I have a problem with OBJECT ACL. I have a form. The role "Structural Designer" and the role "Weight Specialist" have write access to the form. When I revoke the write access of "Structural Designer" using the Teamcenter interface, OBJECT ACL, the write access of "Weight Specialist" is revoked, too. However, these roles are different and unrelated. In my structure there is no relation between the roles. Does anybody have an idea what could cause this problem?
Thanks in advance.
Try to get rid of object ACL!
IMHO most installations use ACLs within the rule tree definition. It is mainly configured on the accessor Group or Role.
In a workflow, I need to revoke the write access of the role that approves after approval, because approval means that the design or form is completed, so there is no need for write access, and I do that with OBJECT ACL. That's why I use it.
But even then, Object ACLs are the wrong approach. Please familiarize yourself with TC access management.
Rules-based protection is the primary security mechanism.
• Controlling access to data on a global basis.
• Determining whether a user has permission to view or perform an action on an object.
• Filtering data according to the attributes of the data.
• Granting privileges to the data according to the users' IDs and their session context (the group and role they used to log on).
Rules are defined by a combination of:
• A condition.
• A value for the condition.
• An access control list (ACL) that grants privileges to accessors.
The condition and value identify the set of objects to which the rule applies; the ACL defines the privileges granted to users (accessors).
TC objects which do not have a status object are controlled by the 'working' ACL.
TC objects which have a status object (released objects) are controlled by the 'vault' ACL.
In the case of a workflow: a workflow ACL has a higher priority than the working or vault ACL. This means that if you define a workflow ACL, it overrides the rule tree definition, as long as the workflow is still active. E.g. if you set the workflow ACL 'vault' after the approval task, nobody has write access to the target objects. And after the workflow is finished, the 'vault' ACL is valid anyway, because all your released objects have a released status.
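
A simplified model of the precedence described in the reply above, added here as an illustration; it is not part of the original thread and not Teamcenter code. The ACL contents, the first-match evaluation, and all Python names are assumptions made for the example; only the role names and the 'working'/'vault'/workflow ordering come from the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ACL contents for illustration; real named ACLs are site-specific.
# Each entry: (accessor role or "World", privilege, granted?)
NAMED_ACLS = {
    "working": [("Structural Designer", "write", True),
                ("Weight Specialist", "write", True),
                ("World", "read", True)],
    "vault":   [("World", "write", False),
                ("World", "read", True)],
}

@dataclass
class TcObject:
    has_status: bool = False            # released objects carry a status
    workflow_acl: Optional[str] = None  # named ACL set by an active workflow

def applicable_acls(obj):
    """Named ACLs that apply, highest priority first."""
    names = []
    if obj.workflow_acl:                # workflow ACL outranks working/vault
        names.append(obj.workflow_acl)
    names.append("vault" if obj.has_status else "working")
    return names

def is_allowed(obj, role, privilege):
    """First entry matching the accessor and privilege decides; default deny."""
    for name in applicable_acls(obj):
        for accessor, priv, granted in NAMED_ACLS[name]:
            if priv == privilege and accessor in (role, "World"):
                return granted
    return False

def lifecycle(role):
    """Write access for `role` at each stage of the approval workflow."""
    stages = {
        "in work": TcObject(),
        "after approval task": TcObject(workflow_acl="vault"),
        "workflow finished": TcObject(has_status=True),
    }
    return {stage: is_allowed(obj, role, "write") for stage, obj in stages.items()}

if __name__ == "__main__":
    for role in ("Structural Designer", "Weight Specialist"):
        print(role, lifecycle(role))
```

In this model both roles lose write access at the approval task without any per-object ACL being edited, and read access is unaffected at every stage.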