WCBasicAdminGuide.pdf

Overview of Windchill Participants

Windchill uses the term participant to mean a user, group, or an organization; it includes any combination of users, groups, or organizations.

As the Windchill system administrator for any Windchill solution, you can create and update Windchill user, group, and organization objects through the Participant Administration utility. As an Organization Administrator, you can update the Windchill user, group, and organization objects that are in your organization context.

Note

When a Windchill solution is installed, the system administrative user (Administrator), the system administrative group (Administrators), and the initial organization object are always created. By default, the user Administrator (for example, wcadmin) belongs to the Administrators group. This user does not have an organization affiliation (as defined by the LDAP organization attribute, which is "o" by default).

Windchill uses both the Windchill database and a directory service when creating participants. For each participant, there is an entry in a directory service and a Windchill object stored in the database:

The directory service entry contains attributes specific to the type of participant. For example, user entries have attributes for the user’s full name, email address, and organization.

The Windchill Directory Server is set up when your Windchill solution is installed. Other directory services can be established by setting up JNDI adapter entries through the Info*Engine Property Administrator and adding the adapter entries to the wt.federation.org.directoryServices property value.

For additional information, see the PTC Windchill Installation and Configuration Guide.

The Windchill object contains information that is relevant to Windchill (such as the associated domain) and the Unique Federation Identifier (UFID) associated with the participant.

The UFID contains the distinguished name of the participant and identifies the directory service where the participant entry resides.

PTC Windchill® Basic Administration Guide

Note

If the LDAP directory server is read-only, edit and create actions are not available for participants and Windchill uses existing LDAP entries as participants.

The following sections provide additional details about Windchill participants.

Windchill Users

A Windchill user object identifies a user and is used when establishing group membership and policy rules for that user. It is stored in the Windchill database and holds user information for those users who have access to Windchill. This information includes the user name, the UFID associated with the user, the Windchill domain of the user, and administrative flags that are set if the object needs to be repaired or is disabled.

A Windchill user object is automatically created and persisted in the Windchill database the first time the user is selected from a search or the first time the user logs on to Windchill. In both of these cases, the corresponding directory service entry for the user already exists and is then referenced in the object that is created. As an administrator, you can also create, update, and delete users through the Participant Administration utility.

Windchill does not rely on the user object to authenticate users. Rather, the web server authenticates users and passes the authenticated user name to Windchill. The user's web server ID is then mapped directly to the user object that has a matching user name.

Windchill users are usually affiliated with an organization that is set through the directory service organization attribute (by default, "o"). If the organization attribute is not set, then the user is an unaffiliated user and cannot create products, libraries, projects, or programs. However, that user can be invited to a team by email or by selecting the Restricted Directory Search checkbox when creating or editing the organization. Users that have been invited to the team through one of these methods can do the same things within the product, library, project, or program as any other member.

Understanding Participants (Users, Groups, and Organizations)

Note

If your site does not use the organization attribute in the directory service entry, users can be assigned to an organization by specifying the usersOrganizationName property in a JNDI adapter. For more information on using this property, see the PTC Windchill Installation and Configuration Guide.
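An administrator reviewing which directory users are unaffiliated can run the check described above over an LDIF export of the directory. The following is an added example, not code from PTC or from the guide: it parses LDIF (including folded lines and base64 values) and lists users with no organization attribute, skipping accounts such as the Administrator user that are expected to have none. The sample entries, the DNs, and the use of the uid attribute to recognize user entries are assumptions.

```python
import base64

# Constructed sample LDIF export; DNs and the uid attribute are assumptions.
SAMPLE_LDIF = """\
dn: uid=wcadmin,ou=people,dc=example,dc=com
uid: wcadmin

dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
o: Example
  Corp

dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
o:: QWNtZQ==

dn: uid=contractor1,ou=people,dc=example,dc=com
uid: contractor1
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry; handles folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():                   # blank line ends an entry
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def unaffiliated_users(entries, org_attr="o", expected=("wcadmin",)):
    """uids with no non-blank organization value, minus accounts expected to lack one."""
    flagged = []
    for entry in entries:
        uid = entry.get("uid", [""])[0]        # entries without uid (groups) are skipped
        has_org = any(v.strip() for v in entry.get(org_attr.lower(), []))
        if uid and not has_org and uid not in expected:
            flagged.append(uid)
    return flagged
```

Pass `org_attr` when the site has changed the organization attribute from the default "o". Where organizations are assigned through usersOrganizationName in a JNDI adapter instead, a missing attribute does not mean the user is unaffiliated.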

Windchill Groups

Windchill has two types of groups:

User-defined groups are those groups created and managed by the users of a Windchill solution. These groups can be created through the Participant Administration utility or through a third-party LDAP tool, and have a corresponding UFID that is maintained in an LDAP database.

System groups are created and managed internally by the system and do not have a corresponding UFID. Windchill uses system groups for managing context team membership and other system activities.

Additionally, dynamic roles represent the system groups that are used in managing context team membership. Dynamic roles can be participants in access control policy rules. For additional information, see the PTC Windchill Specialized Administration Guide.

Organizing users into user-defined groups provides you with a more efficient way to apply policies for access control and event notification, to populate participants in team and life cycle roles, and to populate recipients of workflow tasks. Each user-defined group object identifies selected users, organizations, and possibly other groups, under one name. You can create user-defined groups so that you can efficiently apply administrative tasks to groups of users, rather than to each user individually.

User-defined groups are associated with the context in which they are created. Some Windchill solutions also create and manage system groups that are used to manage team role membership. These groups are not accessible from the Participant Administration utility. For more information on accessing groups from the Participant Administration utility, see Using the Participant Administration Utility on page 265.

A Windchill user-defined group object holds the group name, the UFID associated with the group, the Windchill domain of the group, and administrative flags that are set if the object needs to be repaired or is disabled. The UFID contains the distinguished name of the user-defined group and identifies the directory service where the user-defined group entry resides.
