From within the Policy Administration utility, the hierarchy is shown as follows:

/ (Site)

|-Private (Organization Bike Company)

|--Default (Project Future Bike)

|--System (Project Future Bike)

The domain hierarchy for the /Default domain in a product, library, project, or program depends on whether a shared team is used, or if a shared team is not used, on the Private Access selection. If a shared team is used, the Private Access selection is disabled. When creating a project (or program), the manager selects the Private Access option Project Members Only (or Program Members Only) to create a private project (or program) that uses a domain hierarchy branch that starts with /Private. Selecting any other Private Access option creates a public project (or program) that uses a domain hierarchy branch that starts with the /Default domain in the organization context.

When creating a product (or library), the manager selects Yes for the Private Access option to create a private product (or library) that uses a domain hierarchy branch that starts with /Private. Selecting No creates a public product (or library) that uses a domain hierarchy branch that starts with the /Default domain in the organization context.

The /Private domain in the organization context only contains an out-of-the-box policy rule granting access rights to the organization context administrators, which is why it is named /Private. The /Default domain and its child domains in the organization context have a set of out-of-the-box policy rules that provide access rights to a broader set of participants, and so application contexts inheriting from these domains are referred to as public contexts.

Domains in the Site Context

When a Windchill solution is installed, the following domains are initially defined in the site context:

The root, /System, /User, and /Default domains cannot be moved or deleted. Also the domain names of these domains and of the /Unaffiliated domain are configured through the wt.properties file.

The /System, /User, /Default, and /SessionIterationDomain domains belong to the / (root) domain. Additional domains can be defined and associated with the root domain, or domains can be nested by defining them as children of another domain. This allows you to define a hierarchy of domains and then define policies at each level in the hierarchy.

Creating Domains

Windchill automatically creates domains as follows:

•During installation, as described earlier in this chapter.

•When you create contexts. Each context template defines a set of domains that are created.

•Each time Windchill identifies a user that is affiliated with an organization that does not have an associated domain, Windchill creates the corresponding domain for the organization as a child domain of the User domain.

In addition, administrators can manually create domains.

The name of a domain can be a maximum of 200 characters. When Windchill automatically creates the domains associated with organizations, the domain name is usually the same as the organization name. However, organization names can be

up to 200 characters. Therefore to name the domain, Windchill truncates the organization name to 193 characters. This allows Windchill to add a maximum of seven more characters to the domain name to identify a unique name when two or more organizations have the same beginning 193 characters in their names. When the truncated domain name is not unique, Windchill appends [1] to the truncated name. If appending [1] to the name does not make it unique, then Windchill appends [2] instead of [1]. If appending [2] does not make the name unique, then [3] is appended and so on until a unique name is found or until the maximum number of attempts to find a unique name is achieved. The maximum number of attempts is defined in the following property in the wt.properties file:

wt.inf.container.WTContainerServerHelper.maxDomainCreationAttempts

The default value for this property is 25.

If the organization name contains a forward slash ( / ), Windchill automatically converts the forward slash to a dash ( - ) in the domain name. For example, if the organization name is "ABC/Main", the domain name created would be "ABCMain".

Note

After Windchill creates a domain that is associated with an organization, an administrator can change the domain name to something more meaningful; Windchill does not rely on the organization domain name matching the organization name.

Defining Domain-based Policies

Using the Policy Administration utility, you can create additional domains and define or change the rules set for each domain. For example, you can define the following:

•An access control policy, which determines a participant's permissions to access objects associated with the domain.

•An indexing policy, which determines the collections into which metadata for an object is entered when the object is in a specific life cycle state.

•A notification policy, which determines who is informed when an event of interest occurs to an object in the domain.

Load files can include sets of domain-based policies for access control and indexing. Templates that are used to create contexts can only include sets of domain-based policies for access control.

Note

Policy rules apply to object types. Access to an instance of an object type can be governed by ad hoc access control rules in addition to policy rules.

For more information, see the Access Control chapter of the PTC Windchill Specialized Administration Guide..

Using the Policy Administration Utility

The Policy Administration utility initially operates within the confines of the context from which it is started. You can access the Policy Administration utility

from the Utilities pages that are under the Site , Organizations , Products ,

Libraries , Projects , and Programs .

You begin policy administration on the Policy Administration window. From this window, you have access to the following domains:

•The domains that are in the current context.

•The parent domains of the domains in the current context.

When accessing the Policy Administration utility from Site Utilities, the initial window is similar to the following:

The domains display in a tree view which is open to the domains at the top of the domain hierarchy within the current context. The current context appears selected in the Context drop-down list.

The format of each domain in the list includes the domain name followed by the following information in parentheses:

•The type of context (for organization and application contexts)

•The name of the context where the domain resides

For example, if a domain in the list is shown as Default (Library Common Parts), then the domain name is Default and the domain resides in the library context named Common Parts. If the Default domain is in the Site context, then you will see Default (Site). In this case, the context type is not displayed.