
05 Verifying The Effect of Access Rules


Chapter 5 Verifying the effect of access rules

Verifying the effect of access rules
  View access privileges
    View access privileges example
  View the rules from which privileges are derived
  View the access control list (ACL) associated with the object
  View performance statistics

PLM00020 I Access Manager Guide


Verifying the effect of access rules


After you implement access rules, verify that the rules produce the desired privileges
for different types of accessors. You can do this by viewing the access privileges in
My Teamcenter. You can also determine which rules result in a privilege being
granted or denied by viewing the verdicts in the Extra Protection dialog box.
In addition, you can view performance statistics.

View access privileges


1. In My Teamcenter, select the object affected by the access rule and choose
View→Access.
Tip
You can also right-click the object and choose Access from the shortcut
menu or you can click on the toolbar.

The Access dialog box appears, showing the privileges that the logged-on user
has to the selected object.

Note
The Digital Sign privilege listed in the Access dialog box is not available
in the current release.

2. To view privileges assigned to your other roles and groups, select the role or
group from the lists in the Access dialog box.

The system updates the Access table to reflect the privileges of the selected
group and role.

3. To view the privileges of a different user, select the user, group, and role from the
lists in the Access dialog box.
The system updates the Access table to reflect the privileges of the selected
user, group and role.

View access privileges example


In this example, you see privileges for two users for one object. To view access on a
selected object, choose View→Access.
The Access dialog box shows the user taylor has Write, Delete, and Change
privileges to the 000001/A dataset.

To view the privileges of a different user, select the user, group, and role from the
lists in the Access dialog box.
The Access dialog box shows the user smith has Write privileges but does not have
Delete or Change privileges to the 000001/A dataset.

Note
The Digital Sign privilege listed in the Access dialog box is not available
in the current release.

View the rules from which privileges are derived


• In the Access dialog box, click .

The Extra Protection dialog box appears, showing the rules that apply to a
privilege being granted or denied.

Note
The Digital Sign privilege listed in the Extra Protection dialog box is
not available in the current release.

View the access control list (ACL) associated with the object
• In the Access dialog box, click .
The system displays the ACL Control List dialog box.


Note
The Digital Sign privilege listed in the ACL Control List dialog box is
not available in the current release.

View performance statistics


You can use the AM_PERFORMANCE_STATISTICS environment variable to
view Access Manager performance statistics for each call to a rule or accessor
function. For example, if you customize access rules, you can use the performance
statistics to view the performance of the customization. The statistics are logged
to the syslog file at server shutdown.
Note
Because collecting the statistics has a significant performance impact, the
feature is disabled by default.

Statistics are logged in both grep/Excel-compatible and human-readable format.


The grep utility is used to extract the statistics entries from the syslog file using
the AM_STATISTIC_ENTRY string. Each resulting entry is in comma-separated
values (CSV) format for import into Microsoft Excel.
grep/Excel format:

AM_STATISTIC_ENTRY,entry_type,name,call_count,min_cpu,max_cpu,total_cpu,min_real,max_real,total_real,min_sql,max_sql,total_sql

Where:
entry_type: RULE | ACCESSOR
name: Name of the rule or accessor function
call_count: Total number of calls to this Rule or Accessor function
min_cpu: Minimum number of seconds of CPU time used by a call to this function
max_cpu: Maximum number of seconds of CPU time used by a call to this function
total_cpu: Total number of seconds of CPU time used by all calls to this function
min_real: Minimum number of seconds of real time used by a call to this function
max_real: Maximum number of seconds of real time used by a call to this function
total_real: Total number of seconds of real time used by all calls to this function
min_sql: Minimum number of SQL requests used by a call to this function
max_sql: Maximum number of SQL requests used by a call to this function
total_sql: Total number of SQL requests used by all calls to this function

The following is an example in grep/Excel:


AM_STATISTIC_ENTRY,RULE,Owning User,8601,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0,0,0
AM_STATISTIC_ENTRY,RULE,Has Class,198591,0.000000,0.016000,0.186000,0.000000,0.016000,0.156000,0,0,0
AM_STATISTIC_ENTRY,RULE,Has Status,16416,0.000000,0.016000,0.031000,0.000000,0.016000,0.031000,0,0,0
AM_STATISTIC_ENTRY,RULE,In Job,8208,0.000000,0.016000,0.016000,0.000000,0.016000,0.016000,0,0,0
AM_STATISTIC_ENTRY,ACCESSOR,World,321,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0,0,0
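
The following Python parser for the AM_STATISTIC_ENTRY lines above is an added example, not part of the guide: it skips ordinary syslog lines, rejects malformed entries, derives the per-call CPU average, and ranks entries by total CPU time. The names AmStat, parse_am_statistics and costliest, the noise line and the truncated entry are constructed for this illustration, and it assumes a name containing a comma would be CSV-quoted.

```python
import csv
from dataclasses import dataclass

MARKER = "AM_STATISTIC_ENTRY"
FIELD_COUNT = 13  # marker plus the 12 fields named in the guide's format line
# Constructed sample: the guide's five entries plus invented noise and a truncated entry.
SAMPLE_SYSLOG = """\
INFO (constructed) server shutting down
AM_STATISTIC_ENTRY,RULE,Owning User,8601,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0,0,0
AM_STATISTIC_ENTRY,RULE,Has Class,198591,0.000000,0.016000,0.186000,0.000000,0.016000,0.156000,0,0,0
AM_STATISTIC_ENTRY,RULE,Has Status,16416,0.000000,0.016000,0.031000,0.000000,0.016000,0.031000,0,0,0
AM_STATISTIC_ENTRY,RULE,In Job,8208,0.000000,0.016000,0.016000,0.000000,0.016000,0.016000,0,0,0
AM_STATISTIC_ENTRY,ACCESSOR,World,321,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0,0,0
AM_STATISTIC_ENTRY,RULE,Constructed Truncated,12,0.000000
"""

@dataclass
class AmStat:
    entry_type: str
    name: str
    call_count: int
    total_cpu: float
    total_real: float
    total_sql: int
    @property
    def avg_cpu(self) -> float:
        return self.total_cpu / self.call_count if self.call_count else 0.0

def parse_am_statistics(text):
    """Return (entries, rejected_lines) from raw syslog text."""
    entries, rejected = [], []
    for line in text.splitlines():
        pos = line.find(MARKER)
        if pos < 0:
            continue  # ordinary syslog line
        row = next(csv.reader([line[pos:]]))
        try:
            if len(row) != FIELD_COUNT or row[1] not in ("RULE", "ACCESSOR"):
                raise ValueError("unexpected layout")
            entries.append(AmStat(row[1], row[2], int(row[3]),
                                  float(row[6]), float(row[9]), int(row[12])))
        except ValueError:
            rejected.append(line)
    return entries, rejected

def costliest(entries, entry_type="RULE"):
    """Entries of one type, highest total CPU time first."""
    picked = [e for e in entries if e.entry_type == entry_type]
    return sorted(picked, key=lambda e: e.total_cpu, reverse=True)
```

Rounded to six decimals, avg_cpu matches the Average column of the human-readable report for the same entries.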

The human-readable format contains the statistics in tabular form with column
and row labels.
The following is an example in human-readable format:

Access Manager Rule Statistics

Rule_Name        Total Calls
  Resource       Minimum     Maximum     Average     Total

Owning User      8601
  CPU Time       0.000000    0.000000    0.000000    0.000000
  Real Time      0.000000    0.000000    0.000000    0.000000
  SQL Calls      0           0           0.000000    0
Has Class        198591
  CPU Time       0.000000    0.016000    0.000001    0.186000
  Real Time      0.000000    0.016000    0.000001    0.156000
  SQL Calls      0           0           0.000000    0
Has Status       16416
  CPU Time       0.000000    0.016000    0.000002    0.031000
  Real Time      0.000000    0.016000    0.000002    0.031000
  SQL Calls      0           0           0.000000    0
In Job           8208
  CPU Time       0.000000    0.016000    0.000002    0.016000
  Real Time      0.000000    0.016000    0.000002    0.016000
  SQL Calls      0           0           0.000000    0

Access Manager Accessor Statistics

Accessor_Name    Total Calls
  Resource       Minimum     Maximum     Average     Total

World            321
  CPU Time       0.000000    0.000000    0.000000    0.000000
  Real Time      0.000000    0.000000    0.000000    0.000000
  SQL Calls      0           0           0.000000    0



Appendix A Glossary


access control entry (ACE)
In Access Manager, each pairing in the access control list of an accessor with the
granted privileges.

access control list (ACL)
Access Manager component that contains a list of accessors and the privileges
granted, denied, and not set for each accessor.

accessor
Access Manager component that grants or denies privileges to clusters of users who
share certain common traits (for example, perform the same function or work on
the same project).

ACE
See access control entry (ACE).

ACL
See access control list (ACL).

ADA License
Application that administers International Traffic in Arms Regulations (ITAR),
intellectual property (IP), and exclude licenses. It provides enhanced control and
new attributes for these licenses. ADA stands for Authorized Data Access.

approver
User who has a signoff in a workflow process regardless of role and group
membership. In Access Manager, the approver accessor is used to allocate privileges
that apply to all signoffs (for example, read access). See also RIG approver, role
approver, and group approver.

class
Set of objects that share the same list of attributes but are distinguishable by the
values the attributes acquire for specific objects. For example, the Automobile class
can be defined by the brand, color, and price, but each car associated to the
Automobile class has a different brand, color, and price combination.

class hierarchy
Structure defining subclasses that inherit the attributes of their superclasses, also
called their parents or ancestors.

dataset
Teamcenter workspace object used to manage data files created by other software
applications. Each dataset can manage multiple operating system files, and each
dataset references a dataset tool object and a dataset business object.

group (Organization)
Organizational grouping of users at a site. Users can belong to multiple groups
and must be assigned to a default group.

group administrator
User with special maintenance privileges for a group.

group approver
User who is a signoff in a workflow process with a specific group of users. In Access
Manager, the group approver accessor is used in Workflow ACLs and matches the
signoff definition (that is, group) for the release level associated with the Workflow
ACL. The group approver accessor ensures that only signoffs are given privileges, not
a user who matches the group. See also approver, RIG approver, and role approver.

item
Workspace object generally used to represent a product, part, or component. Items
can contain other workspace objects including other items and object folders.

item relation
Description of an association between a Teamcenter item and a piece of information
that describes or is related to the item.

item revision
Workspace object generally used to manage revisions to items.

item revision relation
Description of an association between a Teamcenter item revision and a piece of
information that describes or is related to the item revision.

master form
Teamcenter workspace object used to display product information (properties) in
a predefined template. Master forms are used to display product information in
a standardized format.

metadata
Object description in the Teamcenter database.

named ACL
Named group of access controls. See also access control list (ACL).

object-based protection
Use of access control lists to create exceptions to rules-based protection on an
object-by-object basis. Object access control lists are most useful for either granting
wider access or limiting access to a specific object.

owner
User that owns an object, initially the user who created it. Ownership can be
transferred from the owner to another user. An object owner usually has privileges
that are not granted to other users (for example, the privilege to delete the object).

owning group
Group that owns an object, usually the group of the user creating the object. Because
users commonly share data with other members of a group, additional privileges may
be granted to the owning group (for example, the privilege to write to the object).

PLM XML
Siemens PLM Software format for facilitating product life cycle interoperability
using XML. PLM XML is open and based on standard W3C XML schemas.
Representing a variety of product data both explicitly and via references, PLM
XML provides a lightweight, extensible, and flexible mechanism for transporting
high-content product data over the Internet.

privileged team member
Project team member with privileges to assign and remove objects from that
project. Compare with project team member.

product structure
Hierarchy of assembly parts and component parts with a geometric relationship
between them, for example, a bill of materials (BOM). Variant and revision rules
define the generic BOM. This BOM can then be loaded to display the configured
variant.

project
Basis for identifying a group of objects available to multiple organizations, such as
project teams, development teams, suppliers, and customers for a particular piece
of work.

Project administrator
Teamcenter super user with unrestricted access to administer projects they create
using the Project application. A Project administrator creates, modifies, and deletes
project information and team members.

project team administrator
Project team member with privileges to modify project information and project team
members for that project. Only one project team administrator is allowed per project.

project team member
Team member who does not have privileges to assign objects to or remove objects
from their projects. Compare with privileged team member.

propagation
Process of transferring characteristics of one object to another object.

relation
Description of an association between a Teamcenter object and a piece of information
that describes or is related to the object.

RIG approver
User who is a signoff in a workflow process with a specified role and group. In
Access Manager, the RIG approver accessor is used in Workflow ACLs and matches
the signoff definition (that is, role in group) for the release level associated with
the Workflow ACL. This accessor ensures that only signoffs are given privileges,
not a user who matches the role in group. See also approver, group approver, and
role approver.

role
Function-oriented cluster of users that models skills and/or responsibilities. The
same roles are typically found in many groups. In Access Manager, role is an accessor
used to grant privileges to all users with the same skills and/or responsibilities
regardless of project.

role approver
User who is a signoff in a workflow process with a specific role. In Access Manager,
the role approver accessor is used in Workflow ACLs and matches the sign-off
definition (that is, role in group) for the release level associated with the Workflow
ACL. This accessor ensures that only signoffs are given privileges, not a user who
matches the role. See also approver, group approver, and RIG approver.

role in group
Specific role in a specific group. In Access Manager, role in group is an accessor
used to grant privileges to all users with the same skills and/or responsibilities
in the same group.

role in owning group
Specific role in the object’s owning group. In Access Manager, role in owning
group is an accessor used to grant privileges to users with the same skills and/or
responsibilities on the same project. For example, all designers in the owning group
are usually granted write privilege on their development data.

rules-based protection
Conditions or rules that control who can or cannot access objects. These rules are
global (that is, they affect the entire Teamcenter site) and are enforced by the Access
Manager. These rules are defined by a system administrator.

rule tree
Access Manager component the system administrator uses to grant users access to
Teamcenter objects. It is a tree of rules and access permissions that when processed
determines the access that each user has to a specified object.

system administrator
Teamcenter user who is a member of the system administration group.

user
Definition that is the mechanism by which Teamcenter identifies and interacts with
each user. User definitions contain a name (derived from the person definition), user
ID, operating system name, and password.

value
Content of a field or variable. It can refer to alphabetic, numeric, or alphanumeric
data.

workflow
Automation of the concept that all work flows through one or more business
processes to accomplish an objective. Using workflow, documents, information, and
tasks are passed between participants during the completion of a particular process.

world
All users regardless of group or role.
