
SIEMENS

Teamcenter 12.2

Access Controls
AW022 • 12.2
Contents

Administering Access Controls  1-1
    Managing your users' access to data using Access Controls  1-1
    What are Access Controls rules?  1-2
    Create, modify, or delete Access Controls rules  1-2
    What are Access Controls conditions?  1-4
    Create, modify, or delete Access Controls conditions  1-5
    What are Access Controls operation groups?  1-6
    Create, modify, or delete Access Controls operation groups  1-6

Installing Access Controls  2-1
    Prerequisites for installing Access Controls  2-1
    Install the Access Controls Active Workspace application and the Microservice component  2-1
    Post-install Access Controls steps  2-4
    Manually migrate your existing Access Manager rules  2-5

Verify and test Access Controls rules with am_rule_test_harness  3-1

Using the Access tab  4-1
    Viewing access rights  4-1
    Adding the Access tab  4-2
    Setting BMIDE conditions  4-3

Best practices  A-1
    Clear object indexing  A-1

Migrate custom conditions and accessor types  B-1

Access Controls conditions  C-1
    Access conditions by group  C-1

Information about out-of-the-box rules, conditions, and operations  D-1

AW022 12.2 Access Controls 3


Chapter 1: Administering Access Controls

Managing your users' access to data using Access Controls


Managing how users access your company data is an important factor in information security.
Users may be employees within your company, or they may be external users such as suppliers
and contractors.
Data security tasks include, but are not limited to:
• Regulating which users have access to your systems or networks based on their roles, groups,
and projects.

• Preventing unauthorized access, modification, or deletion of your data.

• Optimizing user access to relevant data.

When you use Access Controls to manage users' access to your company's data, you can:
• Quickly deactivate and reactivate rules using the Active parameter.

• Control the length of access by creating a condition that determines how long the objects are
accessible.

• Evaluate your security model using the Access tab. This tab allows you to view and filter your
rules to determine who can perform what actions for a role/group/project combination.

You control access by defining and applying:


• Rules
• Conditions
• Operation groups and operations

After you have installed the application, the ACCESS CONTROLS tile displays on the Active
Workspace home page.
After defining data access, you and your end users can view object permissions for any selected
object from the Access tab. Initially, you must configure the Active Workspace stylesheet to include
the Access tab and set Business Modeler IDE conditions.

Features of Access Controls

Access Controls provides many advantages over Access Manager for managing access to data:


Simplified access rule model
    • Rules are in a flat list, enabling you to focus on a specific rule without the need to
      consider rule precedence or order of rule evaluation.
    • Access is denied by default.
    • Use operation groups to grant access to an entire group of actions, achieving simplified
      rule configuration with fewer rules.

Simplified administration in the Active Workspace client
    Manage rules, conditions, and operation groups in the Active Workspace client. The intuitive
    interface includes filters to search access rules, so you can analyze your security model
    faster.

Create and manage new conditions
    Add and manage new conditions using the Active Workspace client.

Granular and extensible access control
    Extend access control using meta model operations, such as Revise, SaveAs, or any custom
    operation. In addition, you can write your own condition logic to suit your business
    security needs.

What are Access Controls rules?


Access Controls rules conditionally permit a user to perform an action on an object (for
example, an Item).

How do I view Access Controls rules?


You can view the Access Controls rules by selecting the Rules page in the Access Controls location.
You can change the sort order of the rules by tapping or clicking a column heading and selecting
ascending or descending order. For example, you can sort by Accessor.
To quickly locate access rules of interest on the Rules page, you can filter Access Controls rules
based on Object Type, Operation, Condition, Accessor Type, and Active by clicking Search Filters.

Note
When the number of rules in the database exceeds 100, not all rules may be searchable
using Search Filters. Siemens PLM Software recommends that you change the sort order
to locate the specific rule.

Create, modify, or delete Access Controls rules


Create a rule
Out-of-the-box access rules are included with Teamcenter. In addition to the default access rules,
you can add your own access rules.
1. Click New > Add Access Rule to display the Add Rule panel.


2. Add values for the following parameters:

   Object Type
       Select the type of the object for which the rule is valid, for example, Item.
   Accessor Type
       Select the accessor type, for example, Role_In_Project.
   Accessor
       If required, select the accessor, for example, Designer in Project1.
   Condition
       Select the condition, for example, isTrue. If the condition requires an argument, the
       Condition Argument value must be populated.
   Condition Argument
       If required, select the condition argument.
   Operation
       Select the operation or operation group for which the rule is valid, for example, READ.
       Operations include legacy Access Manager access privileges and Access Controls-enabled
       meta model operations. An example of an operation group is Author_Group, which may
       consist of READ, WRITE, DELETE, and DEMOTE.
   Category
       Select the category of the rule, which is a means of classifying rules:
       • Operation: Specifies regular rules.
       • Object: Specifies access rights to a specific object. Migrated rules from Access
         Manager object ACL rules belong to this category.
       • Workflow: Controls access to objects in a workflow. Migrated rules from Access
         Manager Workflow ACL rules belong to this category.
   Description
       (Optional) Type a description of the rule. For rules migrated from the AM rule tree,
       this field is populated with a value that came from the rule tree.
   Active
       The new rule is active by default and is enforced, so it is included in the access
       evaluation. Uncheck the box to deactivate the rule. Non-active rules are not enforced
       at runtime.


3. Click Add.

Modify a rule
To modify the parameters of a specific rule, do the following:
1. Select the access rule you want to modify.

2. Click Access Rule Information to display the properties of the selected rule.

3. Click Edit and modify the fields.

4. Click Save.

Delete a rule

Caution
If you delete an access rule and it is the only rule that grants the affected users a privilege
on the specified objects, that access is lost.
Instead, you can set the rule to inactive by unchecking the Active checkbox.

There are cases where you may want to delete an Access Controls rule. For example, if you
created a rule and you find you need to make access less restrictive, then you can delete the rule
and create a new one.
1. Select the access rule you want to delete.

2. Click Edit > Delete Access Rule.


A message appears to confirm you want to delete the rule.

3. Click the Delete button to delete the rule.

What are Access Controls conditions?


Conditions are conditional statements that resolve to true or false based on the evaluation of an
expression. Rules use conditions to describe the types of objects to which the rules apply.

How do I view my conditions?


You can view conditions using the Conditions sublocation on the Access Controls page.
By default, the conditions are displayed in the List with Summary view. You can change the view to
Table view to see the three fields associated with the conditions:

   Name
       Name of the condition, which is unique.
   Description
       Describes the condition.
   Expression
       Expression that evaluates to either true or false. The expression includes equivalence
       relationships, such as equal, not equal, greater than, less than, and can also include
       references to other functions.


Create, modify, or delete Access Controls conditions


Create a condition

Out-of-the-box access conditions are included with Teamcenter. You can add your own access
conditions.
1. In the Access Controls application Condition page, click New > Add Condition to display
the Add panel.

2. Add values for the following parameters:

   Name
       Type the name of the condition, for example, complex_condition.
   Description
       (Optional) Type a description of the condition.
   Object Type
       Select the business object type to which this condition will apply, for example,
       WorkspaceObject.
   Argument Type
       (Optional) Select the argument type: String, Integer, Character, Boolean, or None.
   Argument Type LOV
       Select from the list of values the argument value to include in your expression.
   Signature
       Review the signature resulting from the entries for the preceding parameters.
   Expression Element
       Select Expression 1 to display the Add Expression Element dialog box and enter the
       expression that this function evaluates. The expression, which evaluates to either
       true or false, includes equivalence relationships, for example, equals (=), not
       equals (!=), greater than (>), less than (<), and references to other functions.

3. In Append With, select an operator, either AND or OR.

4. Select Expression 2 to add a second expression.

5. Click Add to save the complex condition that you have created.

Modify a condition

1. Select the condition you want to modify.

2. Click Condition Information .

3. Click Edit and modify the fields.

4. Click Save.


Delete a condition

Note
You cannot delete a condition that is used by another condition, rule, or operation group.

1. Select the condition you want to delete.

2. Click Edit > Delete Condition.


A message, Condition will be deleted, displays at the bottom of the screen.

3. Click Delete to delete the selected condition.

What are Access Controls operation groups?


Operations are actions a user can perform with an object in Teamcenter. An operation is identified
by a three-gear icon.

An operation group is a set of operations or operation groups that share common characteristics.
Grouping operations simplifies rule definition by allowing you to write rules that address an entire set
of user actions. An operation group is identified by a three-gear icon within a folder.

How do I view operations and operation groups?

You can view the operations and operation groups using the Access Controls application
Operations page.
You can view these in different views, for example, List with Summary and Images.

Create, modify, or delete Access Controls operation groups


Create an operation group

In addition to the out-of-the-box operations, you can add your own operation groups.


Note
Currently, Teamcenter supports two types of operations, one for processing single objects
and one for processing multiple objects. Siemens PLM Software recommends grouping each
fnd0-prefixed operation with its corresponding operation and using the combined group
when defining your rules. For example:
• Create an operation group, Revise_Group, that contains both the Revise and the
  fnd0Revise operations.

• Create an operation group, SaveAs_Group, that contains both the SaveAs and the
  fnd0SaveAs operations.

1. Click New > Add Operation Group to display the Add panel.

2. Add values for the following parameters:

   Name
       Type the name of the operation group, for example, Author_Group.
   Description
       (Optional) Type a description of the operation group in the Description box.
   Members
       Select members from the operations and operation groups dropdown list, for example,
       the READ, WRITE, and DELETE operations.

3. Click Add.
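The rule model this chapter describes, as an added Python example rather than Teamcenter code: a flat rule list evaluated with deny by default and no ordering, operation groups (including a nested one) expanded to the operations they cover, the Active flag honoured, and a compound condition built with AND/OR as in the Add Condition panel. It serves the rule, condition, and operation-group sections above. The condition functions (isOwner, hasStatus), the type hierarchy, the accessor-matching logic, the Super_Group group, and the sample rules and contexts are assumptions made for illustration, not out-of-the-box Teamcenter data.

```python
"""Toy model of the Access Controls rule model: a flat, order-independent rule
list, deny by default, operation groups that expand to operations, and single or
AND/OR compound conditions. Added example, not Teamcenter code; names are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

# Operation groups may contain operations or other groups. Author_Group and
# Revise_Group follow the page's examples; Super_Group (assumed) only shows nesting.
OPERATION_GROUPS: Dict[str, List[str]] = {
    "Author_Group": ["READ", "WRITE", "DELETE", "DEMOTE"],
    "Revise_Group": ["Revise", "fnd0Revise"],
    "Super_Group": ["Author_Group", "Revise_Group"],
}
# Assumed type hierarchy so a rule on WorkspaceObject also covers its subtypes.
PARENT_TYPE = {"Item": "WorkspaceObject", "ItemRevision": "WorkspaceObject"}

def expand_operations(name: str, seen: Optional[Set[str]] = None) -> FrozenSet[str]:
    """Flatten an operation or operation group into the operations it covers."""
    seen = set() if seen is None else seen
    if name in seen:                    # a group that (indirectly) contains itself
        return frozenset()
    seen.add(name)
    if name not in OPERATION_GROUPS:    # a plain operation
        return frozenset({name})
    ops: Set[str] = set()
    for member in OPERATION_GROUPS[name]:
        ops |= expand_operations(member, seen)
    return frozenset(ops)

def is_a(obj_type: str, rule_type: str) -> bool:
    """True when obj_type equals rule_type or is one of its subtypes."""
    current: Optional[str] = obj_type
    while current is not None and current != rule_type:
        current = PARENT_TYPE.get(current)
    return current == rule_type

@dataclass
class Context:
    user: str
    group: str
    role: str
    project: Optional[str]
    obj: dict  # e.g. {"type": "Item", "owning_user": "ed", "release_status": ()}

# A condition receives the context and the rule's Condition Argument.
Condition = Callable[[Context, Optional[str]], bool]
CONDITIONS: Dict[str, Condition] = {
    "isTrue": lambda ctx, arg: True,
    "isOwner": lambda ctx, arg: ctx.obj.get("owning_user") == ctx.user,
    "hasStatus": lambda ctx, arg: arg in ctx.obj.get("release_status", ()),
}

def compound(operator: str, *names: str) -> Condition:
    """Combine conditions as 'Expression 1' <Append With AND/OR> 'Expression 2'."""
    parts = [CONDITIONS[n] for n in names]
    combine = all if operator == "AND" else any
    return lambda ctx, arg: combine(p(ctx, arg) for p in parts)

CONDITIONS["owner_or_released"] = compound("OR", "isOwner", "hasStatus")

@dataclass
class Rule:
    object_type: str
    accessor_type: str         # World, User, Group or Role_In_Project
    accessor: Optional[str]    # e.g. "Designer in Project1"
    condition: str
    operation: str             # an operation or an operation group
    condition_argument: Optional[str] = None
    active: bool = True        # an inactive rule is not enforced

def accessor_matches(rule: Rule, ctx: Context) -> bool:
    if rule.accessor_type == "Role_In_Project":
        role, _, project = (rule.accessor or "").partition(" in ")
        return (role, project) == (ctx.role, ctx.project)
    expected = {"World": None, "User": ctx.user, "Group": ctx.group}
    return rule.accessor_type in expected and rule.accessor == expected[rule.accessor_type]

def granting_rules(rules: List[Rule], ctx: Context, operation: str) -> List[Rule]:
    """Active rules granting `operation` here: what the ASSOCIATED RULES view lists."""
    return [r for r in rules
            if r.active and operation in expand_operations(r.operation)
            and is_a(ctx.obj["type"], r.object_type) and accessor_matches(r, ctx)
            and CONDITIONS[r.condition](ctx, r.condition_argument)]

def is_granted(rules: List[Rule], ctx: Context, operation: str) -> bool:
    """Denied by default; one granting rule suffices, whatever the rule order."""
    return bool(granting_rules(rules, ctx, operation))

# Constructed sample rules and contexts (not from any real site).
RULES = [
    Rule("Item", "Role_In_Project", "Designer in Project1", "isTrue", "Author_Group"),
    Rule("WorkspaceObject", "World", None, "hasStatus", "READ", condition_argument="Released"),
    Rule("Item", "Group", "Engineering", "owner_or_released", "Revise_Group",
         condition_argument="Released"),
    Rule("Item", "World", None, "isTrue", "DELETE", active=False),  # deactivated rule
]
ED = Context("ed", "Engineering", "Designer", "Project1",
             {"type": "Item", "owning_user": "ed", "release_status": ()})
BOB = Context("bob", "Suppliers", "Contractor", None,
              {"type": "ItemRevision", "owning_user": "ed", "release_status": ("Released",)})
```

Because every rule is evaluated independently and only grants, reversing the list gives the same answer, and deactivating the World DELETE rule removes it from consideration without deleting it; `granting_rules` returns the rules behind a decision, which is what the ASSOCIATED RULES table on the Access tab shows.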

Modify an operation group


1. Select the operation group you want to modify.

2. Click Operation Information .

3. Click Edit and modify the fields.

4. Click Save.

Delete an operation group

Note
You cannot delete an operation group that is used by another condition or rule.

1. Select the operation group you want to delete.

2. Click Edit > Delete Operation Group.


A message, Operation Group will be deleted, displays at the bottom of the screen.


3. Click Delete.



Chapter 2: Installing Access Controls

Prerequisites for installing Access Controls


The following are prerequisites for installing the Access Controls feature:
• Teamcenter 12 or later.

• Active Workspace 4 or later.

• Deployment Center
You must use the latest available Deployment Center to install the Access Controls microservice
and dependencies. This centralized web application for deploying software to your Teamcenter
environments simplifies the process of installing software and automates the deployment.
For instructions on using Deployment Center, see the Deployment Center help collection
available on the Siemens PLM Software Doc Center.

• Docker (required for a Linux installation only)


You must have Docker installed on a Linux machine on which you can deploy the Access
Controls microservice.
For more information about the Docker prerequisite, see the Microservice Framework section
of the Deployment Center Guide.

• (For migration scenarios only) If you customized Teamcenter Access Manager codefully (in
  custom code) for custom conditions, accessor types, or privileges, you must create the
  corresponding Access Controls conditions, accessor types, and operations.

Note
For information about versions of operating systems, third-party software, and Teamcenter
software that are certified for your platform, refer to the Teamcenter Software Certifications
section of the hardware and software certifications page on GTAC.

Install the Access Controls Active Workspace application and the Microservice component

1. Ensure that prerequisites for installing Access Controls are met. Note that if you are installing on
Linux, Docker must be installed before installing Access Controls.

2. Log on to Deployment Center.

3. Click the SOFTWARE REPOSITORIES tile and verify availability in the software repository of the
Teamcenter Foundation, Active Workspace, and the Microservice Framework software kits.


For more information about Microservice Framework, see the Deployment Center Guide.

4. From the Deployment Center home page, click the ENVIRONMENTS tile to display the
environments in Deployment Center. Select the environment on which to install Access Controls.

Note
• In case you are creating a new environment, click the Add button on the
Environments page.

• You can register an existing environment to Deployment Center, as mentioned in


the Deployment Center Guide.

5. Click the Deploy Software tab.

a. In the Software task, select Active Workspace, Foundation, and Microservice Framework
from the Available Software list.

b. Click Update Selected Software to add them to the Selected Software list.

c. After the list updates, click Go to Options.

6. In the Options task, select the Distributed environment type and either the Java EE (default) or
the .NET architecture type. Click Save Environment Options.

Note
If you are installing on a Windows platform, you can select the Single Box environment
type.

7. In the Applications task, click Edit Selected Applications to open the Available
Applications list.

a. From the Available Applications list, select Access Controls and click Update Selected
Applications.

b. From the Selected Applications list, verify you have selected the applications you wish
to install.

8. Click Go to Components to display the Components task. Start configuring the individual
components and bring each component to a 100% complete status by supplying the required
settings for each.

While supplying settings, record values, such as installation paths, user names, and passwords,
for later reference.

• The following details are for configuring the Corporate Server component. When finished,
click Save Component Settings.


   Access Manager Rules to Access Controls Rules Migration
       If you are installing Access Controls in an existing Teamcenter environment, select
       this option to migrate your existing Access Manager rules to Access Controls. If you
       select the option, you can also choose to migrate your Workflow ACLs and object-based
       ACLs.

       Note
       Selecting this option runs the migrate_am_rules script, which is located in the
       TC_ROOT/bin directory. It also creates two additional scripts that you can use later
       in the migration process: load_migrated_am_rules and regen_ac_ops.

• The following details are for configuring the Microservice Node component. When finished,
click Save Component Settings.

Note
For information about configuring the Microservice Node component, refer to the
Microservice Framework documentation in the Deployment Center Guide.

   Number of Access Controls Service Instances to Run
       Enter the number of instances to run when you are on your Windows-based framework
       node.

       Note
       One instance is sufficient for Access Controls. However, you may see additional
       fields if you are installing additional microservices.

9. Once the configuration displays 100% complete in the Selected Components list, click Go to
Deploy to generate the install scripts.

10. In the Deploy task, click Generate Install Scripts to generate all the scripts necessary to install
the Teamcenter Active Workspace client and the microservice to your selected environment.

11. Copy the scripts to the target machine and run the scripts.
You must perform the following in particular for the microservice script:

a. Run the deployment script for the Access Controls microservice. As part of the microservice
Deployment Center deployment scripts, a microservice framework utility is invoked
to create signer_config information for both the microservice and the web tier. The
output of this utility puts files required by the web tier installation in the following location:
microservice-install-dir/web_tier/signer_config.


b. As instructed by the deployment script, copy the signer_config directory to the root of the
Deployment Center installation folder of the web tier host machine.

c. Run the deployment script for the web tier.

Perform the post-installation steps to complete the Access Controls installation.

Post-install Access Controls steps


After installing Access Controls as described in Install the Access Controls Active Workspace
application and the Microservice component, perform the following steps to complete the installation
of Access Controls.
1. Start the Access Controls microservice.
Windows systems:
On a Windows microservice node, all microservice processes are started by the Microservice
Manager. For details about starting the Microservice Framework, see the Starting the Microservice
Manager (Windows only) section of the Microservice Framework section of the Deployment Center
Guide.

Linux systems:
The Docker Compose files start the Access Controls Admin Service microservice container and
the other framework containers. The containers are installed in the folder specified in Deployment
Center by the Container Configuration Path field for the Microservice component. This folder is
referred to as installation_path.
The following steps start the Docker container for the Access Controls Admin Service, as well as
containers for two supporting services: Service Dispatcher and Eureka Server.

Tip
As part of the Access Controls Admin Microservice deployment, Deployment Center looks up
the IP address of the Teamcenter database so that the microservice can communicate with
it. In complex network situations, this lookup may fail. The address is held in the
-Doar.tc.db.server=IP-address setting in the Environment section of the
access_controls-version.yml file; if that value is not correct, update it with the correct
IP address of the Teamcenter database.

a. Open a command window and run cd installation_path/container.

b. Ensure Docker Swarm is initialized by running docker swarm init.

c. Run the following commands, where my_stack represents the name assigned to the Docker
stack. You can choose any meaningful name; however, the same name must be used for
both commands. This name can be used to stop and control the stack.


docker stack deploy -c tc_microservice_framework.yml my_stack
docker stack deploy -c access_controls-version.yml my_stack

To confirm these three containers are running, use the docker ps command. If you configured
Docker to start when the system boots, the most recently deployed Docker stack is deployed
automatically at that time.
After issuing these Access Controls microservice commands, it can take a minute or two for the
Access Controls microservice to become available.
You can stop the Access Controls microservice using the docker stack rm my_stack command.

2. Regenerate Access Controls operations.


If you are not migrating Access Manager rules, default operations must be regenerated.
Regenerate the default operations using the ac_data_loader utility.

Example
ac_data_loader -u=acadmin
-pf=C:\PROGRA~1\Siemens\TEAMCE~1\security\myenv_acadmin.pwf
-g=dba -msUrl=http://dockerhost:9090/acadmin/v1/general/regenerate

3. Turn on Access Controls mode.


Set the TC_enable_access_control site preference to true in the rich client.

Manually migrate your existing Access Manager rules


You can use the following procedure to manually migrate Access Manager rules to Access Controls
rules. The Access Manager rules can come from an exported file or from the current environment.
1. Run the am2ac_rule_converter command line utility to convert the hierarchical Access Manager
rules to flat Access Controls rules.

Example
The following command migrates Access Manager rules, including workflow and object
ACL references, into Access Controls rules. The new Access Controls rules are in the
ac_rules.txt under the output directory. The new Access Controls functions are in the
ac_functions.txt file under the output directory.
am2ac_rule_converter -u=acadmin -p=pw_acadmin -g=dba
-outputDir=output-directory -format=CSV -rule_category=all
-honor_am_default_grant=true
-add_mm_operation_rule=true -generate_report=true

Siemens PLM Software provides the migrate_am_rules script in the TC_ROOT/bin directory
if you migrate your rules manually.
This utility produces a migration report, am2ac_migration_report.


Your migration report shows how the Access Manager rules are migrated into Access Controls
rules. The AM rule tree is displayed on the left side; migrated Access Controls rules, Access
Controls conditions, and accessor types are displayed on the right side. The report also shows
how each individual Access Manager rule is converted into Access Controls rules. Each
granting rule is converted into one or more Access Controls rules. Each deny rule, if needed, is
incorporated into the condition expression of Access Controls rules from subsequent AM rules.
If there is no granting Access Manager rule from an ACL table, there is no Access Controls
rule generated from the Access Manager rule.

Example
If you click on an access control list (ACL) name, for example, Signoff (Index 29), the
Access Controls entries are displayed on the right side of the report. The Access
Controls Entries table contains the list of accessors and the privileges granted,
denied, or not set for each accessor. The Access Controls rules and referenced
conditions that are created from this Access Manager rule are displayed below the
Access Controls Entries table.
Notice that Signoff has five operation access rules that were created and two
referenced conditions.

2. Review your created Access Controls rules, conditions, and accessor types.
Use the right-hand side of your migration report, Access Controls: Rules, to view
the Access Controls rules, conditions, and accessor types that were generated by the
am2ac_rule_converter utility.

2-6 Access Controls AW022 12.2


Installing Access Controls

3. Use the microservice utility, ac_data_loader, to load your default functions and your custom
functions and rules into the database.
Siemens PLM Software provides the load_migrated_am_rules script in the TC_ROOT/bin
directory if you need to run this to manually migrate your rules.
To load your custom rules and functions, run the following command:

ac_data_loader -u=user-ID -p=password -load -clearAll \


-functionFile=custom_ac_functions_file_path \
-ruleFile=custom_ac_rules_file_path \
-loadBaseFunctions=true \
-msUrl=microservicesURL

Note
• Obtain the microservicesURL value from the Microservice component in
Deployment Center. For example:
-msUrl=http://host:port/oaradmin/v1/general/regenerate

• If you experience difficulty with your migration and need to regenerate, use the
  regen_ac_ops script in the TC_ROOT/bin directory.



Chapter 3: Verify and test Access Controls rules
with am_rule_test_harness

Before releasing Teamcenter into production, it is a best practice to test access rules. This ensures
users have access to data and are able to perform tasks. It also ensures no users are granted access
to data or can perform a task that they should not perform.
You can use the am_rule_test_harness utility to search for specified objects and evaluate whether
operations are granted or denied for a given user, group, and role combination.
1. Define the search criteria in a test input XML file, which specifies the user, group, role
combination, project, and object. This is followed by the operations, for example, READ, WRITE,
and DELETE, and the expected result (Grant or Deny).

Note
• The format for the search criteria is:
  className{attrib1=value1,attrib2=value2...}

• Only single-value attributes, including those from parent classes, are supported.

• The following special characters cannot be used in a class name, attribute name, or
  attribute value: { } = ,

• Wildcard characters are supported and defined by the TC_pattern_match_style
  preference.

• The attribute value for a date range must be in the following format:
  creation_date=\"start-date to end-date

  For example, to specify objects created from 01 June to 20 June:
  creation_date=\"01-Jun-2016 00:00 to 20-Jun-2016 04:00

• For the input XML file, user_id, group, and role values are mandatory. Only
the project value is optional.
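The search-criteria syntax from the note above, implemented as an added Python example (not part of am_rule_test_harness or any Siemens code): it parses className{attr=value,...}, rejects the forbidden characters and duplicate (multi-valued) attributes, and turns a creation_date value into a checked date range, so an input file can be validated before the harness is run. The handling of the leading \" before the date range, and the sample criteria, are assumptions made for this example.

```python
"""Parser and validator for the am_rule_test_harness search-criteria syntax
className{attr1=value1,attr2=value2,...}. Added example, not Siemens code; it
applies only the constraints the documentation states."""
import re
from datetime import datetime
from typing import Dict, Tuple, Union

FORBIDDEN = set("{}=,")            # not allowed in class name, attribute name or value
DATE_FORMAT = "%d-%b-%Y %H:%M"     # the documented 01-Jun-2016 00:00 form
DateRange = Tuple[datetime, datetime]
Attributes = Dict[str, Union[str, DateRange]]


def parse_date_range(value: str) -> DateRange:
    """Parse 'start-date to end-date'. The documentation writes the value with a
    leading \\" (an escaped quote); stripping it is an assumption made here."""
    value = value.strip().lstrip("\\").lstrip('"').rstrip('"')
    start, sep, end = value.partition(" to ")
    if not sep:
        raise ValueError(f"date range must be 'start to end': {value!r}")
    first, last = (datetime.strptime(s.strip(), DATE_FORMAT) for s in (start, end))
    if last < first:
        raise ValueError(f"date range ends before it starts: {value!r}")
    return first, last


def parse_search_criteria(text: str) -> Tuple[str, Attributes]:
    """Return (className, {attribute: value}); raise ValueError on malformed input."""
    match = re.fullmatch(r"\s*([^{}=,\s]+)\{(.*)\}\s*", text, re.DOTALL)
    if not match:
        raise ValueError(f"expected className{{attr=value,...}}: {text!r}")
    class_name, body = match.group(1), match.group(2)
    attributes: Attributes = {}
    for pair in (p for p in body.split(",") if p.strip()):
        name, eq, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        if not eq or not name or not value:
            raise ValueError(f"attribute must be name=value: {pair!r}")
        if FORBIDDEN & set(name) or FORBIDDEN & set(value):  # a stray '{', '}' or '='
            raise ValueError(f"forbidden character in {pair!r}")
        if name in attributes:
            raise ValueError(f"duplicate attribute {name!r}: only single-value attributes")
        # Wildcards in plain values pass through untouched; Teamcenter interprets them
        # according to TC_pattern_match_style. Only creation_date is parsed as a range.
        attributes[name] = parse_date_range(value) if name == "creation_date" else value
    return class_name, attributes


def is_valid_criteria(text: str) -> bool:
    """Pre-check one search-criteria entry before writing it into the input XML file."""
    try:
        parse_search_criteria(text)
        return True
    except ValueError:
        return False


# Constructed sample criteria, mirroring the documented forms.
SAMPLES = [
    "Item{item_id=000123,object_name=Bracket*}",
    'ItemRevision{creation_date=\\"01-Jun-2016 00:00 to 20-Jun-2016 04:00}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", parse_search_criteria(sample))
```

A malformed entry such as Item{a=b=c} fails fast here rather than producing a harness run that silently matches no objects and reports nothing useful.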

Example
Your test input file will resemble the following:


2. Run the am_rule_test_harness utility.

Example

am_rule_test_harness -u=johnadmin -p=passjohn -g=dba
    -inputFile=C:\inputDir\am_rule_test_harness_sample_input.xml
    -outputDir=C:\output

3. Open the output HTML report.

4. To display the test results, click the Access Controls tile.

5. Analyze the generated output report Access Controls Rules: Operation Test Results.
If the report indicates that corrections need to be made, correct the rules and rerun the
am_rule_test_harness utility.


Example
In the following example report, two operation tests failed. Select one of the failed tests
to see the detailed status showing the reason the test failed.



Chapter 4: Using the Access tab

Viewing access rights


Users can view access rights on a selected object in Active Workspace by clicking the Access tab.

Note
The ACCESS tab is not enabled by default. For instructions on enabling the Access
tab, see Adding the Access tab.

The tab contains three sections.

Access rights context
    Filters for user, group, role, and project define the context in which user rights to the
    currently selected object are evaluated. Initially, the filters are set to the current user
    session context. You (and those users who have been granted permission by means of BMIDE
    conditions) can use the lists to select another combination of user, group, role, and
    project for which you want to view the associated access rights for the currently selected
    object. Changes to these lists are applied when you click Show Access Rights.
ACCESS RIGHTS
    Lists the operations granted to the filtered combination of user, group, role, and project.
ASSOCIATED RULES
    Lists the rules associated with the given object and selected operation.

Example
In this example, user Ed can view his access rights and associated rules for his role as
designer in the Engineering group working on a passenger aircraft project. Here Ed can
see what rule grants him copy privileges for item revisions on which he is working.


Adding the Access tab


By default, the Access tab is not available. To add the Access tab, edit the style sheet registered to
the summary view for the type of object to which you wish to add the Access tab.
1. Open the style sheet registered to the summary view for the type of object to which you wish to
add the Access tab.

Example
For an item revision, the default summary style sheet is Awp0ItemRevSummary.

2. Add the following line as shown in the example.


<inject type="dataset" src="Oar1ItemRevSummary" />


Setting BMIDE conditions


Once you add the Access tab, you can allow users to view their associated rights and access rules on objects by setting two BMIDE conditions, Fnd0OARCanSeeAccessDetails and Fnd0OARCanSeeOthersAccess. The four combinations behave as follows.

Fnd0OARCanSeeAccessDetails = 0, Fnd0OARCanSeeOthersAccess = 0
Filter behavior: Only the currently logged-on user's information is displayed. The user is not able to change to any other values.
ASSOCIATED RULES table: Hidden.

Fnd0OARCanSeeAccessDetails = 0, Fnd0OARCanSeeOthersAccess = 1
Filter behavior: The user can filter for any permutation of user/group/role/project in the system.
ASSOCIATED RULES table: Hidden.

Fnd0OARCanSeeAccessDetails = 1, Fnd0OARCanSeeOthersAccess = 0
Filter behavior: Only the currently logged-on user's information is displayed.
ASSOCIATED RULES table: Visible, with details of the operation selected in the ACCESS RIGHTS table.

Fnd0OARCanSeeAccessDetails = 1, Fnd0OARCanSeeOthersAccess = 1
Filter behavior: The user can filter for any permutation of user/group/role/project in the system.
ASSOCIATED RULES table: Visible, with details of the operation selected in the ACCESS RIGHTS table.

Because a user for whom Fnd0OARCanSeeOthersAccess evaluates to true can inspect the effective rights of any other user, group, role and project combination on an object, scope that condition to the administrators who need it.



Appendix A: Best practices

Clear object indexing


Immediately after switching from Access Manager to Access Controls mode, clear object indexing
for the objects in Access Manager mode and re-index in Access Controls mode. Following are
guidelines. For more details on indexing, refer to object indexing documentation.
Run the following utilities using the Teamcenter command prompt (TC_ROOT\TcFTSIndexer\bin):
• To clear the indexing data in Access Manager mode:
runTcFTSIndexer.bat -task=objdata:clear

• To index the data in Access Controls mode:
runTcFTSIndexer.bat -task=objdata:index

• To keep indexing the newly created/modified objects with an interval of 120 seconds:
runTcFTSIndexer.bat -task=objdata:sync -interval=120



Appendix B: Migrate custom conditions and accessor types

If you customized Teamcenter Access Manager codefully for custom conditions, accessor types, or
privileges, you can migrate these customizations to Access Controls with minimal effort.
1. Identify existing custom conditions and accessor types.
If you know which custom Access Manager (AM) conditions and accessor types exist in your system, you can add them to Access Controls conditions and accessor types directly. The migration process also identifies any custom AM conditions and accessor types that you have not listed, and lets you list them for migration.

2. Add custom conditions and accessor types as base Access Controls functions.
For each identified custom condition and accessor type, add an entry to the Base Access
Controls Functions file, TC_DATA/base_oar_functions.txt. Following are example entries.

# Access Controls function for an AM condition that took an argument
0|0|OAR_Function_Name|_evaluate_am_condition('custom_am_condition_name', ARG_1)|1||Target Data|target_object_type|description
# Access Controls function for an AM accessor type that took an argument
0|0|OAR_Function_Name|_evaluate_am_accessor('custom_am_accessor_type_name', ARG_1)|1||User Session|target_object_type|description
# Access Controls function for an AM condition that did not take an argument
0|0|OAR_Function_Name|_evaluate_am_condition('custom_am_condition_name')|0||Target Data|target_object_type|description
# Access Controls function for an AM accessor type that did not take an argument
0|0|OAR_Function_Name|_evaluate_am_accessor('custom_am_accessor_type_name')|0||User Session|target_object_type|description

The custom_am_condition_name and custom_am_accessor_type_name values must match the names as they exist in Access Manager. The OAR_Function_Name value is the unique name of the matching Access Controls function for the associated Access Manager condition or accessor type. The name must:
• Be unique.
• Not exceed 128 characters.
• Contain only letters and underscores.
• Not begin with an underscore.

The target_object_type value specifies the business object type of target objects with the AM condition or accessor type. Use this when performing attribute comparisons in Access Controls. Migrated rules use the specified target object type value. If you don't know the target object type, use POM_object for the value. A blank value for the target object type defaults to POM_object.




For more details on the field mapping in this file, check the header row.

3. Run the migration.


Now that you have listed the custom conditions and accessor types, the migration utility can
use them in migrating AM rules into Access Controls rules if they are referenced in AM rules.
If you accidentally skip any custom conditions or accessor types, a warning displays indicating
the translation is not complete when running the am2ac_rule_converter migration utility. In
this case, repeat steps 1 and 2 for the missing AM conditions and accessor types, and then
re-attempt the migration.
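As an added example (not part of the Siemens documentation or of the am2ac_rule_converter utility), the following Python script checks a base_oar_functions.txt fragment against the OAR_Function_Name rules listed in step 2 before the migration is run, so that a bad entry is caught here rather than as a translation warning. The field positions, the reading of the fifth field as the number of ARG_n placeholders, and the sample entries are assumptions taken from the example entries above; the header row of your actual TC_DATA/base_oar_functions.txt is authoritative.

```python
import re

# Documented constraints on OAR_Function_Name: unique, at most 128 characters,
# letters and underscores only, not beginning with an underscore.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z_]*$")
NAME_MAX = 128
# Assumed field positions, read off the example entries (0-based after splitting on '|').
F_NAME, F_EXPR, F_ARGS, F_SCOPE, F_TARGET = 2, 3, 4, 6, 7
SCOPES = {"Target Data", "User Session"}
EXPR_RE = re.compile(r"^_evaluate_am_(condition|accessor)\('[^']+'((?:,\s*ARG_\d+)*)\)$")

# Constructed sample entries; '#' lines are treated as comments (assumption).
SAMPLE_GOOD = """
# Access Controls function for an AM condition that took an argument
0|0|Is_Released_Design|_evaluate_am_condition('CustomReleased', ARG_1)|1||Target Data|ItemRevision|Custom AM condition with one argument
# Access Controls function for an AM accessor type without an argument
0|0|Is_Project_Lead|_evaluate_am_accessor('ProjectLead')|0||User Session||Custom AM accessor type, target defaults to POM_object
"""
SAMPLE_BAD = SAMPLE_GOOD + """
0|0|Is_Released_Design|_evaluate_am_condition('Other')|0||Target Data|POM_object|duplicate function name
0|0|_Bad_Name|_evaluate_am_condition('X', ARG_1)|0||Target Data|POM_object|leading underscore and wrong argument count
0|0|Bad2Name|_evaluate_am_accessor('Y')|0||Everywhere|POM_object|digit in name and unknown scope
"""


def parse_entries(text):
    """Yield (line_no, fields) for each entry; blank lines and '#' comments are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line.split("|")


def effective_target(fields):
    """A blank target object type defaults to POM_object, as the text states."""
    return fields[F_TARGET] or "POM_object"


def validate(text):
    """Return a list of problem strings; an empty list means every entry is well-formed."""
    problems, seen = [], set()
    for n, f in parse_entries(text):
        if len(f) < 9:
            problems.append(f"line {n}: expected 9 pipe-separated fields, got {len(f)}")
            continue
        name, expr, scope = f[F_NAME], f[F_EXPR], f[F_SCOPE]
        if not NAME_RE.match(name):
            problems.append(f"line {n}: bad name {name!r} (letters/underscores, no leading '_')")
        elif len(name) > NAME_MAX:
            problems.append(f"line {n}: name {name!r} exceeds {NAME_MAX} characters")
        if name in seen:
            problems.append(f"line {n}: duplicate name {name!r}")
        seen.add(name)
        m = EXPR_RE.match(expr)
        if not m:
            problems.append(f"line {n}: unrecognised expression {expr!r}")
        else:
            # Assumption: the fifth field counts the ARG_n placeholders in the expression.
            n_args = len(re.findall(r"ARG_\d+", m.group(2)))
            if str(n_args) != f[F_ARGS]:
                problems.append(f"line {n}: {n_args} ARG_n placeholder(s) but field says {f[F_ARGS]!r}")
        if scope not in SCOPES:
            problems.append(f"line {n}: unknown scope {scope!r}")
    return problems


if __name__ == "__main__":
    for p in validate(SAMPLE_BAD) or ["no problems found"]:
        print(p)
```

Run it against a copy of your own file before step 3; every line it reports would otherwise surface as an incomplete-translation warning from am2ac_rule_converter.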

Simplifying condition expressions

After running the am2ac_rule_converter migration utility, you can review the migrated Access
Controls rules using the migration report.
Since prior Access Manager deny rules are honored through negation clauses in Access Controls
rules, Access Controls conditions could be complicated. If a condition expression has a primary
non-negation clause and a negation clause, and the primary non-negation clause and negation
clause are mutually exclusive, then you can remove the negation clause without compromising
the access rule.

Example
Consider the condition expression Has_Status('') AND !(Has_Class('SavedSearch')). If
Has_Status('') is true for a target object, Has_Class('SavedSearch') must be false for
the same object. Therefore, Has_Status('') and Has_Class('SavedSearch') are mutually
exclusive, and the negation clause can never change the outcome of the conjunction. To
simplify the expression without compromising the access rule, you can remove
!(Has_Class('SavedSearch')) from the expression.

1. Review the complex condition expressions.

2. Identify mutual exclusive relations between Access Manager conditions.

3. Add the mutual exclusive relations to the am_condition_information.xml file under $TC_DATA.

4. Rerun the migration utility.

The new output file will contain simplified condition expressions.
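An added example, not from the page or from the migration utility: a small Python routine that applies the simplification rule above to a flat conjunction. The mutually exclusive pairs are hard-coded as an assumption because the schema of am_condition_information.xml is not shown here. Only conjuncts joined by a top-level AND are considered; a negation clause is dropped only when some positive clause in the same conjunction is mutually exclusive with it, which is the one case in which removal cannot widen access.

```python
# Mutually exclusive pairs of Access Manager conditions (assumed; in Teamcenter these
# relations live in $TC_DATA/am_condition_information.xml).
EXCLUSIVE = {
    frozenset({"Has_Status('')", "Has_Class('SavedSearch')"}),
}


def split_conjuncts(expr):
    """Split a condition expression on top-level ' AND ', respecting parentheses."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(expr):
        c = expr[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif depth == 0 and expr.startswith(" AND ", i):
            parts.append(expr[start:i].strip())
            i += len(" AND ")
            start = i
            continue
        i += 1
    parts.append(expr[start:].strip())
    return parts


def simplify(expr, exclusive=EXCLUSIVE):
    """Drop !(B) from 'A AND !(B) AND ...' whenever A and B are mutually exclusive.

    A AND !(B) with A, B mutually exclusive equals A: if A holds, B cannot, so !(B)
    is always true in that conjunction. Negations with no excluding positive clause
    are kept unchanged, as is anything that is not a negation.
    """
    conjuncts = split_conjuncts(expr)
    positive = [p for p in conjuncts if not p.startswith("!(")]
    kept = []
    for p in conjuncts:
        if p.startswith("!(") and p.endswith(")"):
            inner = p[2:-1]
            if any(frozenset({inner, q}) in exclusive for q in positive):
                continue  # redundant negation: a positive clause already rules inner out
        kept.append(p)
    return " AND ".join(kept)


if __name__ == "__main__":
    print(simplify("Has_Status('') AND !(Has_Class('SavedSearch'))"))
```

Review each simplified expression in the migration report before accepting it: the routine trusts the exclusivity pairs it is given, so a wrong pair would remove a negation that still matters.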



Appendix C: Access Controls conditions

Access conditions by group


The following table lists the access conditions by category. Click a condition to learn more about it.

Administrative

HAS_BYPASS: Specifies whether the user has bypass privileges set. Bypass privilege supersedes other privileges.

General

HAS_ATTRIBUTE: Specifies an attribute and value associated with a particular class.
HAS_CLASS: Specifies an object class. The object is evaluated to determine if it is of the specified class.
HAS_CLASSIFICATION: Validates the custom classification attribute value of the object against the value specified for the condition.
HAS_DESCRIPTION: Specifies a description for the object. The object is evaluated to determine whether the description matches this value.
HAS_DIGITAL_SIGNATURE: Specifies whether a business object has a digital signature of the specified status.
HAS_FORM_ATTRIBUTE: Enables access control of items and item revisions by setting conditions on attributes of the Masterform class.
HAS_ITEM_ID: Specifies an item ID against which the item is evaluated.
HAS_ITEM_KEY: Specifies a multifield key identifier against which the item is evaluated.
HAS_NAME: Specifies a name against which the object is evaluated.
HAS_OBJECT_ACL: Specifies that an ACL is associated with an object. This condition does not expect an ACL attached to a rule. It is a placeholder that indicates the point at which process ACLs and object ACLs are applied in the rule tree hierarchy.
HAS_PROPERTY: Specifies the value of a compound property against which an object is evaluated.
HAS_STATUS: Specifies the status type against which the object is evaluated.
HAS_TYPE: Specifies the object type against which the object is evaluated.
INACTIVE_SEQUENCE: Specifies that previous sequences are historical and cannot be worked on independently. The latest sequence is always the working sequence for the revision.
    Note: This condition is used in conjunction with the Inactive Sequence Objects ACL.
IN_JOB: Specifies whether the target object is in a workflow job (process). This condition does not expect an ACL attached to a rule. It is a placeholder that indicates the point at which workflow ACLs are applied in the rule tree hierarchy.
    Note: No subbranches can be added below the In Job branch in the Access Manager rule tree.
IS_ARCHIVED: Specifies that the object's archive status is evaluated.




IS_LOCAL: Specifies whether the object's residence in the local database is evaluated. This condition is used when Multi-Site Collaboration is implemented.
IS_SPONSORED_MODE: Checks whether the Teamcenter session is in sponsored mode. It enables end users to configure rules to enforce data access control when the Teamcenter session is launched in sponsored mode.
SITE_GEOGRAPHY: Checks whether the given geography matches the geography of the site being evaluated.
USER_HAS_DIGITAL_SIGNATURE: Specifies whether a business object has a digital signature of the specified status in the context of the logged-on user.

Ownership/Accessor based

CURRENT_GROUP_IS: Checks the current logged-on group that is set in the session. It enables end users to configure access rules for the Sponsor group.
IS_GA: Specifies whether the user's status as a group administrator in the current group is evaluated.
IS_SA: Specifies whether the user's system administration group membership is evaluated.
OWNING_GROUP: Evaluates whether the object is owned by the group under which the user is logged on to Teamcenter.
OWNING_GROUP_HAS_SECURITY: Evaluates whether the owning group of the object has a security string. This condition is true only if the security value of the owning group is equal to the value of this condition.
OWNING_SITE: Evaluates whether the object is owned by the specified site. This condition is used when Multi-Site Collaboration is implemented.
OWNING_USER: Evaluates whether the object is owned by the specified user.

Incremental Change

IN_IC_CONTEXT: Enables structure edits (occurrence edits, occurrence notes, transform edits, and attachment edits) to be controlled by the Structure Manager, Manufacturing Process Planner, Multi-Structure Manager, or Part Planner application.

Project

IN_CURRENT_PROJECT: Specifies the project ID against which the object is evaluated.
    Note: This rule is not delivered with the default installation of Teamcenter. It must be added manually.
IN_PROJECT: Specifies a project to which the object must be assigned.
IS_PROJECT_MEMBER: Specifies whether the user's membership in the project is evaluated. This condition is only true when the user is a current member of the project.
HAS_PROJECT_OF_CATEGORY: Checks whether the workspace object being evaluated has any project assigned of the given category.

Program

IN_CURRENT_PROGRAM: Specifies access based on whether the program to which the data is assigned is the current program under which the user is logged on to Teamcenter.
IN_INACTIVE_PROGRAM: Controls access to data based on whether the status of the owning program is inactive.
IN_INVISIBLE_PROGRAM: Controls access to data based on whether the status of the owning program is invisible.
IS_OWNED_BY_PROGRAM: Controls access to data based on whether data is owned by the program specified as a value for the Is Owned By Program condition.
IS_PROGRAM_MEMBER: Specifies whether the user's membership in the program is evaluated. This condition is only true when the user is a member of the owning program or a shared program.

General Authorized data access (ADA) licenses

ADA_LICENSE_HAS_CITIZENSHIP: Checks whether the ADA license being evaluated has the given citizenship.




CITIZENSHIP_ON_ANY_ADA_LIC: Checks whether the citizenship of the user being evaluated matches any of the citizenships applied to the ADA licenses attached to the workspace objects.
HAS_ADA_LICENSE_OF_CATEGORY: Checks whether the workspace object being evaluated has any ADA license of the given category.
HAS_NAMED_ADA_LICENSE: Checks whether a specific ADA license is attached to the workspace objects being evaluated.
USER_IN_ATTACH_ADA_LIC_OF_CTGRY: Checks whether the user being evaluated is listed in the ADA license attached to the workspace objects. The given category must match that on the ADA license.
USER_IN_ATTACHED_LICENSE: Checks whether the user being evaluated is listed on any or all of the ADA licenses attached to the workspace objects.
USER_IN_LICENSE: Verifies that the user being evaluated is listed in the ADA license.
USER_IN_NAMED_LICENSE: Checks whether the user being evaluated is listed on an ADA license of the specified name. It does not check if the license is attached to the workspace objects being evaluated.
USER-ADA_LIC_HAS_CITIZENSHIP: Checks whether the user's citizenship matches the passed-in value and then sees if the user's citizenship is on any of the ADA licenses attached to the workspace object being evaluated.

International Traffic in Arms Regulations (ITAR)

CITIZENSHIP_ON_ANY_ITAR_LIC: Checks whether a citizenship of the user being evaluated matches any of the citizenships applied to the ITAR licenses attached to the workspace objects.
GROUP_NATIONALITY: Checks whether the given nationality matches the group nationality.
HAS_GOVERNMENT_CLASSIFICATION: Validates the government classification attribute value of the workspace object against the value specified for the condition.
HAS_ITAR_LICENSE_OF_CATEGORY: Checks whether the workspace object being evaluated has any ITAR license of the given category.
HAS_NAMED_ITAR_LICENSE: Checks whether a specific ITAR license is attached to the workspace objects being evaluated.
HAS_NO_GOVERNMENT_CLASSIFICATION: Checks if there is no government classification value on the workspace object.
ITAR_LICENSE_HAS_CITIZENSHIP: Checks whether the ITAR license being evaluated has the given citizenship.
SITE_GEOGRAPHY: Checks whether the given geography matches the geography of the site being evaluated.
USER_CITIZENSHIP: Checks whether the given citizenship matches the citizenships of the user being evaluated.
USER_CITIZENSHIP_OR_NATIONALITY: Checks whether the given citizenship matches the citizenship or nationality of the user being evaluated.
USER_GEOGRAPHY: Checks whether the given geography matches the geography of the user being evaluated.
USER_HAS_GOVERNMENT_CLEARANCE: Checks whether the government classification level of the user being evaluated is equal to, greater than, or less than the value specified in the condition.
USER_IN_ATTACH_ITAR_LIC_OF_CTGRY: Checks whether the user being evaluated is listed in the ITAR licenses attached to the workspace objects. The given category must match that on the ITAR license.
USER_IN_ATTACHED_ITAR_LICENSE: Checks whether the user being evaluated is listed on any or all of the ITAR licenses attached to the workspace objects.
USER_IN_NAMED_ITAR_LICENSE: Checks whether the user being evaluated is listed on an ITAR license of the specified name. It does not check if the license is attached to the workspace objects being evaluated.
USER_IS_ITAR_LICENSED: Checks whether the user currently logged on is cited in a valid (not expired) ITAR license attached to the workspace object either directly or by membership in a cited organization (group).
USER_NATIONALITY: Checks whether the given nationality matches the nationality of the user being evaluated.
USER_TTC_EXPIRED: Checks whether the current date is later than the technology transfer certification (TTC) date on the User object.
USER-ITAR_LIC_HAS_CITIZENSHIP: Checks whether the user's citizenship matches the passed-in value and then sees if the user's citizenship is on any of the ITAR licenses attached to the workspace object being evaluated.

Intellectual property (IP) license




CITIZENSHIP_ON_ANY_IP_LIC: Checks whether the citizenship of the user being evaluated matches any of the citizenships applied to the IP licenses attached to the workspace objects.
HAS_IP_CLASSIFICATION: Checks whether the IP classification of the workspace object being evaluated is equal to, greater than, or less than the value specified in the condition.
HAS_IP_LICENSE_OF_CATEGORY: Checks whether the workspace object being evaluated has any IP license of the given category.
HAS_NAMED_IP_LICENSE: Checks whether a specific IP license is attached to the workspace objects being evaluated.
HAS_NO_IP_CLASSIFICATION: Checks whether the workspace object does not have a value specified in the IP classification attribute.
IP_LICENSE_HAS_CITIZENSHIP: Checks whether the IP license being evaluated has the given citizenship.
USER_HAS_IP_CLEARANCE: Checks whether the IP clearance level of the user being evaluated is equal to, greater than, or less than the value specified in the condition.
USER_IN_ATTACH_IP_LIC_OF_CTGRY: Checks whether the user being evaluated is listed in the IP license attached to the workspace objects. The given category must match that on the IP license.
USER_IN_ATTACHED_IP_LICENSE: Checks whether the user being evaluated is listed on any or all of the IP licenses attached to the workspace objects.
USER_IN_NAMED_IP_LICENSE: Checks whether the user being evaluated is listed on an IP license of the specified name. It does not check if the license is attached to the workspace objects being evaluated.
USER_IS_IP_LICENSED: Checks whether the user being evaluated is listed on an IP license attached to the workspace object.
USER-IP_LIC_HAS_CITIZENSHIP: Checks whether the user's citizenship matches the passed-in value and then sees if the user's citizenship is on any of the IP licenses attached to the workspace object being evaluated.

Exclude licenses

CITIZENSHIP_ON_ANY_EXCLUDE_LIC: Checks whether the citizenship of the user being evaluated matches any of the citizenships applied to the exclude licenses attached to the workspace objects.
EXCLUDE_LICENSE_HAS_CITIZENSHIP: Checks whether the exclude license being evaluated has the given citizenship.
HAS_EXCLUDE_LICENSE_OF_CATEGORY: Checks whether the workspace object being evaluated has any exclude license of the given category.
HAS_NAMED_EXCLUDE_LICENSE: Checks whether a specific exclude license is attached to the workspace objects being evaluated.
USER_IN_ATTACH_EXCL_LIC_OF_CTGRY: Checks whether the user being evaluated is listed in the exclude license attached to the workspace objects. The given category must match that on the exclude license.
USER_IN_ATTACHED_EXCLUDE_LICENSE: Checks whether the user being evaluated is listed on any or all of the exclude licenses attached to the workspace objects.
USER_IN_NAMED_EXCLUDE_LICENSE: Checks whether the user being evaluated is listed on an exclude license of the specified name. It does not check if the license is attached to the workspace objects being evaluated.
USER_IS_EXCLUDED: Checks whether the user being evaluated is listed on an exclude license attached to the workspace object.
USER-EXCLUDE_LIC_HAS_CITIZENSHIP: Checks whether the user's citizenship matches the passed-in value and then sees if the user's citizenship is on any of the exclude licenses attached to the workspace object being evaluated.




ADA_LICENSE_HAS_CITIZENSHIP

CATEGORY
License by Category
DESCRIPTION
Checks whether the ADA license being evaluated has the given citizenship.

Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.

CONDITION
EVALUATION
true If any of the citizenships of the ADA license being evaluated
match the specified citizenship, the condition evaluates to true.
false If none of the citizenships of the ADA license being evaluated
match the specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
(Custom License:citizenship) Two-character ISO 3166 code identifying a country.
This condition accepts negation using a minus (–) prefix. For example, –IR means
that the license being evaluated must not carry an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.




CITIZENSHIP_ON_ANY_ADA_LIC

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether any or all of the citizenships of the user being evaluated matches any
of the citizenships on the ADA licenses attached to the workspace objects.

Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.

CONDITION
EVALUATION
true
• If set to Any, the condition evaluates to true if any citizenship of the user being evaluated matches the user citizenships applied to any nonexpired ADA licenses attached to the workspace object being evaluated.
• If set to All, the condition evaluates to true if all of the citizenships listed for the user being evaluated are found on any nonexpired ADA licenses. Each of the user's citizenships must be on at least one of the nonexpired ADA licenses but does not have to be on each nonexpired ADA license.
false
• If set to Any, the condition evaluates to false if none of the citizenships of the user being evaluated match the user citizenships applied to any nonexpired ADA license attached to the workspace object being evaluated.
• If set to All, the condition evaluates to false if at least one of the citizenships listed for the user being evaluated is not found on any nonexpired ADA licenses.
INPUT
ARGUMENTS
• Any
• All
• (Custom License:{Any|All})

BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:

• Any workspace object.




RELATED
RULE
CONDITIONS
• CITIZENSHIP_ON_ANY_EXCLUDE_LIC

• CITIZENSHIP_ON_ANY_IP_LIC

• CITIZENSHIP_ON_ANY_ITAR_LIC




CITIZENSHIP_ON_ANY_EXCLUDE_LIC

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the citizenship of the user being evaluated matches any of the
citizenships applied to the exclude licenses attached to the workspace objects.

Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.

CONDITION
EVALUATION
true
• If set to Any, the condition evaluates to true if any citizenship of the user being evaluated matches the user citizenships applied to any of the nonexpired exclude licenses attached to the workspace object being evaluated.
• If set to All, the condition evaluates to true if all of the citizenships of the user being evaluated match any of the user citizenships applied to the nonexpired exclude licenses attached to the workspace object being evaluated. Each of the user citizenships must be on at least one of the nonexpired exclude licenses but does not have to be on each nonexpired exclude license.
false
• If set to Any, the condition evaluates to false if none of the citizenships of the user being evaluated matches the user citizenships applied to any of the nonexpired exclude licenses attached to the workspace object being evaluated.
• If set to All, the condition evaluates to false if at least one of the citizenships of the user being evaluated is not found on any of the nonexpired exclude licenses attached to the workspace object being evaluated.
INPUT
ARGUMENTS
Any or All
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
RELATED
RULE
CONDITIONS
• CITIZENSHIP_ON_ANY_ADA_LIC




• CITIZENSHIP_ON_ANY_IP_LIC

• CITIZENSHIP_ON_ANY_ITAR_LIC




CITIZENSHIP_ON_ANY_IP_LIC

CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks whether any or all of the citizenships of the user being evaluated matches any
of the citizenships on the IP licenses attached to the workspace objects.

Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.

CONDITION
EVALUATION
true
• If set to Any, the condition evaluates to true if any citizenship of the user being evaluated matches the user citizenships applied to any of the nonexpired IP licenses attached to the workspace objects.
• If set to All, the condition evaluates to true if all of the citizenships of the user being evaluated match the user citizenships of any nonexpired IP licenses attached to the workspace objects. Each of the user citizenships must be on at least one of the nonexpired IP licenses but does not have to be on each nonexpired IP license.
false
• If set to Any, the condition evaluates to false if none of the citizenships of the user being evaluated match the user citizenships applied to any of the nonexpired IP licenses attached to the workspace object being evaluated.
• If set to All, the condition evaluates to false if at least one of the citizenships of the user being evaluated is not found on any nonexpired IP licenses.
INPUT
ARGUMENTS
Any or All
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
RELATED
RULE
CONDITIONS
• CITIZENSHIP_ON_ANY_ADA_LIC

• CITIZENSHIP_ON_ANY_EXCLUDE_LIC




• CITIZENSHIP_ON_ANY_ITAR_LIC




CITIZENSHIP_ON_ANY_ITAR_LIC

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether a citizenship of the user being evaluated matches any of the
citizenships applied to the ITAR licenses attached to the workspace objects.

Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.

CONDITION
EVALUATION
true
• If set to Any, the condition evaluates to true if any citizenship of the user being evaluated matches the user citizenships applied to any of the nonexpired ITAR licenses attached to the workspace objects.
• If set to All, the condition evaluates to true if all of the citizenships of the user being evaluated are found on any of the nonexpired ITAR licenses attached to the workspace objects. Each of the user citizenships must be on at least one of the nonexpired ITAR licenses but does not have to be on each nonexpired ITAR license.
• If none of the nonexpired ITAR licenses attached to the workspace objects have user citizenships applied, the condition evaluates to true. This is the one case in which the condition is satisfied without any citizenship match, so verify that every ITAR license you attach carries the citizenships you intend to enforce.
false
• If set to Any, the condition evaluates to false if none of the citizenships of the user being evaluated matches the user citizenships applied to any nonexpired ITAR license attached to the workspace object being evaluated.
• If set to All, the condition evaluates to false if at least one of the citizenships of the user being evaluated is not found on any nonexpired ITAR licenses.
INPUT
ARGUMENTS
Any or All
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:

• Any workspace object.




RELATED
RULE
CONDITIONS
• CITIZENSHIP_ON_ANY_ADA_LIC

• CITIZENSHIP_ON_ANY_EXCLUDE_LIC

• CITIZENSHIP_ON_ANY_IP_LIC
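The Any/All evaluation described for CITIZENSHIP_ON_ANY_ADA_LIC and CITIZENSHIP_ON_ANY_ITAR_LIC above, written out as an added Python example. This is not Teamcenter code; the License class, the sample licenses and the rule that a license expiring today is still valid are constructed here. The unrestricted_is_true flag reproduces the extra ITAR sentence (no nonexpired license carries a citizenship, so the condition is true) and is off by default, because the ADA, IP and exclude variants do not state that behaviour.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class License:
    """Constructed stand-in for an ADA/ITAR license attached to a workspace object."""
    name: str
    citizenships: frozenset = field(default_factory=frozenset)  # ISO 3166 alpha-2 codes
    expires: Optional[date] = None                              # None: no expiry date

    def nonexpired(self, today):
        # Assumption: a license that expires today is still valid today.
        return self.expires is None or self.expires >= today


def citizenship_on_any_lic(user_citizenships, licenses, mode, today, unrestricted_is_true=False):
    """Evaluate CITIZENSHIP_ON_ANY_*_LIC for one user against the licenses on an object.

    mode is the condition's input argument, "Any" or "All". Expired licenses are
    ignored throughout. With unrestricted_is_true, the ITAR wording applies: if no
    nonexpired license carries any citizenship (including the case with no
    nonexpired license at all, an assumption), the condition is true.
    """
    if mode not in ("Any", "All"):
        raise ValueError(f"mode must be 'Any' or 'All', got {mode!r}")
    user = {c.upper() for c in user_citizenships}
    pool = set()                                   # citizenships on all nonexpired licenses
    for lic in licenses:
        if lic.nonexpired(today):
            pool |= {c.upper() for c in lic.citizenships}
    if not pool:
        return unrestricted_is_true
    if mode == "Any":
        return bool(user & pool)
    # "All": every user citizenship must be on at least one nonexpired license, not
    # necessarily the same one. A user with no citizenships gets False: an assumption
    # made here to fail closed; the page does not cover that case.
    return bool(user) and user <= pool


# Constructed sample data.
TODAY = date(2024, 1, 15)
LIC_DE = License("ITAR-DE", frozenset({"DE"}), date(2030, 1, 1))
LIC_FR_EXPIRED = License("ITAR-FR", frozenset({"FR"}), date(2020, 1, 1))
LIC_FR = License("ITAR-FR-2", frozenset({"FR"}))
LIC_UNRESTRICTED = License("ITAR-OPEN")            # attached, but no citizenship applied

if __name__ == "__main__":
    for mode in ("Any", "All"):
        print(mode, citizenship_on_any_lic(["DE", "FR"], [LIC_DE, LIC_FR_EXPIRED], mode, TODAY))
```

The expired FR license is what separates Any from All for a dual DE/FR citizen: Any passes on DE alone, All fails because FR is only on the expired license.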




CURRENT_GROUP_IS

CATEGORY
General
DESCRIPTION
Checks the current logged-on group that is set in the session. It enables end users to
configure access rules for the Sponsor group.

Note
This condition applies to the current logged-on user only. This does not
apply to a given user and group that are different from the logged-on user
group.

INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_SPONSORED_MODE




EXCLUDE_LICENSE_HAS_CITIZENSHIP

CATEGORY
License by Category
DESCRIPTION
Checks whether the exclude license being evaluated has the given citizenship.

Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.

CONDITION
EVALUATION
true If any of the citizenships of the exclude license being evaluated
match the specified citizenship, the condition evaluates to true.
false If none of the citizenships of the exclude license being evaluated
match the specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 code identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the exclude license must not carry an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.




GROUP_NATIONALITY

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given nationality matches the group nationality.
INPUT
ARGUMENTS
nationality Two-character ISO 3166 codes identifying the nationality of the
group or organization.
This condition accepts negation using a minus (–) prefix. For
example, –us indicates any user belonging to a group not from
the U.S.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to classified data.
RELATED
RULE
CONDITIONS
• USER_NATIONALITY




HAS_ADA_LICENSE_OF_CATEGORY

CATEGORY
License by Category
DESCRIPTION
Checks if any type of Authorized Data Access (ADA) license with the specified
category is attached to the workspace object being evaluated.
CONDITION
EVALUATION
true If there is any type of ADA license with the specified category
attached to the workspace object, this condition evaluates to
true.
false If there is no ADA license with the specified category or if the
license exists but is not attached to the workspace object, the
condition evaluates to false.
INPUT
ARGUMENTS
(Custom A string identifying the category of the license.
License:license_category)
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.

EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• HAS_EXCLUDE_LICENSE_OF_CATEGORY

• HAS_IP_LICENSE_OF_CATEGORY

• HAS_ITAR_LICENSE_OF_CATEGORY




HAS_ATTRIBUTE

CATEGORY
Default
DESCRIPTION
Specifies an attribute and value associated with a particular class. The given attribute
should be a valid persistent attribute on the given class.
CONDITION
EVALUATION
If the given attribute does not exist on the class, the rule tree evaluates to false.
INPUT
ARGUMENTS
class:attribute=value

Note
This condition supports the != comparator. If != is used with the Has
Attribute rule tree condition, the condition evaluates to true if the value of
the specified attribute on the object under evaluation is not equal to the
value specified on the right-hand side of the != comparator. No other
comparator (<, >, <=, or >=) is supported.

class The class of the object for which you set the rule.
attribute The attribute of the class. Supported attribute types include:
• POM_string (string)

• POM_int (integer)

• POM_float (float)

• POM_logical (logical)

• POM_untyped_reference (reference)

• POM_external_reference (reference)

• POM_typed_reference (reference)

value The value for which the attribute is evaluated. value can contain
wild cards.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• All subtypes of POM_object
EXAMPLE
The following shows how to use the Has Attribute condition with single-tag reference
attributes, in this case, owning_organization and owning_project:

Has Attribute (WorkspaceObject:owning_project=1) -> TestACL


Has Attribute (Item:owning_organization=1) -> TestACL

The following example shows how to use the Has Attribute condition with a string
attribute:

Has Attribute(Item:object_name=test*)

The following example shows how to use the Has Attribute condition with a reference
attribute:

Has Attribute(Item:owning_organization=1)

• A value of 1 in the argument indicates that the condition expects the attribute
value to be a nonnull (nonzero) value.

• A value of 0 in the argument indicates that the condition expects the attribute
value to be a null_tag value.

• Do not use any string values. Only use 0 or 1.

The following example shows how to use the Has Attribute condition with an integer
attribute:

Has Attribute(WorkspaceObject:revision_number=2)

BEST
PRACTICES
FOR RULES
• All the strings used in the rule tree are internal values.

• Blank spaces are not allowed in the rule syntax.

• Logical values must be either 0 (false) or 1 (true).

• References can only be checked for a null_tag (0) or nonnull (nonzero) value.

• Has Attribute supports only single value attributes. Attributes with variable-length
arrays (VLAs) are not supported.

• Has Attribute does not support array attributes.

• Has Attribute supports the persistent attributes on the class.

• Do not use Has Attribute with compound properties or with types.
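
The Has Attribute rules listed above, as an added worked example (not Teamcenter code and not the parser Access Manager itself uses): a small Python evaluator that applies the documented semantics to a constructed object model. The PomObject class, its class-ancestry list, the attribute-to-POM-type map and the sample item are assumptions made for the example. The behaviour implemented is only what this entry states: class:attribute=value with an optional != comparator, wildcards in string values, references and logicals tested only as 0 or 1, a missing attribute evaluating to false, and blank spaces rejected.

```python
"""Evaluator for the documented Has Attribute argument syntax.

Added illustration, not Teamcenter code. The PomObject model and the
sample item are constructed for this example.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List

REFERENCE_TYPES = {"POM_untyped_reference", "POM_external_reference", "POM_typed_reference"}
NUMERIC_TYPES = {"POM_int", "POM_float"}

# class:attribute followed by = or != and the value; blank spaces are rejected separately
ARGUMENT = re.compile(r"^(\w+):(\w+)(!=|=)(.*)$")


@dataclass
class PomObject:
    """Constructed stand-in for a persistent object: class ancestry plus typed attributes."""
    ancestry: List[str]                                   # most specific class first
    attrs: Dict[str, Any] = field(default_factory=dict)   # attribute name -> value (None = null_tag)
    types: Dict[str, str] = field(default_factory=dict)   # attribute name -> POM type name


def parse_argument(arg: str):
    """Split 'class:attribute=value' (or '!=') into parts, enforcing the no-spaces rule."""
    if " " in arg:
        raise ValueError("blank spaces are not allowed in the rule syntax: %r" % arg)
    match = ARGUMENT.match(arg)
    if not match:
        raise ValueError("expected class:attribute=value or class:attribute!=value: %r" % arg)
    return match.groups()


def has_attribute(obj: PomObject, arg: str) -> bool:
    """Evaluate one Has Attribute argument against an object."""
    cls, attr, comparator, wanted = parse_argument(arg)
    if cls not in obj.ancestry:
        return False                      # rule is scoped to the named class and its subclasses
    if attr not in obj.types:
        return False                      # attribute does not exist on the class -> false
    kind = obj.types[attr]
    actual = obj.attrs.get(attr)

    if kind in REFERENCE_TYPES:
        if wanted not in ("0", "1"):
            raise ValueError("references can only be checked for 0 (null_tag) or 1 (non-null), got %r" % wanted)
        matched = (actual is not None) == (wanted == "1")
    elif kind == "POM_logical":
        if wanted not in ("0", "1"):
            raise ValueError("logical values must be 0 (false) or 1 (true), got %r" % wanted)
        matched = bool(actual) == (wanted == "1")
    elif kind == "POM_string":
        # internal values are compared; * and ? act as wildcards
        matched = actual is not None and fnmatch.fnmatchcase(str(actual), wanted)
    elif kind in NUMERIC_TYPES:
        try:
            matched = actual is not None and float(actual) == float(wanted)
        except ValueError:
            matched = False               # non-numeric value text never matches a number
    else:
        raise ValueError("unsupported attribute type %s (VLAs and arrays are not supported)" % kind)

    return (not matched) if comparator == "!=" else matched


# Constructed sample: an Item whose owning_project reference is null.
SAMPLE_ITEM = PomObject(
    ancestry=["Item", "WorkspaceObject", "POM_object"],
    attrs={"object_name": "test_bracket", "owning_organization": "tag:ORG-1",
           "owning_project": None, "revision_number": 2, "is_released": False},
    types={"object_name": "POM_string", "owning_organization": "POM_typed_reference",
           "owning_project": "POM_typed_reference", "revision_number": "POM_int",
           "is_released": "POM_logical"},
)

if __name__ == "__main__":
    for rule in ("Item:object_name=test*", "Item:owning_organization=1",
                 "WorkspaceObject:owning_project=1", "WorkspaceObject:owning_project=0",
                 "Item:object_name!=test*", "Dataset:object_name=test*"):
        print("%-40s %s" % (rule, has_attribute(SAMPLE_ITEM, rule)))
```

Running the module prints the evaluation of the rules from this entry against the sample item. Note that WorkspaceObject:owning_project=1 is false for the sample because its owning_project reference is null, so the same object satisfies =0; a rule that passes a tag value instead of 0 or 1 is rejected rather than silently evaluating to false.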


RELATED
RULE
CONDITIONS
• HAS_CLASS

• HAS_TYPE

• HAS_PROPERTY

HAS_BYPASS

CATEGORY
Administrative
DESCRIPTION
Specifies whether the user has bypass privileges set. Bypass privilege supersedes
other privileges.
CONDITION
EVALUATION
true If the user has bypass privileges, evaluates to true.
false If the user does not have bypass privileges, evaluates to false.
INPUT
ARGUMENTS
true or false

HAS_CLASS

CATEGORY
Default
DESCRIPTION
Specifies an object class. The object is evaluated to determine if it is of the specified
class.
INPUT
ARGUMENTS
class-name
GOOD RULE
PRACTICES
Do not use wildcard characters with the Has Class condition. For example, do not use
Has Class (Des*). Has Class requires full and correct class names.
RELATED
RULE
CONDITIONS
• HAS_ATTRIBUTE

• HAS_TYPE

• HAS_PROPERTY

HAS_CLASSIFICATION

CATEGORY
General
DESCRIPTION
Validates the custom classification attribute value of the object against the value
specified for the condition.
INPUT
ARGUMENTS
Custom Classification Property Name{operator}Custom Classification attribute value
EXAMPLE
EAR_classification>=EAR_highest
RELATED
RULE
CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION

• HAS_IP_CLASSIFICATION

HAS_DESCRIPTION

CATEGORY
General
DESCRIPTION
Specifies a description for the object. The object is evaluated to determine whether the
description matches this value.
CONDITION
EVALUATION
true Evaluates to true if the description of the object matches the
specified description.
false In all other cases, it evaluates to false.
INPUT
ARGUMENTS
text-string Text of the description to be evaluated.

Note
The description value can contain wildcard characters.

RELATED
RULE
CONDITIONS
• HAS_FORM_ATTRIBUTE

• HAS_ITEM_ID

• HAS_NAME

HAS_DIGITAL_SIGNATURE

CATEGORY
General
DESCRIPTION
Specifies whether a business object has a digital signature of the specified status.
CONDITION
EVALUATION
True Evaluates to True if the attached digital signature has specified
status.
False In all other cases, it evaluates to False.
INPUT
ARGUMENTS
Valid
Invalid
Propagated
Revoked
Voided

BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• POM_APPLICATION_OBJECT and its subtypes

Note
This condition is installed only if the digital signature schema is installed.

RELATED
RULE
CONDITIONS
• USER_HAS_DIGITAL_SIGNATURE

HAS_EXCLUDE_LICENSE_OF_CATEGORY

CATEGORY
License by Category
DESCRIPTION
Checks whether the workspace object being evaluated has any exclude license of
the given category.
CONDITION
EVALUATION
true If there is an exclude license with the specified category
attached to the workspace object, evaluates to true.
false If there is no exclude license with the specified category or if the
license exists but is not attached to the workspace object, the
condition evaluates to false.
INPUT
ARGUMENTS
license_category A string identifying the category of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.

EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• HAS_ADA_LICENSE_OF_CATEGORY

• HAS_IP_LICENSE_OF_CATEGORY

• HAS_ITAR_LICENSE_OF_CATEGORY

HAS_FORM_ATTRIBUTE

CATEGORY
General
DESCRIPTION
Enables access control of items and item revisions by setting conditions on attributes
of the Masterform class. This rule can be applied to the ItemRevisionMaster form to
control access to the item.

This rule can also be used to control write access to the properties of items and item
revisions, which in turn determine who can add or remove datasets associated with
the item or item revision through a Specification relation.

This rule cannot be used to control access to the datasets, and it cannot be applied
to user-defined forms. It should be added below the Working→Item Revision/Item
Rule rule in the rule tree.

Note
The way Access Manager evaluates Master forms does not follow the
normal rules. Master forms inherit access privileges from the parent item or
item revision, so if you change access privileges to an item or item revision
you affect the privileges on the Master form.
You can use the TC_MASTERFORM_DELEGATE environment variable to
change the default behavior.

INPUT
ARGUMENTS
form-storage-class:attribute=value

form-storage-class The storage class for the form type on which you set the rule.

attribute The attribute of the form. Supported attribute types are
POM_string, POM_int, and POM_double.

value The value for which the attribute is evaluated.

Note
Blank spaces are not allowed in the rule syntax.

RELATED
RULE
CONDITIONS
• HAS_DESCRIPTION

• HAS_ITEM_ID

• HAS_NAME

HAS_GOVERNMENT_CLASSIFICATION

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Validates the government classification attribute value of the object against the value
specified for the condition.
The operators can be used without a clearance value in which case the government
classification attribute of the object is compared to the user’s clearance level based on
the specified operator.

Note
If the object has no government classification attribute value, this rule does
not apply.

INPUT
ARGUMENTS
gov_classification_attribute Specific government classification attribute values that can be
prefixed by the following operators:
>
>=
<
<=
=

RELATED
RULE
CONDITIONS
• USER_HAS_GOVERNMENT_CLEARANCE

• USER_IS_EXCLUDED

• USER_IS_ITAR_LICENSED

HAS_IP_LICENSE_OF_CATEGORY

CATEGORY
License by Category
DESCRIPTION
Checks whether the workspace object being evaluated has any IP license of the given
category.
CONDITION
EVALUATION
true If there is an IP license with the specified category attached to
the workspace object, evaluates to true.
false If there is no IP license with the specified category or if the
license exists but is not attached to the workspace object, the
condition evaluates to false.
INPUT
ARGUMENTS
license_category A string identifying the category of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• HAS_ADA_LICENSE_OF_CATEGORY

• HAS_EXCLUDE_LICENSE_OF_CATEGORY

• HAS_ITAR_LICENSE_OF_CATEGORY

HAS_ITAR_LICENSE_OF_CATEGORY

CATEGORY
License by Category
DESCRIPTION
Checks whether the workspace object being evaluated has any ITAR license of the
given category.
CONDITION
EVALUATION
true If there is an ITAR license with the specified category attached
to the workspace object, evaluates to true.
false If there is no ITAR license with the specified category or if the
license exists but is not attached to the workspace object, the
condition evaluates to false.
INPUT
ARGUMENTS
license_category A string identifying the category of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• HAS_ADA_LICENSE_OF_CATEGORY

• HAS_EXCLUDE_LICENSE_OF_CATEGORY

• HAS_IP_LICENSE_OF_CATEGORY

HAS_ITEM_ID

CATEGORY
General
DESCRIPTION
Specifies an item ID against which the item is evaluated.
INPUT
ARGUMENTS
item-id
ID of the item.

Note
• The item ID value can contain wildcard characters.

• This condition can only be used on Item objects.

RELATED
RULE
CONDITIONS
• HAS_DESCRIPTION

• HAS_FORM_ATTRIBUTE

• HAS_NAME

HAS_ITEM_KEY

CATEGORY
General
DESCRIPTION
Specifies a multifield key identifier against which the item is evaluated. In a multifield
key environment, multifield key identifiers are assigned to each object to ensure their
uniqueness in the database.
For assistance obtaining the multifield key identifier defined for an item, use the
following utilities:
• get_key_definition, which obtains the MFK definition for a class.

• get_key_string, which obtains the key string for an item.

CONDITION
EVALUATION
true If the item key ID matches the multifield key of the item, it
evaluates to true.
false In all other cases, it evaluates to false.
INPUT
ARGUMENTS
item-key
Multifield key of the item.

Note
The item key value can contain wildcard characters.

BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Item or item revision

EXAMPLE
You have a multifield key environment set up so that an item and its related objects
have the same ID. You want to restrict access to the CAD data but allow access to the
associated Word document. Set up the Access Manager rule as follows.

Has Item Key ({item_id=Item001,object_type=msword})

World -> Read

The rule states that a user is allowed access if the item has a multifield key ID of
{item_id=Item001,object_type=msword}, with the World having read access.
RELATED
RULE
CONDITIONS
• HAS_ITEM_ID

HAS_NAME

CATEGORY
General
DESCRIPTION
Specifies a name against which the object is evaluated.
RELATED
RULE
CONDITIONS
• HAS_DESCRIPTION

• HAS_FORM_ATTRIBUTE

• HAS_ITEM_ID

HAS_NAMED_EXCLUDE_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the specified exclude license is attached to the workspace object
being evaluated.
CONDITION
EVALUATION
true If there is an exclude license corresponding to the license
ID and the license is attached to the workspace object, the
condition evaluates to true.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID ID of the license to be attached to the workspace object.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see HAS_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• HAS_NAMED_IP_LICENSE

• HAS_NAMED_ITAR_LICENSE

• HAS_NAMED_ADA_LICENSE

HAS_NAMED_IP_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether a specific intellectual property (IP) license is attached to the
workspace object being evaluated.
CONDITION
EVALUATION
true If there is an IP license corresponding to the license ID and
the license is attached to the workspace object, the condition
evaluates to true.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID The ID of the license to be attached to the workspace object.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see HAS_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• HAS_NAMED_EXCLUDE_LICENSE

• HAS_NAMED_ITAR_LICENSE

• HAS_NAMED_ADA_LICENSE

HAS_NAMED_ITAR_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the specified ITAR license is attached to the workspace object being
evaluated.
CONDITION
EVALUATION
true If there is an ITAR license corresponding to the license ID and
the license is attached to the workspace object, the condition
evaluates to true.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID ID of the license to be attached to the workspace object.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
The following Access Manager rule states that a user is allowed access if there is an
ITAR license by the name ITAR001 attached to an object, with the World having
read access:

Has Named ITAR License (ITAR001)

World -> Read

User1 is allowed access because there is an ITAR license ITAR001 attached to
Item001, as shown next. However, User1 is not allowed access to Item002 because
no ITAR001 license is attached to it.

RELATED
RULE
CONDITIONS
• HAS_NAMED_EXCLUDE_LICENSE

• HAS_NAMED_IP_LICENSE

• HAS_NAMED_ADA_LICENSE

HAS_NAMED_ADA_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the specified ADA license is attached to the workspace object being
evaluated.
CONDITION
EVALUATION
true If there is a license corresponding to the license ID and the
license is attached to the workspace object, the condition
evaluates to true.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
(Custom License:LicenseID) ID of the license to be attached to the workspace object.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see HAS_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• HAS_NAMED_EXCLUDE_LICENSE

• HAS_NAMED_IP_LICENSE

• HAS_NAMED_ITAR_LICENSE

HAS_NO_CLASSIFICATION

CATEGORY
General
DESCRIPTION
Matches if the object has a null value for the custom classification attribute.
INPUT
ARGUMENTS
Custom Classification Property Name
EXAMPLE
EAR_classification
RELATED
RULE
CONDITIONS
• HAS_NO_GOVERNMENT_CLASSIFICATION

• HAS_NO_IP_CLASSIFICATION

HAS_NO_GOVERNMENT_CLASSIFICATION

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Matches if the object has a null value for the government classification attribute.
RELATED
RULE
CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION

HAS_NO_STATUS

CATEGORY
Default
DESCRIPTION
Supports the negation for the existing Has Status rule tree condition.
CONDITION
EVALUATION
Condition evaluates to true if the object under evaluation does not have the defined
status.

HAS_NO_IP_CLASSIFICATION

CATEGORY
Intellectual property (IP)
DESCRIPTION
Checks whether the workspace object does not have a value specified in the IP
classification attribute.
RELATED
RULE
CONDITIONS
• USER_HAS_IP_CLEARANCE

• HAS_IP_CLASSIFICATION

• USER_IS_IP_LICENSED

HAS_OBJECT_ACL

CATEGORY
Default
DESCRIPTION
Specifies that an ACL is associated with an object. This condition does not expect an
ACL attached to a rule. It is a placeholder that indicates the point at which process
ACLs and object ACLs are applied in the rule tree hierarchy.
INPUT
ARGUMENTS
true or false
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

RELATED
RULE
CONDITIONS
• IN_JOB

HAS_PROPERTY

CATEGORY
Default
DESCRIPTION
Specifies the value of a compound property against which an object is evaluated.
INPUT
ARGUMENTS
The Has Property condition supports compound properties and persistent properties
on the business object type. It supports multi-value (VLA) properties.

Note
Has Property does not support the following property types:
• Runtime

• Relation

• Table

• Reference

Typename:prop_name=prop_value

Note
This condition supports the != comparator. If != is used with the Has
Property rule tree condition, the condition evaluates to true if the value of
the specified property on the object under evaluation is not equal to the
value specified on the right-hand side of the != comparator. No other
comparator (such as <, >, <=, or >=) is supported.

Typename The name of any business object.
prop_name The name of a compound property on the business object.
prop_value The value of the property against which the condition is
evaluated. Supported property types include:
• PROP_string (string) /PROP_note (short)

• PROP_char (character)

• PROP_int (integer)

• PROP_float (float)

• PROP_logical (logical)

• PROP_untyped_reference (reference)

• PROP_external_reference (reference)

• PROP_typed_reference (reference)

Note
• Property value can contain wild cards.

• All the strings used in the rule tree are internal values.

BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
The following example shows how to use the Has Property condition with a string
property:

Has Property(Item:<string_prop_name>=test*)

The following example shows how to use the Has Property condition with a reference
property:

Has Property(Item:<reference_prop_name>=1)

• A value of 1 in the argument indicates that the condition expects the attribute
value to be a nonnull (nonzero) value.

• A value of 0 in the argument indicates that the condition expects the attribute
value to be a null_tag value.

The following example shows how to use the Has Property condition with an integer
property:

Has Property(WorkspaceObject:<int_prop_name>=2)

The following example shows how to use the Has Property condition with a character
property:

Has Property(WorkspaceObject:<char_prop_name>='c')

RELATED
RULE
CONDITIONS
• HAS_ATTRIBUTE

• HAS_CLASS

• HAS_TYPE

HAS_STATUS

CATEGORY
Default
DESCRIPTION
Specifies the status type against which the object is evaluated.
INPUT
ARGUMENTS
status-name The release status to match. A null entry is accepted and matches all statuses (null=all).
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

RELATED
RULE
CONDITIONS
• HAS_TYPE

HAS_TYPE

CATEGORY
Default
DESCRIPTION
Specifies the object type against which the object is evaluated.
INPUT
ARGUMENTS
type-name The full object type.

Note
Do not use wildcard characters with the Has Type
condition. For example, do not use Has Type (Des*).
Has Type requires full and correct type names.

RELATED
RULE
CONDITIONS
• HAS_STATUS

IN_CURRENT_PROGRAM

CATEGORY
Program
DESCRIPTION
Specifies access based on whether the program to which the data is assigned is the
current program under which the user is logged on to Teamcenter.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_INACTIVE_PROGRAM

• IN_INVISIBLE_PROGRAM

• IS_OWNED_BY_PROGRAM

• IS_PROGRAM_MEMBER

IN_IC_CONTEXT

CATEGORY
Incremental Change
DESCRIPTION
Enables structure edits (occurrence edits, occurrence notes, transform edits, and
attachment edits) to be controlled by the Structure Manager, Manufacturing Process
Planner, Multi-Structure Manager, or Part Planner application. The rule does not
depend on the properties of the object.
When there is an active incremental change in the structure editor, the IC Context
(true) condition is satisfied and its associated ACL is applied.
INPUT
ARGUMENTS
true or false

Note
Always use the true value for this condition. The false value applies the
rule to all objects, regardless of whether structure edits are being made.

IN_INACTIVE_PROGRAM

CATEGORY
Program
DESCRIPTION
Controls access to data based on whether the status of the owning program is inactive.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROGRAM

• IN_INVISIBLE_PROGRAM

IN_INVISIBLE_PROGRAM

CATEGORY
Program
DESCRIPTION
Controls access to data based on whether the status of the owning program is
invisible.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROGRAM

• IN_INACTIVE_PROGRAM

• IS_OWNED_BY_PROGRAM

• IS_PROGRAM_MEMBER

IN_JOB

CATEGORY
Default
DESCRIPTION
Specifies whether the target object is in a workflow job (process). This condition does
not expect an ACL attached to a rule. It is a placeholder that indicates the point at
which workflow ACLs are applied in the rule tree hierarchy.

Note
No subbranches can be added below the In Job branch in the Access
Manager rule tree.

INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• HAS_OBJECT_ACL

IN_PROJECT

CATEGORY
Project
DESCRIPTION
Specifies a project to which the object must be assigned. The condition is evaluated
as being true when the active project to which the object is assigned matches the
project specified for this rule condition. If you use an empty string as the value for this
condition, the condition is deemed true if the object is assigned to any active project.
INPUT
ARGUMENTS
project-ID
The syntax for this rule is:
In Project (project-ID)-project_acl
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROJECT

• IS_PROJECT_MEMBER

INACTIVE_SEQUENCE

CATEGORY
General
DESCRIPTION
Specifies that previous sequences are historical and cannot be worked on
independently. The latest sequence is always the working sequence for the revision.

Note
This condition is used with the Inactive Sequence Objects ACL.

INPUT
ARGUMENTS
true or false

IP_LICENSE_HAS_CITIZENSHIP

CATEGORY
License by Category
DESCRIPTION
Checks whether the IP license being evaluated has the given citizenship.

Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.

CONDITION
EVALUATION
true If any of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to true.
false If none of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (-) prefix. For
example, -IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.

IS_ARCHIVED

CATEGORY
General
DESCRIPTION

Note
This rule condition is implemented to support a legacy feature that is now
obsolete. Siemens PLM Software does not recommend this rule condition
for new work.

Specifies that the object's archive status is evaluated.


INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_LOCAL

IN_CURRENT_PROJECT

CATEGORY
Project
DESCRIPTION
Specifies the project ID against which the object is evaluated. The condition is
evaluated as being true when the object is in the current active project of the logged-on
user, and the project ID of the current project matches the value for this condition.

Note
This rule is not delivered with the default installation of Teamcenter. It must
be added manually.

INPUT
ARGUMENTS
project-ID
The syntax for this rule is:
In Project (project-ID)-project_acl
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_PROJECT

• IS_PROJECT_MEMBER

IS_GA

CATEGORY
Ownership/Accessor based
DESCRIPTION
Specifies whether the user's status as a group administrator in the current group
is evaluated.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_SA

IS_LOCAL

CATEGORY
General
DESCRIPTION
Specifies whether the object's residence in the local database is evaluated. This
condition is used when Multi-Site Collaboration is implemented.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_ARCHIVED

IS_OWNED_BY_PROGRAM

CATEGORY
Program
DESCRIPTION
Controls access to data based on whether data is owned by the program specified as
a value for the Is Owned By Program condition.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROGRAM

• IN_INACTIVE_PROGRAM

• IN_INVISIBLE_PROGRAM

• IS_PROGRAM_MEMBER

IS_PROGRAM_MEMBER

CATEGORY
Program
DESCRIPTION
Specifies whether the user's membership in the program is evaluated.

Note
This does not apply to project team members who are inactive group
members.

CONDITION
EVALUATION
true Evaluates to true if the user is a member of the owning program
or a shared program.
false In all other cases, evaluates to false.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROGRAM

• IN_INACTIVE_PROGRAM

• IN_INVISIBLE_PROGRAM

IS_PROJECT_MEMBER

CATEGORY
Project
DESCRIPTION
Specifies whether the user's membership in the project is evaluated. This condition is
only true when the user is a current member of the project.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROJECT

• IN_PROJECT

• IS_OWNED_BY_PROGRAM

HAS_PROJECT_OF_CATEGORY

CATEGORY
Project
DESCRIPTION
Checks whether the workspace object being evaluated has any project assigned of
the given category.
CONDITION
EVALUATION
true Evaluates to true if a project with the specified category is
assigned to the workspace object.
false Evaluates to false if no project with the specified category is
assigned to the workspace object.
INPUT
ARGUMENTS
project_category, which is a string identifying the category of the project.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

RELATED
RULE
CONDITIONS
• IN_CURRENT_PROJECT

• IN_PROJECT

• IS_OWNED_BY_PROGRAM

IS_SA

CATEGORY
Ownership/Accessor based
DESCRIPTION
Specifies whether the user's system administration group membership is evaluated.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_GA

IS_SPONSORED_MODE

CATEGORY
General
DESCRIPTION
Checks whether the Teamcenter session is in sponsored mode. It enables end users
to configure rules to enforce data access control when the Teamcenter session is
launched in sponsored mode.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• CURRENT_GROUP_IS

ITAR_LICENSE_HAS_CITIZENSHIP

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the ITAR license being evaluated has the given citizenship.

Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.

CONDITION
EVALUATION
true If any of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to true.
false If none of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (-) prefix. For
example, -IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
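
The minus-prefix negation described for the nationality condition earlier in this appendix and for IP License Has Citizenship and ITAR License Has Citizenship, as an added worked example rather than Teamcenter code. It makes explicit the point that matters when a user holds several citizenships: -IR must mean that none of the user's citizenships is IR, not that the user has some citizenship other than IR. The two-letter code check and case-insensitive comparison are assumptions of the example; the user and group values are constructed.

```python
"""Citizenship / nationality matching with the documented minus-prefix negation.

Added illustration, not Teamcenter code. Codes are compared
case-insensitively here, which is an assumption of the example.
"""
import re
from typing import Iterable

# optional '-' for negation, then a two-letter ISO 3166 code
CODE = re.compile(r"^(-?)([A-Za-z]{2})$")


def parse_code(argument: str):
    """Return (negated, CODE) for arguments such as 'DE' or '-IR'."""
    match = CODE.match(argument.strip())
    if not match:
        raise ValueError("expected a two-letter ISO 3166 code, optionally prefixed with '-': %r" % argument)
    return match.group(1) == "-", match.group(2).upper()


def citizenship_matches(argument: str, citizenships: Iterable[str]) -> bool:
    """Evaluate one citizenship condition against a user's set of citizenships.

    Positive form: true if any citizenship matches.
    Negated form: true only if no citizenship matches. A user with no
    recorded citizenship therefore satisfies every negated condition, which
    is why a negation is normally paired with a positive condition.
    """
    negated, code = parse_code(argument)
    held = {c.upper() for c in citizenships}
    if negated:
        return code not in held
    return code in held


def nationality_matches(argument: str, group_nationality: str) -> bool:
    """Single-valued variant for a group's nationality, e.g. '-us' => any non-US group."""
    return citizenship_matches(argument, [group_nationality])


if __name__ == "__main__":
    dual_national = ["DE", "IR"]          # constructed user holding two citizenships
    print("DE  ->", citizenship_matches("DE", dual_national))    # True
    print("-IR ->", citizenship_matches("-IR", dual_national))   # False: one citizenship is IR
    print("-us ->", nationality_matches("-us", "DE"))           # True: group is not from the U.S.
```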

HAS_IP_CLASSIFICATION

CATEGORY
Intellectual property (IP)
DESCRIPTION
Validates the IP classification attribute value of the object against the value specified
for the condition.
The operators can be used without a clearance value; the IP classification attribute of
the object is compared to the user's clearance level based on the specified operator.

Note
• If the object has no IP classification attribute value, this rule does not
apply.

• This condition applies to an object that is IP classified, for example,
super-secret. To set the IP classification to super-secret:
1. Select the object and choose View→Properties.

2. Check out the object.

3. Select Show empty properties and set IP Classification to
super-secret.

4. Check in the object.

INPUT
ARGUMENTS
IP_classification_attributes Specific IP classification attribute values that can be prefixed by
the following operators:
>
>=
<
<=
=

RELATED
RULE
CONDITIONS
• USER_HAS_IP_CLEARANCE

• HAS_NO_IP_CLASSIFICATION

• USER_IS_IP_LICENSED


OWNING_GROUP

CATEGORY
Ownership/Accessor based
DESCRIPTION
Evaluates whether the object is owned by the group specified in the group-name
argument.
INPUT
ARGUMENTS
group-name
Wildcard characters can be used with the Owning Group condition to allow you to
define rules applying to a group and all its subgroups. For example, assume that the
Design group has two subgroups: Analysis.Design and Development.Design. By
defining a value for the Owning Group condition using a wildcard, you can define
a general rule to control access to all data owned by the Design group and its
subgroups, for example:

Owning Group (*Design) –> design_group_acl


EXAMPLE
For examples of managing group-level security, see Security Administration.
RELATED
RULE
CONDITIONS
• OWNING_GROUP_HAS_SECURITY

• OWNING_SITE

• OWNING_USER


OWNING_GROUP_HAS_SECURITY

CATEGORY
Ownership/Accessor based
DESCRIPTION
Evaluates whether the owning group of the object has a security string. This condition
is true only if the security value of the owning group is equal to the value of this
condition.
INPUT
ARGUMENTS
Internal or External
EXAMPLE
For examples of managing group-level security, see Security Administration.
RELATED
RULE
CONDITIONS
• OWNING_GROUP

• OWNING_SITE

• OWNING_USER


OWNING_SITE

CATEGORY
Ownership/Accessor based
DESCRIPTION
Evaluates whether the object is owned by the specified site. This condition is used
when Multi-Site Collaboration is implemented.
INPUT
ARGUMENTS
site-name
EXAMPLE
For examples of managing group-level security, see Security Administration.
RELATED
RULE
CONDITIONS
• OWNING_GROUP

• OWNING_GROUP_HAS_SECURITY

• OWNING_USER


OWNING_USER

CATEGORY
Ownership/Accessor based
DESCRIPTION
Evaluates whether the object is owned by the specified user.
INPUT
ARGUMENTS
user-ID ID of the user.
EXAMPLE
For examples of managing group-level security, see Security Administration.
RELATED
RULE
CONDITIONS
• OWNING_GROUP

• OWNING_GROUP_HAS_SECURITY

• OWNING_SITE


SITE_GEOGRAPHY

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given geography matches the geography of the site being
evaluated.
INPUT
ARGUMENTS
country-code Two-character ISO 3166 country codes.
This condition accepts negation using a minus (–) prefix. For
example, –us indicates any user at a site outside the U.S.
RELATED
RULE
CONDITIONS
• USER_GEOGRAPHY


USER-ADA_LIC_HAS_CITIZENSHIP

CATEGORY
Licenses
DESCRIPTION
Checks whether the user's citizenship matches the passed-in value and then checks if
the user's citizenship is listed on any of the ADA licenses attached to the workspace
object being evaluated.
CONDITION
EVALUATION
true This condition evaluates to true if the user's citizenship matches
the input citizenship and that citizenship is listed on any
nonexpired ADA license attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
(Custom License:citizenship) Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.

RELATED
RULE
CONDITIONS
• USER-EXCLUDE_LIC_HAS_CITIZENSHIP

• USER-IP_LIC_HAS_CITIZENSHIP

• USER-ITAR_LIC_HAS_CITIZENSHIP


USER_CITIZENSHIP

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given citizenship matches the citizenships of the user being
evaluated.
CONDITION
EVALUATION
true If any of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to true.
false If none of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.

RELATED
RULE
CONDITIONS
• USER_CITIZENSHIP_OR_NATIONALITY

• USER_NATIONALITY


USER_CITIZENSHIP_OR_NATIONALITY

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given citizenship matches the citizenship or nationality of the
user being evaluated.
CONDITION
EVALUATION
true If any of the citizenships or nationality of the user being
evaluated match the specified citizenship or nationality, the
condition evaluates to true.
false If none of the citizenships or nationality of the user being
evaluated match the specified citizenship or nationality, the
condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.

RELATED
RULE
CONDITIONS
• USER_CITIZENSHIP

• USER_NATIONALITY
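
Added example, not part of the Siemens documentation: a small Python model of how the citizenship-style arguments described in the preceding entries (USER_CITIZENSHIP, USER_CITIZENSHIP_OR_NATIONALITY and SITE_GEOGRAPHY) resolve a two-letter ISO 3166 code, including the minus-prefix negation such as –IR. The User class, its field names and the sample users are assumptions made for the example.

```python
"""Added example (not Siemens code): models how the citizenship conditions on
this page (USER_CITIZENSHIP, USER_CITIZENSHIP_OR_NATIONALITY) and the
SITE_GEOGRAPHY condition resolve a two-letter ISO 3166 argument, including the
minus-prefix negation such as "-IR". Users and sites below are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# The PDF renders the negation prefix as an en dash; accept both spellings.
NEGATION_PREFIXES = ("-", "\u2013")


@dataclass
class User:
    """Constructed stand-in for the user being evaluated (not a Teamcenter type)."""
    user_id: str
    citizenships: Set[str] = field(default_factory=set)  # a user may hold several
    nationality: Optional[str] = None


def parse_country_arg(arg: str) -> Tuple[bool, str]:
    """Return (negated, CODE) for arguments such as "DE", "-IR" or "–us".

    Codes are upper-cased for comparison; anything that is not a two-letter
    alphabetic code raises, so a mistyped rule fails instead of silently
    matching nothing (or, under negation, matching everyone).
    """
    text = arg.strip()
    negated = text.startswith(NEGATION_PREFIXES)
    code = text[1:].strip().upper() if negated else text.upper()
    if len(code) != 2 or not code.isalpha():
        raise ValueError(f"invalid ISO 3166 code in argument {arg!r}")
    return negated, code


def _decide(matches: bool, negated: bool) -> bool:
    """With negation the condition is true only when there is no match."""
    return (not matches) if negated else matches


def user_citizenship(user: User, arg: str) -> bool:
    """USER_CITIZENSHIP: true if any citizenship of the user matches the code."""
    negated, code = parse_country_arg(arg)
    codes = {c.upper() for c in user.citizenships}
    return _decide(code in codes, negated)


def user_citizenship_or_nationality(user: User, arg: str) -> bool:
    """USER_CITIZENSHIP_OR_NATIONALITY: the nationality counts as a match too."""
    negated, code = parse_country_arg(arg)
    codes = {c.upper() for c in user.citizenships}
    if user.nationality:
        codes.add(user.nationality.upper())
    return _decide(code in codes, negated)


def site_geography(site_country: str, arg: str) -> bool:
    """SITE_GEOGRAPHY: "-us" is true for any site outside the U.S."""
    negated, code = parse_country_arg(arg)
    return _decide(site_country.upper() == code, negated)
```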


USER-EXCLUDE_LIC_HAS_CITIZENSHIP

CATEGORY
Licenses
DESCRIPTION
Checks whether the user's citizenship matches the passed-in value and then checks if
the user's citizenship is listed on any of the exclude licenses attached to the workspace
object being evaluated.
CONDITION
EVALUATION
true This condition evaluates to true if the user's citizenship matches
the input citizenship and that citizenship is listed on any
nonexpired exclude license attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.

RELATED
RULE
CONDITIONS
• USER-ADA_LIC_HAS_CITIZENSHIP

• USER-IP_LIC_HAS_CITIZENSHIP

• USER-ITAR_LIC_HAS_CITIZENSHIP


USER_HAS_CLEARANCE

CATEGORY
General
DESCRIPTION
Validates the user's custom clearance level (from the attached custom LOV) against
the value specified for the condition's input argument.
INPUT
ARGUMENTS
Custom Clearance Property Name {operator} Custom Classification attribute value
EXAMPLE
EAR_clear>=EAR_highest
RELATED
RULE
CONDITIONS
• USER_HAS_GOVERNMENT_CLEARANCE

• USER_HAS_IP_CLEARANCE


USER_HAS_DIGITAL_SIGNATURE

CATEGORY
General
DESCRIPTION
Specifies whether a particular business object has a digital signature of the specified
status in the context of the logged-in user.
CONDITION
EVALUATION
True Evaluates to True if the attached digital signature has specified
status in the context of the logged-on user.
False In all other cases, it evaluates to False.
INPUT
ARGUMENTS
Valid
Invalid
Propagated
Revoked
Voided

BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• POM_APPLICATION_OBJECT and its subtypes

Note
This condition is installed only if the digital signature schema is installed.

RELATED
RULE
CONDITIONS
• HAS_DIGITAL_SIGNATURE


USER_HAS_GOVERNMENT_CLEARANCE

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Validates the user's government clearance level (secret, super-secret, top-secret)
against the value specified for the condition’s input argument.
Teamcenter defines out-of-the-box clearance levels using the
ITAR_level_list_ordering preference as secret, super-secret, top-secret. This
list can be customized.
This condition has two modes of evaluation:

• If the input argument specifies an operator and a clearance value, the condition
compares this input value to the user’s government clearance.
Example: HasGovernmentClearance (>Secret)

• The operators can be used without a clearance value, in which case the user’s
government clearance is compared to the government classification attribute of
the object based on the specified operator.
Example: HasGovernmentClearance (>)

Note
If the object is not ITAR classified (gov_classification attribute value
is empty), the User Has Government Clearance condition always
evaluates as being true regardless of whether or not the user is assigned a
government clearance level.

CONDITION
EVALUATION
true Evaluates to true in the following scenarios:

• The workspace object being evaluated does not have
government classification set on it. Therefore, this evaluates
to true because the data is not classified, and the user’s
clearance does not have any effect.
Example:
HasGovernmentClassification()

User’s Gov Classification   Object’s Gov Classification   Evaluation
(not set)                   (not set)                     True
secret                      (not set)                     True


• The condition has an input argument value and the user’s
government clearance value matches the condition’s input
argument.
Example:
HasGovernmentClassification(>secret)

User’s Gov Classification   Evaluation
top-secret                  True
secret                      False

• The condition’s input argument contains only an operator
(without a clearance value), and the user’s government
clearance level matches the object’s government
classification attribute.

• The condition has no input argument, and the user’s
government clearance level is greater than or equal to the
object’s government classification level.
Example:
HasGovernmentClassification()

User’s Gov Classification   Object’s Gov Classification   Evaluation
top-secret                  secret                        True
secret                      top-secret                    False


• The user’s government clearance level is not set, the
object’s government classification level is not set, and the
government clearance value is specified for the condition
as follows:
>
<
=
==
>=
<=

false Evaluates to false in all other cases, including the case
where the object being evaluated is not a subtype of
WorkspaceObject.
INPUT
ARGUMENTS
clearance_value Specific government clearance attribute values that can be
prefixed by the following operators:
>
>=
<
<=
=

BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
The following example shows how to use the User Has Government Clearance
condition using operators and a clearance value:

User Has Government Clearance (>=secret) -> TestACL


User Has Government Clearance (=topsecret) -> TestACL

The following example shows how to use the User Has Government Clearance
condition using an operator without a clearance value:

User Has Government Clearance (>=) -> TestACL

The following example shows how to use the User Has Government Clearance
condition without any value for the condition:

User Has Government Clearance () -> TestACL


RELATED
RULE
CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION

• HAS_NO_GOVERNMENT_CLASSIFICATION

• USER_IS_EXCLUDED

• USER_IS_ITAR_LICENSED


USER_HAS_IP_CLEARANCE

CATEGORY
Intellectual property (IP)
DESCRIPTION
Validates the user's clearance level against the value specified for the condition.
The Intellectual property (IP) clearance level is the level of access the user has to
sensitive (classified) information.
The operators can be used without a clearance value in which case the user's
clearance is compared to the IP classification attribute of the object based on the
specified operator.

Note
If the data is not IP classified, the User Has IP Clearance condition is
evaluated as being true regardless of whether or not the user is assigned a
clearance level.

CONDITION
EVALUATION
true Evaluates to true in the following scenarios:
• The workspace object being evaluated does not have IP
classification set on it.

• The condition has a clearance value specified and the
user’s IP clearance level matches the value specified for
the condition.

• Operators are specified without a clearance value and
the user’s IP clearance level matches the IP classification
specified on the object being evaluated, based on the
specified operator.

• The IP clearance value is not specified for the condition,
and the user’s IP clearance level is greater than or equal to
the object’s IP classification level.
Example:
User Has IP Clearance (>=secret) -> TestACL

User’s IP Clearance   Evaluation
top-secret            True
secret                True

• The IP clearance value is specified as “=”/”>=”/”<=” for
the condition, the user’s IP clearance level is not set, and
the object’s IP classification level is not set.


false Evaluates to false in all other cases, including the case
where the object being evaluated is not a subtype of
WorkspaceObject.
INPUT
ARGUMENTS
clearance_value Specific IP clearance values that can be prefixed by the
following operators:
>
>=
<
<=

BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
The following example shows how to use the User Has IP Clearance condition using
operators and a clearance value:

User Has IP Clearance (>=secret) -> TestACL


User Has IP Clearance (=topsecret) -> TestACL

The following example shows how to use the User Has IP Clearance condition using
an operator without a clearance value:

User Has IP Clearance (>=) -> TestACL

The following example shows how to use the User Has IP Clearance condition
without any value for the condition:

User Has IP Clearance () -> TestACL

RELATED
RULE
CONDITIONS
• HAS_IP_CLASSIFICATION

• HAS_NO_IP_CLASSIFICATION

• USER_IS_IP_LICENSED
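
Added example, not Siemens code: a Python model of the evaluation rules for USER_HAS_GOVERNMENT_CLEARANCE and USER_HAS_IP_CLEARANCE described in the two preceding entries, covering operator-with-value, operator-only and empty arguments as well as the unclassified-object and non-WorkspaceObject cases. The level ordering is assumed to be ascending as listed in the ITAR_level_list_ordering default; the function and parameter names are the example's own.

```python
"""Added example (not Siemens code): models how USER_HAS_GOVERNMENT_CLEARANCE
and USER_HAS_IP_CLEARANCE resolve their argument against a user's clearance
and an object's classification, following the evaluation rules on this page."""
from typing import Callable, Dict, Optional, Tuple

# Assumed ascending order (lowest clearance first), mirroring the default
# ITAR_level_list_ordering value "secret, super-secret, top-secret".
# Pass a different tuple for a customised list or for the IP clearance LOV.
DEFAULT_LEVELS = ("secret", "super-secret", "top-secret")

OPERATORS: Dict[str, Callable[[int, int], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_clearance_arg(arg: str) -> Tuple[Optional[str], Optional[str]]:
    """Split "(>=secret)", ">=", "()" or "" into (operator, value).

    Two-character operators are tried first so ">=secret" is not read as
    ">" followed by the value "=secret". A bare value with no operator is
    treated as equality (an assumption; the page only documents
    operator-prefixed values).
    """
    text = arg.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    text = text.strip()
    for op in sorted(OPERATORS, key=len, reverse=True):
        if text.startswith(op):
            value = text[len(op):].strip()
            return op, (value or None)
    return ("=", text) if text else (None, None)


def user_has_clearance(
    user_level: Optional[str],
    object_level: Optional[str],
    arg: str = "",
    levels: Tuple[str, ...] = DEFAULT_LEVELS,
    is_workspace_object: bool = True,
) -> bool:
    """Return the condition's truth value for one user / object pair.

    Mirrors the page: a non-WorkspaceObject is always false; an object with
    no classification is always true; an operator plus value compares the
    user's level to the value; an operator alone compares it to the object's
    classification; no argument means user level >= object level.
    Unknown level names (including an unset user clearance against a
    classified object) fail closed rather than granting access.
    """
    if not is_workspace_object:
        return False
    if object_level is None:
        return True  # data is not classified; the user's clearance has no effect
    rank = {name: i for i, name in enumerate(levels)}
    if user_level not in rank or object_level not in rank:
        return False
    operator, value = parse_clearance_arg(arg)
    if value is not None:
        if value not in rank:  # e.g. a typo such as "topsecret" in the rule
            return False
        return OPERATORS[operator](rank[user_level], rank[value])
    compare = OPERATORS[operator or ">="]
    return compare(rank[user_level], rank[object_level])
```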


USER_IN_ATTACH_ADA_LIC_OF_CTGRY

CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes.

• The workspace object has ADA licenses attached that:
o Match the license category of the input category.

o List the current session user on the license.

CONDITION
EVALUATION
true Evaluates to true if:
• The evaluation object is a workspace object or one of its
subtypes.

• The workspace object has ADA licenses attached that:
o Match the license category of the input category.

o List the current session user on the license.

false Evaluates to false if:
• The evaluation object is not a workspace object.

• The input category is a wildcard character (*, %, @).

• The workspace object has no ADA licenses attached.

• If ADA licenses are attached, none of them list both the
user and match the category.

INPUT
ARGUMENTS
(Custom License:license_category) A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.

EXAMPLE
For an example, see Security Administration.


GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_EXCL_LIC_OF_CTGRY

• USER_IN_ATTACH_IP_LIC_OF_CTGRY

• USER_IN_ATTACH_ITAR_LIC_OF_CTGRY

• USER_IN_ATTACHED_EXCLUDE_LICENSE

• USER_IN_ATTACHED_IP_LICENSE

• USER_IN_ATTACHED_LICENSE

• USER_IN_ATTACHED_ITAR_LICENSE


USER_IN_ATTACH_EXCL_LIC_OF_CTGRY

CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes.

• The workspace object has exclude licenses attached that:
o Match the license category of the input category.

o List the current session user on the license.

CONDITION
EVALUATION
true Evaluates to true if:
• The evaluation object is a workspace object or one of its
subtypes.

• The workspace object has ITAR licenses attached that:
o Match the license category of the input category.

o List the current session user on the license.

false Evaluates to false if:
• The evaluation object is not a workspace object.

• The input category is a wildcard character (*, %, @).

• The workspace object has no exclude licenses attached.

• If exclude licenses are attached, none of them list both the
user and match the category.

INPUT
ARGUMENTS
license_category A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.

EXAMPLE
For an example, see Security Administration.


GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_ADA_LIC_OF_CTGRY

• USER_IN_ATTACH_IP_LIC_OF_CTGRY

• USER_IN_ATTACH_ITAR_LIC_OF_CTGRY

• USER_IN_ATTACHED_EXCLUDE_LICENSE

• USER_IN_ATTACHED_IP_LICENSE

• USER_IN_ATTACHED_LICENSE

• USER_IN_ATTACHED_ITAR_LICENSE


USER_IN_ATTACH_IP_LIC_OF_CTGRY

CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes

• The workspace object has IP licenses attached that:
o Match the license category of the category input.

o List the current session user on the license.

CONDITION
EVALUATION
true Evaluates to true if:
• The evaluation object is a workspace object or one of its
subtypes.

• The workspace object has any IP licenses attached that:
o Match the license category of the input category.

o List the current session user on the license.

false Evaluates to false if:
• The evaluation object is not a workspace object.

• The input category is a wildcard character (*, %, @).

• The workspace object has no IP licenses attached.

• If ITAR licenses are attached, none of them list both the
user and match the category.

INPUT
ARGUMENTS
license_category A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.

EXAMPLE
For an example, see Security Administration.


GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about license categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_ADA_LIC_OF_CTGRY

• USER_IN_ATTACH_EXCL_LIC_OF_CTGRY

• USER_IN_ATTACH_ITAR_LIC_OF_CTGRY

• USER_IN_ATTACHED_EXCLUDE_LICENSE

• USER_IN_ATTACHED_IP_LICENSE

• USER_IN_ATTACHED_LICENSE

• USER_IN_ATTACHED_ITAR_LICENSE


USER_IN_ATTACH_ITAR_LIC_OF_CTGRY

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks the following:
• Whether the evaluation object is a workspace object (Workspace Object) or
one of its subtypes.

• The workspace object has ITAR licenses attached that:
o Match the license category of the input category.

o List the current session user on the license.

CONDITION
EVALUATION
true Evaluates to true if:
• The evaluation object is a workspace object or one of its
subtypes.

• The workspace object has ITAR licenses attached that:
o Match the license category of the input category.

o List the current session user on the license.

false Evaluates to false if:
• The evaluation object is not a workspace object.

• The input category is a wildcard character (*, %, @).

• The workspace object has no ITAR licenses attached.

• If ITAR licenses are attached, none of them list both the
user and match the category.
INPUT
ARGUMENTS
license_category A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.
EXAMPLE
For an example, see Security Administration.


GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about license categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_ADA_LIC_OF_CTGRY

• USER_IN_ATTACH_EXCL_LIC_OF_CTGRY

• USER_IN_ATTACH_IP_LIC_OF_CTGRY

• USER_IN_ATTACHED_EXCLUDE_LICENSE

• USER_IN_ATTACHED_IP_LICENSE

• USER_IN_ATTACHED_LICENSE

• USER_IN_ATTACHED_ITAR_LICENSE


USER_IN_ATTACHED_ADA_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the user from the current session is listed on any or all of the custom
licenses attached to the workspace object being evaluated.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user
is listed on at least one custom license attached to the
workspace object.

• If set to All, the condition evaluates to true if the user is
listed on all custom licenses attached to the workspace
object.

false In all other cases, the condition evaluates to false.

INPUT
ARGUMENTS
• Any

• All

• (Custom License:{Any|All|None})

EXAMPLE
EAR_itarlicense:Any.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_IP_LICENSE

• USER_IN_ATTACHED_ITAR_LICENSE

• USER_IN_ATTACHED_EXCLUDE_LICENSE


USER_IN_ATTACHED_EXCLUDE_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the user from the current session is listed in any or all exclude
licenses attached to the workspace object being evaluated.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user is
listed on any nonexpired exclude licenses attached to the
workspace object.

• If set to All, the condition evaluates to true if the user is
listed on all nonexpired exclude licenses attached to the
workspace object.

• If set to None, the condition evaluates to true if the user
is not listed in any of the attached Exclude licenses on the
object under evaluation.

false In all other cases, the condition evaluates to false.

INPUT
ARGUMENTS
Any or All
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see USER_IN_ATTACHED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_IP_LICENSE

• USER_IN_ATTACHED_ITAR_LICENSE

• USER_IN_ATTACHED_LICENSE


USER_IN_ATTACHED_IP_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the user being evaluated is listed on any or all of the IP licenses
attached to the workspace objects.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user is
listed on at least one nonexpired IP license attached to the
workspace object.

• If set to All, the condition evaluates to true if the user
is listed on all nonexpired IP licenses attached to the
workspace object.

• If set to None, the condition evaluates to true if the user
is not listed in any of the attached IP licenses on the object
under evaluation.

false In all other cases, the condition evaluates to false.

INPUT
ARGUMENTS
Any or All
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see USER_IN_ATTACHED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_EXCLUDE_LICENSE

• USER_IN_ATTACHED_ITAR_LICENSE

• USER_IN_ATTACHED_LICENSE


USER_IN_ATTACHED_ITAR_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the user from the current session is listed on any or all of the ITAR
licenses attached to the workspace object being evaluated.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user
is listed on any nonexpired ITAR license attached to the
workspace object.

• If set to All, the condition evaluates to true if the user
is listed on all nonexpired ITAR licenses attached to the
workspace object.

• If set to None, the condition evaluates to true if the user is
not listed in any of the attached ITAR licenses on the object
under evaluation.

false In all other cases, the condition evaluates to false.

INPUT
ARGUMENTS
Any or All
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
The following Access Manager rule states that a user only needs to be on one or
more of the ITAR licenses attached to an object to be given access to that object,
with World having read access:

User in Attached ITAR License (Any)
World –> Read

User1 is listed on one of the licenses attached to Item001, as shown. Therefore,
User1 is allowed access to Item001. User5, on the other hand, is not listed on any of
the ITAR licenses attached to item002 so User5 is not given access to item002.


RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_EXCLUDE_LICENSE

• USER_IN_ATTACHED_IP_LICENSE

• USER_IN_ATTACHED_LICENSE


USER_IN_ATTACHED_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the user from the current session is listed on any or all of the licenses
attached to the workspace object being evaluated.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user
is listed on any nonexpired ADA license attached to the
workspace object.

• If set to All, the condition evaluates to true if the user
is listed on all nonexpired ADA licenses attached to the
workspace object.

• If set to None, the condition evaluates to true if the user
is not listed in any of the attached licenses on the object
under evaluation.

false In all other cases, the condition evaluates to false.

INPUT
ARGUMENTS
Any or All
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see USER_IN_ATTACHED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_EXCLUDE_LICENSE

• USER_IN_ATTACHED_IP_LICENSE

• USER_IN_ATTACHED_ITAR_LICENSE
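
Added example, not Siemens code: a Python model of the attached-license conditions described in the preceding entries (USER_IN_ATTACHED_*_LICENSE with Any, All and None, and USER_IN_ATTACH_*_LIC_OF_CTGRY with its wildcard rejection), reproducing the Item001 / item002 decision from the USER_IN_ATTACHED_ITAR_LICENSE example. The License class, the license IDs, categories and expiry dates are constructed for the example; the treatment of All with no active license and of expired licenses in the category conditions is an assumption noted in the code.

```python
"""Added example (not Siemens code): a small model of the attached-licence
conditions in this appendix (USER_IN_ATTACHED_*_LICENSE with Any/All/None and
USER_IN_ATTACH_*_LIC_OF_CTGRY), so the decision logic can be checked before
it is encoded in a rule tree. All licence data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, Optional

WILDCARDS = {"*", "%", "@"}  # a wildcard category argument always evaluates false


@dataclass(frozen=True)
class License:
    """Constructed stand-in for an ADA licence (not a Teamcenter type)."""
    license_id: str
    kind: str                        # "ITAR", "IP", "Exclude" or a custom licence type
    users: FrozenSet[str]            # user IDs listed on the licence
    category: Optional[str] = None
    expires: Optional[date] = None   # None means the licence never expires

    def is_active(self, today: date) -> bool:
        return self.expires is None or self.expires >= today


def user_in_attached_license(user_id: str, attached: Iterable[License], mode: str,
                             kind: Optional[str], today: date) -> bool:
    """Any: listed on at least one nonexpired licence of the kind.
    All: listed on every nonexpired licence of the kind (assumption: with no
    such licence attached there is nothing to be listed on, so fail closed).
    None: listed on no nonexpired licence of the kind.
    kind=None models USER_IN_ATTACHED_LICENSE, which spans all licence types."""
    active = [lic for lic in attached
              if lic.is_active(today) and (kind is None or lic.kind == kind)]
    listed = [user_id in lic.users for lic in active]
    mode = mode.strip().lower()
    if mode == "any":
        return any(listed)
    if mode == "all":
        return bool(listed) and all(listed)
    if mode == "none":
        return not any(listed)
    raise ValueError(f"unsupported mode {mode!r}; expected Any, All or None")


def user_in_attach_lic_of_ctgry(user_id: str, attached: Iterable[License],
                                category: str, kind: str, today: date,
                                is_workspace_object: bool = True) -> bool:
    """True only if some attached licence of the kind carries the input category
    and lists the user; wildcard categories, non-workspace objects and objects
    with no licence of the kind are false. Expired licences are skipped, an
    assumption carried over from the Any/All conditions on this page."""
    if not is_workspace_object or category in WILDCARDS:
        return False
    of_kind = [lic for lic in attached if lic.kind == kind]
    if not of_kind:
        return False
    return any(lic.category == category and user_id in lic.users and lic.is_active(today)
               for lic in of_kind)


# Constructed sample data modelled on the page's Item001 / item002 example.
TODAY = date(2024, 1, 15)
ITEM001 = (
    License("ITAR-A", "ITAR", frozenset({"User1", "User2"}), category="Export"),
    License("ITAR-B", "ITAR", frozenset({"User3"}), category="Export",
            expires=date(2023, 12, 31)),                    # expired: must not count
    License("IP-A", "IP", frozenset({"User1"})),
)
ITEM002 = (
    License("ITAR-C", "ITAR", frozenset({"User2"}), category="Export"),
)


def evaluate_page_example() -> dict:
    """Reproduce the page's rule 'User in Attached ITAR License (Any)' decisions."""
    return {
        "User1@Item001": user_in_attached_license("User1", ITEM001, "Any", "ITAR", TODAY),
        "User5@item002": user_in_attached_license("User5", ITEM002, "Any", "ITAR", TODAY),
    }


if __name__ == "__main__":
    print(evaluate_page_example())
```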


USER_IN_LICENSE

CATEGORY
ADA
DESCRIPTION
Checks whether the ADA_License object being evaluated lists the user being
evaluated, either individually or as a member of a group, so you can control the
licenses that are visible to the user in Teamcenter applications, such as when
searching for licenses, viewing licenses in the ADA License application, attaching
licenses to an object, or viewing licenses attached to an object. For example, it
determines whether Teamcenter displays a particular license in the ADA licenses
view to the user, as shown, or in the Attach an object to Licenses dialog box.

CONDITION
EVALUATION
true • If set to true, the condition returns true if the user being
evaluated is listed on the license either individually or as
a member of a group.

• If set to false, the condition returns true if the user being
evaluated is not listed on the license either individually or as
a member of a group.

false • If set to true, the condition returns false if the user being
evaluated is not listed on the license either individually or as
a member of a group.

• If set to false, the condition returns false if the user being
evaluated is listed on the license either individually or as
a member of a group.

INPUT
ARGUMENTS
true or false
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• ADA_License object or any of its subclasses (ITAR_License, IP_License, or
Exclude_License)


USER_IN_NAMED_ADA_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the user being evaluated is listed on a custom license of the specified
name. It does not check if the license is attached to the workspace objects being
evaluated.
INPUT ARGUMENTS
Custom License: License ID
EXAMPLE
EAR_itarlicense:ear_license_01
RELATED RULE CONDITIONS
• USER_IN_NAMED_IP_LICENSE

• USER_IN_NAMED_ITAR_LICENSE

• USER_IN_NAMED_EXCLUDE_LICENSE


USER_IN_NAMED_EXCLUDE_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether a user being evaluated is listed in an exclude license of the specified
license ID. It does not check if the license is attached to the workspace object being
evaluated.
CONDITION EVALUATION
true    If the user is in the specified license and the license is an exclude license, the rule condition evaluates to true, regardless of whether the license is attached to the workspace object.
false   In all other cases, the condition evaluates to false.
INPUT ARGUMENTS
License ID    ID of the license.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see USER_IN_NAMED_ITAR_LICENSE.
RELATED RULE CONDITIONS
• USER_IN_NAMED_IP_LICENSE

• USER_IN_NAMED_ITAR_LICENSE

• USER_IN_NAMED_LICENSE


USER_IN_NAMED_IP_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the user being evaluated is listed on an IP license of the specified
name. It does not check if the license is attached to the workspace objects being
evaluated.
CONDITION EVALUATION
true    If the user is in the specified license and the license is an IP license, the rule condition evaluates to true, regardless of whether the license is attached to the workspace object.
false   In all other cases, the condition evaluates to false.
INPUT ARGUMENTS
License ID
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see USER_IN_NAMED_ITAR_LICENSE.
RELATED RULE CONDITIONS
• USER_IN_NAMED_EXCLUDE_LICENSE

• USER_IN_NAMED_ITAR_LICENSE

• USER_IN_NAMED_LICENSE


USER_IN_NAMED_ITAR_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether the user being evaluated is listed on an ITAR license of the specified
name. It does not check if the license is attached to the workspace objects being
evaluated.
CONDITION EVALUATION
true    If the user is in the specified license and the license is an ITAR license, the rule condition evaluates to true, regardless of whether the license is attached to the workspace object.
false   In all other cases, the condition evaluates to false.
INPUT ARGUMENTS
License ID    ID of the license.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
The following Access Manager rule states that a user must be in a named ITAR license to be given access to an object, with the World having read access:

Has GovClassification = Secret
    User In Named ITAR License (ITAR001)
        World –> Read

The ITAR001 license has three users named on it (User 1, User 2, and User 3). In addition, the item being accessed, item001, has a gov_classification set to secret.
Using the User In Named ITAR License condition, User 1 can read item001 because User 1 is listed on the license, while User 4 cannot read item001 because User 4 is not listed on the license.
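The rule tree above, modelled as an added example that is not Siemens code: a small evaluator walks the tree, applies a node's ACL only when its condition holds, and reproduces the outcome for User 1 and User 4. The classes, function names and accessor handling are assumptions; only the object, license and user names come from the example.

```python
# Added example (not Siemens code): a miniature model of the Access Manager rule
# tree shown above. Data structures and function names are assumptions; the names
# item001, ITAR001 and User 1..User 4 are taken from the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class License:
    license_id: str
    kind: str                              # "ITAR", "IP", "Exclude" or "ADA"
    users: Set[str] = field(default_factory=set)


@dataclass
class WorkspaceObject:
    name: str
    gov_classification: Optional[str] = None


# A rule-tree node: (condition, ACL entries as (accessor, operation), child nodes).
Condition = Callable[[str, WorkspaceObject, Dict[str, License]], bool]
Node = Tuple[Condition, Set[Tuple[str, str]], List["Node"]]


def has_government_classification(obj: WorkspaceObject, wanted: str) -> bool:
    """Has GovClassification = <wanted>: the object's classification equals the argument."""
    return obj.gov_classification is not None and obj.gov_classification.lower() == wanted.lower()


def user_in_named_itar_license(user: str, license_id: str, licenses: Dict[str, License]) -> bool:
    """USER_IN_NAMED_ITAR_LICENSE: the user is listed on the ITAR license with this ID.

    Whether that license is attached to the object is deliberately not checked,
    matching the reference description of the named-license conditions.
    """
    lic = licenses.get(license_id)
    return lic is not None and lic.kind == "ITAR" and user in lic.users


def accessor_matches(accessor: str, user: str) -> bool:
    # Only the World accessor used by the example is modelled; it matches every user.
    return accessor == "World"


def granted_operations(node: Node, user: str, obj: WorkspaceObject,
                       licenses: Dict[str, License]) -> Set[str]:
    """A node's ACL applies, and its children are visited, only when its condition holds."""
    condition, acl, children = node
    if not condition(user, obj, licenses):
        return set()
    ops = {op for accessor, op in acl if accessor_matches(accessor, user)}
    for child in children:
        ops |= granted_operations(child, user, obj, licenses)
    return ops


# The rule tree from the example:
#   Has GovClassification = Secret
#       User In Named ITAR License (ITAR001)
#           World -> Read
RULE_TREE: Node = (
    lambda u, o, L: has_government_classification(o, "Secret"),
    set(),
    [(lambda u, o, L: user_in_named_itar_license(u, "ITAR001", L), {("World", "Read")}, [])],
)

# Constructed sample data matching the example: ITAR001 names User 1..3; item001 is secret.
LICENSES = {"ITAR001": License("ITAR001", "ITAR", {"User 1", "User 2", "User 3"})}
ITEM001 = WorkspaceObject("item001", gov_classification="secret")


def can_read(user: str, obj: WorkspaceObject = ITEM001) -> bool:
    return "Read" in granted_operations(RULE_TREE, user, obj, LICENSES)


if __name__ == "__main__":
    for user in ("User 1", "User 4"):
        print(f"{user} can read {ITEM001.name}: {can_read(user)}")
```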


RELATED RULE CONDITIONS
• USER_IN_NAMED_EXCLUDE_LICENSE

• USER_IN_NAMED_IP_LICENSE

• USER_IN_NAMED_LICENSE


USER_IN_NAMED_LICENSE

CATEGORY
Licenses
DESCRIPTION
Checks whether a user from the current session is listed in the license of the specified
license ID. The rule condition does not check if the license is attached to the workspace
object being evaluated.
CONDITION EVALUATION
true    If the user is in the specified license, the rule condition evaluates to true, regardless of whether the license is attached to the workspace object.
false   In all other cases, the condition evaluates to false.
INPUT ARGUMENTS
License ID    ID of the license.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Workspace objects

EXAMPLE
For an example, see USER_IN_NAMED_ITAR_LICENSE.
RELATED RULE CONDITIONS
• USER_IN_NAMED_EXCLUDE_LICENSE

• USER_IN_NAMED_IP_LICENSE

• USER_IN_NAMED_ITAR_LICENSE


USER-IP_LIC_HAS_CITIZENSHIP

CATEGORY
Licenses
DESCRIPTION
Checks whether the user's citizenship matches the passed-in value and then checks
if the user's citizenship is listed on any of the IP licenses attached to the workspace
object being evaluated.
CONDITION EVALUATION
true    This condition evaluates to true if the user's citizenship matches the input citizenship and that citizenship is listed on any nonexpired IP license attached to the workspace object.
false   In all other cases, the condition evaluates to false.
INPUT ARGUMENTS
citizenship    Two-character ISO 3166 code identifying a country. This condition accepts negation using a minus (–) prefix. For example, –IR means that the user cannot have an IR citizenship.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Any workspace object.

RELATED RULE CONDITIONS
• USER-ADA_LIC_HAS_CITIZENSHIP

• USER-EXCLUDE_LIC_HAS_CITIZENSHIP

• USER-ITAR_LIC_HAS_CITIZENSHIP


USER_IS_ADA_LICENSED

CATEGORY
General
DESCRIPTION
Checks whether the user currently logged on is cited in a valid (not expired) custom
license attached to the workspace object either directly or by membership in a cited
organization (group).
CONDITION EVALUATION
true
• If set to true, the condition returns true if the user being evaluated is cited in any valid (not expired) ADA license attached to the workspace object being evaluated either directly or as a member of a group.

• If set to false, the condition returns true if the user being evaluated is not cited in any valid (not expired) ADA license attached to the workspace object being evaluated either directly or as a member of a group.

false
• If set to true, the condition returns false if the user being evaluated is not listed in any valid (not expired) ADA license attached to the workspace object being evaluated either individually or as a member of a group.

• If set to false, the condition returns false if the user being evaluated is listed in any valid (not expired) ADA license attached to the workspace object being evaluated either individually or as a member of a group.

INPUT ARGUMENTS
Custom License:{true|false}
EXAMPLE
EAR_itarlicense:true
RELATED RULE CONDITIONS
• USER_IS_IP_LICENSED

• USER_IS_ITAR_LICENSED


USER_IS_EXCLUDED

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Tests whether the user is cited in a valid (not expired) exclude license attached to the
workspace object either directly or by membership in a cited organization (group).
CONDITION EVALUATION
true
• If the input argument is set to true, the condition evaluates to true if the user is cited in any valid (not expired) exclude license attached to the workspace object being evaluated either directly or by membership in a cited organization (group).

• If the input argument is set to false, the condition evaluates to true if the user is not cited in any valid (not expired) exclude license attached to the workspace object being evaluated either directly or by membership in a cited organization (group).

false
• If the input argument is set to true, the condition evaluates to false if the user is not cited in any valid (not expired) exclude license attached to the workspace object being evaluated either directly or by membership in a cited organization (group).

• If the input argument is set to false, the condition evaluates to false if the user is cited in any valid (not expired) exclude license attached to the workspace object being evaluated either directly or by membership in a cited organization (group).

INPUT ARGUMENTS
true or false
RELATED RULE CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION

• HAS_NO_GOVERNMENT_CLASSIFICATION

• USER_HAS_GOVERNMENT_CLEARANCE

• USER_IS_ITAR_LICENSED


USER_IS_IP_LICENSED

CATEGORY
Intellectual property (IP)
DESCRIPTION
Checks whether the user being evaluated is listed on an IP license attached to the
workspace object.
CONDITION EVALUATION
true
• If set to true, the condition returns true if the user being evaluated is cited in any valid (not expired) IP license attached to the workspace object being evaluated either directly or as a member of a group.

• If set to false, the condition returns true if the user being evaluated is not cited in any valid (not expired) IP license attached to the workspace object being evaluated either directly or as a member of a group.

false
• If set to true, the condition returns false if the user being evaluated is not listed in any valid (not expired) IP license attached to the workspace object being evaluated either individually or as a member of a group.

• If set to false, the condition returns false if the user being evaluated is listed in any valid (not expired) IP license attached to the workspace object being evaluated either individually or as a member of a group.

INPUT ARGUMENTS
true or false
RELATED RULE CONDITIONS
• USER_HAS_IP_CLEARANCE

• HAS_IP_CLASSIFICATION

• HAS_NO_IP_CLASSIFICATION


USER_IS_ITAR_LICENSED

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the user currently logged on is cited in a valid (not expired) ITAR
license attached to the workspace object either directly or by membership in a cited
organization (group).
CONDITION EVALUATION
true
• If the input argument is set to true, the condition evaluates to true if the user is cited in any valid (not expired) ITAR license attached to the workspace object being evaluated either directly or by membership in a cited organization (group).

• If the input argument is set to false, the condition evaluates to true if the user is not cited in any valid (not expired) ITAR license attached to the workspace object being evaluated either directly or by membership in a cited organization (group).

false
• If the input argument is set to true, the condition evaluates to false if the user is not cited in any valid (not expired) ITAR license attached to the workspace object being evaluated either directly or by membership in a cited organization (group).

• If the input argument is set to false, the condition evaluates to false if the user is cited in any valid (not expired) ITAR license attached to the workspace object being evaluated either directly or by membership in a cited organization (group).

INPUT ARGUMENTS
true or false
RELATED RULE CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION

• HAS_NO_GOVERNMENT_CLASSIFICATION

• USER_HAS_GOVERNMENT_CLEARANCE

• USER_IS_EXCLUDED


USER-ITAR_LIC_HAS_CITIZENSHIP

CATEGORY
Licenses
DESCRIPTION
Checks whether the user's citizenship matches the passed-in value and then checks if
the user's citizenship is listed on any of the ITAR licenses attached to the workspace
object being evaluated.
CONDITION EVALUATION
true    This condition evaluates to true if the user's citizenship matches the input citizenship and that citizenship is listed on any nonexpired ITAR license attached to the workspace object.
false   In all other cases, the condition evaluates to false.
INPUT ARGUMENTS
citizenship    Two-character ISO 3166 code identifying a country. This condition accepts negation using a minus (–) prefix. For example, –IR means that the user cannot have an IR citizenship.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Any workspace object.

RELATED RULE CONDITIONS
• USER-ADA_LIC_HAS_CITIZENSHIP

• USER-EXCLUDE_LIC_HAS_CITIZENSHIP

• USER-IP_LIC_HAS_CITIZENSHIP


USER_GEOGRAPHY

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given geography matches the geography of the user being
evaluated.
INPUT ARGUMENTS
country-code    Two-character ISO 3166 country code. This condition accepts negation using a minus (–) prefix. For example, –us indicates any user at a site outside the U.S.
RELATED RULE CONDITIONS
• SITE_GEOGRAPHY


USER_NATIONALITY

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given nationality matches the nationality of the user being
evaluated.
INPUT ARGUMENTS
nationality    Two-character ISO 3166 code. This condition accepts negation using a minus (–) prefix. For example, –us indicates any user not from the U.S.
BUSINESS OBJECT SCOPE
This condition can be used to control access to classified data.
RELATED RULE CONDITIONS
• GROUP_NATIONALITY


USER_NOT_IN_ATTACH_ADA_LIC_CTG

CATEGORY
Intellectual Property (IP)
DESCRIPTION
Supports the negative rule tree condition for the existing USER_IN_ATTACH_ADA_LIC_OF_CTGRY rule tree condition.
CONDITION EVALUATION
Evaluates to true if the object under evaluation:
• Is a workspace object or one of its subtypes.

• Has ADA licenses attached that do not match the license category of the input category and do not list the current session user on the license.

INPUT ARGUMENTS
license_category    A string identifying the name of the license category.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is a workspace object, the condition returns true.

GOOD RULE PRACTICES
Access control by licenses can be configured based on the license type to vary access at a high level or based on the license name to vary the access at a granular level. Categories offer a way to control access by licenses in between the high and granular levels. They provide a way to have different subtypes of licenses under each type and configure access based on each category.
To learn more about categories, see Security Administration.
RELATED RULE CONDITIONS
• USER_IN_ATTACH_ADA_LIC_OF_CTGRY


USER_NOT_IN_ATTACH_EXCL_LIC_CTG

CATEGORY
Intellectual Property (IP)
DESCRIPTION
Supports the negative rule tree condition for the existing USER_IN_ATTACH_EXCL_LIC_OF_CTGRY rule tree condition.
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one of its subtypes.

• Whether the workspace object has exclude licenses attached that do not:
  o Match the license category of the input category.
  o List the current session user on the license.

CONDITION EVALUATION
true    Evaluates to true if:
• The evaluation object is a workspace object or one of its subtypes.

• The workspace object has exclude licenses attached that do not:
  o Match the license category of the input category.
  o List the current session user on the license.

false   Evaluates to false if:
• The evaluation object is not a workspace object.

• The workspace object has no exclude licenses attached.

• If exclude licenses are attached, none of them list both the user and match the category.

INPUT ARGUMENTS
license_category    A string identifying the name of the license category.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.


GOOD RULE PRACTICES
Access control by licenses can be configured based on the license type to vary access at a high level or based on the license name to vary the access at a granular level. Categories offer a way to control access by licenses in between the high and granular levels. They provide a way to have different subtypes of licenses under each type and configure access based on each category.
To learn more about categories, see Security Administration.
RELATED RULE CONDITIONS
• User Not In Attach ADA Lic of Ctgry

• User Not In Attach IP Lic of Ctgry


USER_NOT_IN_ATTACH_IP_LIC_CTG

CATEGORY
Intellectual Property (IP)
DESCRIPTION
Supports the negative rule tree condition for the existing User In Attach IP Lic of Ctgry rule tree condition.
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one of its subtypes.

• Whether the workspace object has IP licenses attached that:
  o Do not match the license category of the category input.
  o Do not list the current session user on the license.

CONDITION EVALUATION
true    Evaluates to true if:
• The evaluation object is a workspace object or one of its subtypes.

• The workspace object has any IP licenses attached that:
  o Do not match the license category of the input category.
  o Do not list the current session user on the license.

false   Evaluates to false if:
• The evaluation object is a workspace object or one of its subtypes.

• The workspace object has IP licenses attached.

• If IP licenses are attached, both of them list both the user and match the category.

INPUT ARGUMENTS
license_category    A string identifying the name of the license category.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is a workspace object, the condition returns true.


GOOD RULE PRACTICES
Access control by licenses can be configured based on the license type to vary access at a high level or based on the license name to vary the access at a granular level. Categories offer a way to control access by licenses in between the high and granular levels. They provide a way to have different subtypes of licenses under each type and configure access based on each category.
To learn more about license categories, see Security Administration.
RELATED RULE CONDITIONS
• User Not In Attach ADA Lic of Ctgry

• User Not In Attach Excl Lic of Ctgry


USER_NOT_IN_ATTACH_ITAR_LIC_CTG

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Supports the negative rule tree condition for the existing User In Attach ITAR Lic of Ctgry rule tree condition.
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one of its subtypes.

• Whether the workspace object has ITAR licenses attached that do not:
  o Match the license category of the input category.
  o List the current session user on the license.

CONDITION EVALUATION
true    Evaluates to true if:
• The evaluation object is a workspace object or one of its subtypes.

• The workspace object has ITAR licenses attached that do not:
  o Match the license category of the input category.
  o List the current session user on the license.

false   Evaluates to false if:
• The evaluation object is not a workspace object.

• The workspace object has no ITAR licenses attached.

• If ITAR licenses are attached, none of them list both the user and match the category.

INPUT ARGUMENTS
license_category    A string identifying the name of the license category.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.


GOOD RULE PRACTICES
Access control by licenses can be configured based on the license type to vary access at a high level or based on the license name to vary the access at a granular level. Categories offer a way to control access by licenses in between the high and granular levels. They provide a way to have different subtypes of licenses under each type and configure access based on each category.
To learn more about license categories, see Security Administration.
RELATED RULE CONDITIONS
• User Not In Attach ADA Lic of Ctgry

• User Not In Attach IP Lic of Ctgry

• User Not In Attach Excl Lic of Ctgry


USER_TTC_EXPIRED

CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the current date is later than the technology transfer certification
(TTC) date on the User object.
CONDITION EVALUATION
true    If the current date is later than the TTC value on the User object, the condition evaluates to true.
false   If the current date is earlier than the TTC value on the User object, the condition evaluates to false.

Note
If the TTC value on the User object is not entered, the condition evaluates to true.

INPUT ARGUMENTS
Current date    Specifies today's date.
Technology Transfer Certification (TTC) date    Specifies the technology transfer certification date, which is the date when the user's qualification for viewing exporting data marked as government classified lapses.
BUSINESS OBJECT SCOPE
This condition can be used to control access to classified data.
RELATED RULE CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION

• HAS_NO_GOVERNMENT_CLASSIFICATION

• USER_HAS_GOVERNMENT_CLEARANCE

• USER_IS_EXCLUDED
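The attached-license check of USER_IS_ITAR_LICENSED (expiry, direct citation or group membership, and the true/false argument) and the missing-date behaviour of USER_TTC_EXPIRED, as one added example that is not Siemens code. The classes, function names, sample users, licenses and dates are constructed assumptions; the behaviour they encode is the one the two entries above describe.

```python
# Added example (not Siemens code): a model of USER_IS_ITAR_LICENSED and
# USER_TTC_EXPIRED as the reference describes them. Classes, function names and
# the sample users, licenses and dates below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set


@dataclass
class User:
    user_id: str
    groups: Set[str] = field(default_factory=set)
    ttc_date: Optional[date] = None  # technology transfer certification date; None = not entered


@dataclass
class License:
    license_id: str
    kind: str                        # "ITAR", "IP", "Exclude" or "ADA"
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    expiry: Optional[date] = None    # None = never expires


@dataclass
class WorkspaceObject:
    name: str
    licenses: List[License] = field(default_factory=list)  # licenses attached to the object


def license_is_valid(lic: License, today: date) -> bool:
    # Assumption: a license is valid (not expired) through its expiry date inclusive.
    return lic.expiry is None or today <= lic.expiry


def user_cited(user: User, lic: License) -> bool:
    # Cited either directly or by membership in a cited organization (group).
    return user.user_id in lic.users or bool(user.groups & lic.groups)


def user_is_itar_licensed(user: User, obj: WorkspaceObject, argument: bool, today: date) -> bool:
    """USER_IS_ITAR_LICENSED(true|false).

    With the argument set to true the condition holds when the user is cited in any
    valid ITAR license attached to the object; with false, when the user is cited in
    none. Expired licenses and licenses of other kinds are ignored.
    """
    cited = any(lic.kind == "ITAR" and license_is_valid(lic, today) and user_cited(user, lic)
                for lic in obj.licenses)
    return cited if argument else not cited


def user_ttc_expired(user: User, today: date) -> bool:
    """USER_TTC_EXPIRED: true when today is later than the user's TTC date.

    A User with no TTC date entered evaluates to true, as the Note above states, so a
    missing TTC is treated as an expired one rather than as no restriction. The
    reference does not say what happens on the TTC date itself; this model treats
    that day as not yet expired (assumption).
    """
    if user.ttc_date is None:
        return True
    return today > user.ttc_date


# Constructed sample data.
TODAY = date(2019, 6, 1)
ALICE = User("alice", groups={"itar_team"}, ttc_date=date(2020, 1, 1))  # cited via group
BOB = User("bob", ttc_date=None)                                         # cited directly, no TTC entered
CAROL = User("carol", ttc_date=date(2019, 12, 31))                       # cited only on an expired license
ITAR_CURRENT = License("ITAR_A", "ITAR", users={"bob"}, groups={"itar_team"})
ITAR_EXPIRED = License("ITAR_OLD", "ITAR", users={"carol"}, expiry=date(2018, 12, 31))
PART = WorkspaceObject("part-001", licenses=[ITAR_CURRENT, ITAR_EXPIRED])

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.user_id, "ITAR licensed:", user_is_itar_licensed(u, PART, True, TODAY),
              "TTC expired:", user_ttc_expired(u, TODAY))
```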



Appendix D: Information about out-of-the-box rules,
conditions, and operations

Out-of-the-box rules, conditions, and operations that are brought into Access Controls from
Access Manager are explained in detail on the Glossary tab of an Administration Data
Documentation report. You can generate an Administration Data Documentation report using the
generate_admin_data_report utility.
1. Enter the following command:

   generate_admin_data_report -u=admin-username -p=admin-password -g=dba -adminDataTypes=all -outputDir=output-directory-path

2. Browse to the output location and open the index.html file.

3. Click the Access Manager tile.

4. Click the Glossary tab.

Descriptions of conditions, accessor types, and privileges are displayed. Privileges are called Operations in Access Controls.

Name in Access Manager    Name in Access Controls
Has Item ID               Has_Item_ID
Groups with Security      Groups_With_Security
Assign to project         ASSIGN_TO_PROJECT
Example correspondence of control element names in Access Manager and Access Controls



Siemens Industry Software

Headquarters
Granite Park One
5800 Granite Parkway
Suite 600
Plano, TX 75024
USA
+1 972 987 3000

Europe
Stephenson House
Sir William Siemens Square
Frimley, Camberley
Surrey, GU16 8QD
+44 (0) 1276 413200

Asia-Pacific
Suites 4301-4302, 43/F
AIA Kowloon Tower, Landmark East
100 How Ming Street
Kwun Tong, Kowloon
Hong Kong
+852 2230 3308

Americas
Granite Park One
5800 Granite Parkway
Suite 600
Plano, TX 75024
USA
+1 314 264 8499

About Siemens PLM Software

Siemens PLM Software, a business unit of the Siemens Industry Automation Division, is a leading global provider of product lifecycle management (PLM) software and services with 7 million licensed seats and 71,000 customers worldwide. Headquartered in Plano, Texas, Siemens PLM Software works collaboratively with companies to deliver open solutions that help them turn more ideas into successful products. For more information on Siemens PLM Software products and services, visit www.siemens.com/plm.

© 2019 Siemens Product Lifecycle Management Software Inc. Siemens and the Siemens logo are registered trademarks of Siemens AG. D-Cubed, Femap, Geolus, GO PLM, I-deas, Insight, JT, NX, Parasolid, Solid Edge, Teamcenter, Tecnomatix and Velocity Series are trademarks or registered trademarks of Siemens Product Lifecycle Management Software Inc. or its subsidiaries in the United States and in other countries. All other trademarks, registered trademarks or service marks belong to their respective holders.
