users to manage IP Hcenses, Enables users to add users to manage ITAR licenses, Controls checkin, checkout, transfer checkout, and cancel checkout features Basic tasks using Access Manager ‘Using Access Manager, you can: PLMo020 ¢ Accees Manager Guide 1413 Chapter 1 Getting started * Create, modify, and delete rules * Create, modify, and delete access control lists (ACLs) * Export and import the rule tree. For details on how to perform these tasks, see Creating and managing Access Manager rules, Creating and managing access control lists (ACLs), and Distributing, reverting, and repairing the rule tree. 
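The accessors and privileges described in this chapter meet in ACL entries, where each privilege is granted, denied, or left unset. The following Python model is an added example, not Teamcenter code and not part of the original guide. It assumes that a matching subbranch rule takes precedence over its parent, that the first matching entry with an explicit setting decides, and that no verdict means no access; the ACL contents, the names form_acl and finance_acl_focused, the users' groups, and the sample objects are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

GRANT, DENY = True, False  # a privilege absent from an entry is "unset"


@dataclass
class ACE:
    """One access control entry: an accessor plus its explicit settings."""
    accessor: str               # accessor type, e.g. "World", "Group"
    accessor_id: Optional[str]  # None for singular or relative accessors
    privileges: dict            # privilege -> GRANT or DENY; unset omitted


@dataclass
class Rule:
    """One rule tree node: condition, optional ACL name, subbranch rules."""
    label: str
    condition: Callable[[dict], bool]
    acl: Optional[str] = None
    children: list = field(default_factory=list)


def accessor_matches(ace, user, obj):
    """True when the user falls under the entry's accessor for this object."""
    if ace.accessor == "World":
        return True
    if ace.accessor == "Owner":
        return obj.get("owner") == user["id"]
    if ace.accessor == "Group":
        return ace.accessor_id in user["groups"]
    if ace.accessor == "User":
        return ace.accessor_id == user["id"]
    return False  # accessor types outside this model never match


def effective_acl(rule, obj, acls):
    """Collect (acl_name, ACE) pairs in precedence order for one object.

    Assumption of this model: a rule contributes only if its condition
    matches, and its subbranch rules come before the rule's own ACL.
    """
    if not rule.condition(obj):
        return []
    entries = []
    for child in rule.children:
        entries.extend(effective_acl(child, obj, acls))
    if rule.acl:
        entries.extend((rule.acl, ace) for ace in acls[rule.acl])
    return entries


def verdict(privilege, user, obj, tree, acls):
    """Return (granted, deciding_acl); unset privileges fall through."""
    for acl_name, ace in effective_acl(tree, obj, acls):
        if accessor_matches(ace, user, obj) and privilege in ace.privileges:
            return ace.privileges[privilege], acl_name
    return DENY, None  # assumption: no explicit verdict means no access


def build_tree(finance_acl_name):
    """Has Class(Form) with an embedded Has Type(Finance) subbranch."""
    return Rule(
        "Has Class(Form)", lambda o: o["class"] == "Form", "form_acl",
        [Rule("Has Type(Finance)", lambda o: o["type"] == "Finance",
              finance_acl_name)],
    )


# Constructed sample ACLs. finance_acl denies World both READ and WRITE;
# finance_acl_focused denies only READ and leaves WRITE unset.
ACLS = {
    "form_acl": [
        ACE("Owner", None, {"WRITE": GRANT, "DELETE": GRANT}),
        ACE("World", None, {"READ": GRANT}),
    ],
    "finance_acl": [
        ACE("Group", "finance", {"READ": GRANT, "WRITE": GRANT}),
        ACE("World", None, {"READ": DENY, "WRITE": DENY}),
    ],
    "finance_acl_focused": [
        ACE("Group", "finance", {"READ": GRANT, "WRITE": GRANT}),
        ACE("World", None, {"READ": DENY}),
    ],
}

# Constructed users and objects.
TAYLOR = {"id": "taylor", "groups": {"engineering"}}
SMITH = {"id": "smith", "groups": {"finance"}}
FINANCE_FORM = {"class": "Form", "type": "Finance", "owner": "taylor"}
OTHER_FORM = {"class": "Form", "type": "Note", "owner": "taylor"}


def access_report(user, obj, tree, acls=ACLS):
    """Privilege -> (granted, deciding ACL) for one user and object."""
    return {p: verdict(p, user, obj, tree, acls)
            for p in ("READ", "WRITE", "DELETE")}
```

With finance_acl, the World deny on Write stops the owner before form_acl is reached; with finance_acl_focused, Write is unset for World, so the owner's grant in form_acl decides.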
Chapter 2
Creating and managing Access Manager rules

The Access Manager (AM) rule tree determines privileges on objects in the database. You must have system administrator privileges to modify the AM rule tree.

Best practices and cautionary statements

* Do not modify access control lists (ACLs) referenced by rules on the System Objects branch.
  Adding new rules, deleting rules, or in any way modifying existing rules on the System Objects branch of the rule tree may result in unpredictable behavior or loss of data.

* Do not modify the upper area of the rule tree.
  Deleting or changing the order of the branches in this area of the rule tree may result in unpredictable behavior or loss of data.

* Do not use a text editor to modify rule tree files.
  Rule tree files are simple ASCII files and conform to a particular format. You can read rule tree files using any text editor; however, modifying them with a text editor can easily corrupt the file.

* Do not use the infodba account to change object ACLs.
  It is assumed that objects owned by infodba are seed parts or other special-case objects.

* Use the Has Attribute rule to create custom rules based on any attribute of an object of a given class. For example:

    WorkspaceObject:object_name=*x
    PublicationRecord:security=suppliers

  The class and attribute names are not case sensitive. The attribute type can be string, double, integer, logical, or reference. This rule supports custom attributes.

* Add new rules for working data in the Working Data branch of the tree.
  The proper location to add new rules for working data is under the Working Data branch in the rule tree. This helps you customize your rule tree and identify working data.

* Set security precedence.
  You can embed type-level security rules under project-level security rules to give the type-level security rules higher precedence than the project-level security rules. For example, the project administrator can add a subbranch under the Has Class (Form) rule entry to control access to certain form types that contain sensitive data. The rule for the form type is written as follows:

    Has Class (Form)
        Has Type(Finance)->finance_acl

  If your site requires that project-level security rules take precedence over type-level security rules, you must embed project-level security rules under the type-level security rules. However, Siemens PLM Software does not recommend this practice.

* Whenever possible, leave privileges unset.
  Leaving privileges unset in ACLs allows rules to accomplish focused objectives, and it also allows objects and accessors to filter through rules that do not apply to them.

* Define relevant ACL names.
  ACL names are displayed in the rule tree and in dialog boxes throughout the Teamcenter interface. You can significantly enhance overall usability by defining these names carefully. For example, when creating an ACL for working data, name it according to the data type (for example, item, item revision, or UGMASTER) rather than a role name or some other description.
  Note: ACLs can be referenced in more than one rule.

* Use discretion in applying the Bypass ACL.
  The Bypass ACL grants all privileges to system administrators who have set the User Status Bypass button to ON. Use discretion in applying this ACL.

Understanding the rule creation process

The basic process used to create rules is:

1. Add a rule to the tree.
2. Create and save the access control list (ACL).
3. Attach the new ACL to the rule by modifying the rule.

Tip: You must always save the rule or ACL after making modifications.

Add an Access Manager rule

1. Select the parent tree rule to which the new node will be added.
2. Set the Condition, Value, and ACL Name for the new rule.
   Note: ACLs can be referenced in more than one rule.
3. Click Add.
4. Click Save.
   This creates the new rule and adds it to the selected parent in the rule tree. An asterisk appears next to the Access Manager name indicating that the application has been modified.

Modify an Access Manager rule

1. Select the rule you want to modify.
2. Modify the condition or value in the rule pane.
3. To attach an ACL to the rule, select an ACL from the ACL Name list.
4. Click Modify.
5. Click Save.
   Note: When you make changes to a rule, the changes are not saved until you choose File→Save or click Save on the toolbar.

Delete an Access Manager rule

1. Select the rule you want to delete.
2. Click Delete.
3. Click Save.
   Note: Deleting a rule does not delete its corresponding ACL(s). To remove ACLs from the rule tree, they must be explicitly deleted.

Reposition an Access Manager rule in the rule tree

1. Select the rule that you want to reposition.
2. After selecting the rule, you can:
   * Click Move Up in the toolbar to move the rule up one level in the rule tree.
   * Click Move Down in the toolbar to move the rule down one level in the rule tree.
3. Click Save.

Chapter 3
Creating and managing access control lists (ACLs)

There are three types of ACLs:

* Rule tree ACL
  These ACLs control access to general data creation. They are managed through Access Manager.

* Workflow ACL
  These ACLs control access to data that is in process at a particular release level. They provide a subset of Access Manager functionality that can be accessed from Workflow Designer.

* Project ACL
  These ACLs control access to project data. They provide a subset of Access Manager functionality that can be accessed from Project.

Create an access control list (ACL)

1. Enter the ACL name in the ACL Name box.
2. Click Create.
3. Click the Save button to the right of the ACL Name box.
4. Click Add to add a new row to the access control entry (ACE) table.
5. Double-click the cell in the Type of Accessor column to select an accessor.
6. Double-click the cell in the ID of Accessor column to select an accessor ID.
   Note: Some accessor types, such as User, Group, and Role, require you to select an accessor ID to define a specific instance of the accessor type. Other accessor types, such as World and Owning Group, are either singular or are relative to the object being accessed; therefore, no ID is required.
7. Set privileges by double-clicking the cell corresponding to the privilege you want to set, and choose ✓ to grant privileges or choose X to deny privileges.
   Note: Whenever possible, do not explicitly set privileges. Leaving privileges unset allows rules to accomplish focused objectives by allowing objects and accessors to filter through rules that do not apply to them.
8. Click Save.

Modify an access control list (ACL)

1. Select the ACL you want to change from the ACL list.
   Note: You cannot modify the Accessor Type or Accessor ID values. To change these values, you must delete the entry and add a new entry that reflects the correct accessor type and ID.
2. Modify the privileges.
3. Click Save.

Delete an access control list (ACL)

1. Select the ACL you want to delete from the ACL list.
2. Click Delete ACL.
3. Click Save.

Chapter 4
Distributing, reverting, and repairing the rule tree

Importing and exporting the rule tree file enables you to distribute access rules to other Teamcenter sites and also enables you to restore your local rule tree file.

Note: Rules, ACLs, accessors, and privileges that support new functionality are introduced with each Teamcenter version. Introducing new rules into your security implementation requires analysis to determine how they should be used.

You can distribute rules to other sites by first exporting the rule tree as an ASCII file and then importing that file at the receiving site.

Before importing a rule tree file, you must ensure schema compatibility. To successfully load a new rule tree from a file, the importing site must have the same types, roles, and groups as those referenced in the rule tree file. If there is any incompatibility, the import operation is terminated at the first discrepancy and an error message appears.

If you encounter schema compatibility issues, open the rule tree file with a text editor and either print the file or make note of the types, roles, and groups referenced in the file. You can then use the Organization application to define the exact types, roles, and groups at your site.

Caution: Siemens PLM Software recommends that you do not modify the rule tree file in a text editor, as this file must conform to a particular format and can be easily corrupted. You can use Access Manager to modify the rule tree after the file is imported.
Reverting the rule tree to a previous version

You can export your access rules before making major changes to the rule tree, which enables you to import the file if the rules need to be restored.

Another method of restoring the rule tree is to import the file that is created each time the rule tree is saved. When you save the rule tree, a file is saved in the TC_DATA\am directory. This file is named tree_date-time; it can be used to revert the rule tree to its state at a specific date and time.

Access Manager bypass for administrators

The AM_BYPASS environment variable can be used to allow administrators to bypass Access Manager rules. This enables you to repair the rule tree in the event that rule tree modifications have been made that render you unable to functionally log on to Teamcenter. For example, if a rule tree modification results in rendering you unable to see your Home folder when you log on to Teamcenter, you can use the bypass privilege to log on and repair the rule tree.

Note: This environment variable should only be used when you cannot log on to Access Manager using your standard administrative logon. It is not intended for general rule tree maintenance.

Export the Access Manager rule tree

1. Choose File→Export.
2. Enter a name for the file into which you want to export the AM rule tree data and browse to the directory where you will store the new file.
3. Click Export.

Import the Access Manager rule tree

1. Choose File→Import.
2. Locate the ASCII file to be imported.
3. Click Import.

Chapter 5
Verifying the effect of access rules

After you have implemented access rules, you should verify that the rules produce the desired privileges for different types of accessors. You can do this by viewing the access privileges in My Teamcenter. You can also determine which rules resulted in a privilege being granted or denied by viewing the verdicts in the Extra Protection dialog box.

View access privileges

1. In My Teamcenter, select the object affected by the access rule and choose View→Access.
   Tip: You can also right-click the object and choose Access from the shortcut menu or you can click [icon] on the toolbar.
   The system displays the Access dialog box, which displays the privileges that the logged-on user has to the selected object.
2. To view the privileges of a different user, choose the user, group, and role from the lists in the Access dialog box.
   The system displays the privileges that the selected user has to the object.

Access dialog box

Figure 5-1 shows the privileges that two users, taylor and smith, have to the 000001/A dataset. The user taylor has Write, Delete, and Change privileges to the dataset. The user smith has Write privileges but does not have Delete or Change privileges.

Figure 5-1. Viewing access privileges

View the rules from which privileges are derived

* In the Access dialog box, click [icon].
  The system displays the Extra Protection dialog box (figure 5-2).

Figure 5-2. Extra Protection dialog box

View the access control list (ACL) associated with the object

* In the Access dialog box, click [icon].
  The system displays the ACL Control List dialog box (figure 5-3).

Figure 5-3. ACL Control List dialog box

Appendix A
Glossary

Access Control Entry (ACE)
In Access Manager, each pairing in the access control list of an accessor with the granted privileges.

Access Control List (ACL)
Access Manager component that contains a list of accessors and the privileges granted, denied, and not set for each accessor.

Accessor
Access Manager component that grants or denies privileges to clusters of users who share certain common traits (for example, perform the same function or work on the same project).

ACE
See Access Control Entry (ACE).

ACL
See Access Control List (ACL).

Approver
User who has a signoff in a workflow process regardless of role and group membership. In Access Manager, the approver accessor is used to allocate privileges that apply to all signoffs (for example, read access). See also RIG Approver, Role Approver, and Group Approver.

Class
Set of objects that share the same list of attributes but distinguishable by the value the attributes acquire for specific objects. For example, the Automobile class can be defined by the brand, color, and price, but each car associated to the Automobile class has a different brand, color, and price combination.
Class Hierarchy
Structure defining subclasses that inherit the attributes of their superclasses, also called their parents or ancestors.

Dataset
Teamcenter workspace object used to manage data files created by other software applications. Each dataset can manage multiple operating system files, and each dataset references a dataset tool object and a dataset business object.

Group
Organizational grouping of users at a site. Users can belong to multiple groups and must be assigned to a default group.

Group Administrator
User with special maintenance privileges for a group.

Group Approver
User who is a signoff in a workflow process with a specific group of users. In Access Manager, the group approver accessor is used in Workflow ACLs and matches the signoff definition (that is, group) for the release level associated with the Workflow ACL. The group approver accessor ensures that only signoffs are given privileges, not a user who matches the group. See also Approver, RIG Approver, and Role Approver.

Item
Workspace object generally used to represent a product, part, or component. Items can contain other workspace objects including other items and object folders.

Item Relation
Description of an association between a Teamcenter item and a piece of information that describes or is related to the item.

Item Revision
Workspace object generally used to manage revisions to items.

Item Revision Relation
Description of an association between a Teamcenter item revision and a piece of information that describes or is related to the item revision.

Master Form
Teamcenter workspace object used to display product information (properties) in a predefined template. Master forms are used to display product information in a standardized format.

Metadata
Object description in the Teamcenter database.

Named ACL
Named group of access controls. See also Access Control List (ACL).
Object-Based Protection
Use of access control lists to create exceptions to rules-based protection on an object-by-object basis. Object access control lists are most useful for either granting wider access or limiting access to a specific object.

Owner
User that owns an object, initially the user who created it. Ownership can be transferred from the owner to another user. An object owner usually has privileges that are not granted to other users (for example, the privilege to delete the object).

Owning Group
Group that owns an object, usually the group of the user creating the object. Because users commonly share data with other members of a group, additional privileges may be granted to the owning group (for example, the privilege to write to the object).

PLM XML
Siemens PLM Software format for facilitating product life cycle interoperability using XML. PLM XML is open and based on standard W3C XML schemas. Representing a variety of product data both explicitly and via references, PLM XML provides a lightweight, extensible, and flexible mechanism for transporting high-content product data over the Internet.

Privileged Team Member
Project team member with privileges to assign and remove objects from that project. Compare with Project Team Member.

Product Structure
Hierarchy of assembly parts and component parts with a geometric relationship between them, for example, a bill of materials (BOM). Variant and revision rules define the generic BOM. This BOM can then be loaded to display the configured variant.

Project
Basis for identifying a group of objects available to multiple organizations, such as project teams, development teams, suppliers, and customers for a particular piece of work.

Project Administrator
Teamcenter user with privileges to administer projects using Project. A project administrator creates, modifies, and deletes project information and team members.

Project Team Administrator
Project team member with privileges to modify project information and project team members for that project. Only one project team administrator is allowed per project.

Project Team Member
Project team member with read privileges to objects within that project. Compare with Privileged Team Member.

Propagation
Process of transferring characteristics of one object to another object.

Relation
Description of an association between a Teamcenter object and a piece of information that describes or is related to the object.

RIG Approver
User who is a signoff in a workflow process with a specified role and group. In Access Manager, the RIG approver accessor is used in Workflow ACLs and matches the signoff definition (that is, role in group) for the release level associated with the Workflow ACL. This accessor ensures that only signoffs are given privileges, not a user who matches the role in group. See also Approver, Group Approver, and Role Approver.

Role
Function-oriented cluster of users that models skills and/or responsibilities. The same roles are typically found in many groups. In Access Manager, role is an accessor used to grant privileges to all users with the same skills and/or responsibilities, regardless of project.
Role Approver
User who is a signoff in a workflow process with a specific role. In Access Manager, the role approver accessor is used in Workflow ACLs and matches the sign-off definition (that is, role in group) for the release level associated with the Workflow ACL. This accessor ensures that only signoffs are given privileges, not a user who matches the role. See also Approver, Group Approver, and RIG Approver.

Role in Group
Specific role in a specific group. In Access Manager, role in group is an accessor used to grant privileges to all users with the same skills and/or responsibilities, in the same group.

Role in Owning Group
Specific role in the object's owning group. In Access Manager, role in owning group is an accessor used to grant privileges to users with the same skills and/or responsibilities on the same project. For example, all designers in the owning group are usually granted write privilege on their development data.

Rules-Based Protection
Conditions or rules that control who can or cannot access objects. These rules are global (that is, they affect the entire Teamcenter site) and are enforced by the Access Manager. These rules are defined by a system administrator.

Rule Tree
Access Manager component the system administrator uses to grant users access to Teamcenter objects. It is a tree of rules and access permissions that when processed determines the access that each user has to a specified object.

System Administrator
Teamcenter user who is a member of the system administration group.

User
Definition that is the mechanism by which Teamcenter identifies and interacts with each user. User definitions contain a name (derived from the person definition), user ID, operating system name, and password.

Value
Content of a field or variable. It can refer to alphabetic, numeric, or alphanumeric data.

Workflow
Automation of the concept that all work flows through one or more business processes to accomplish an objective. Using workflow, documents, information, and tasks are passed between participants during the completion of a particular process.

World
All users regardless of group or role.
