Teamcenter 12.2
Access Controls
AW022 • 12.2
When you use Access Controls to manage users' access to your company's data, you can:
• Quickly deactivate and reactivate rules using the Active parameter.
• Control the length of access by creating a condition that determines how long the objects are
accessible.
• Evaluate your security model using the Access tab. This tab allows you to view and filter your
rules to determine who can perform what actions for a role/group/project combination.
After you have installed the application, the ACCESS CONTROLS tile displays on the Active
Workspace home page.
After defining data access, you and your end users can view object permissions for any selected
object from the Access tab. Initially, you must configure the Active Workspace stylesheet to include
the Access tab and set Business Modeler IDE conditions.
Access Controls provides many advantages over Access Manager for managing access to data:
Feature: Simplified access rule model
• Rules are in a flat list, enabling you to focus on a specific rule without the need to consider rule precedence or order of rule evaluation.
• Access is denied by default.
• Use operation groups to grant access to an entire group of actions, achieving simplified rule configuration with fewer rules.
Feature: Simplified administration in the Active Workspace client
Manage rules, conditions, and operation groups in the Active Workspace client. The intuitive interface includes filters to search access rules, so you can analyze your security model faster.
Feature: Create and manage new conditions
Add and manage new conditions using the Active Workspace client.
Feature: Granular and extensible access control
Extend access control using meta model operations, such as Revise, SaveAs, or any custom operation. In addition, you can write your own condition logic to suit your business security needs.
Note
When the number of rules in the database exceeds 100, not all rules may be searchable using Search Filters. Siemens PLM Software recommends that you change the sort order to locate the specific rule.
For this parameter, do this:
Object Type: Select the type of the object for which the rule is valid, for example, Item.
Accessor Type: Select the accessor type, for example, Role_In_Project.
Accessor: If required, select the accessor, for example, Designer in Project1.
Condition: Select the condition, for example, isTrue. If the condition requires an argument, the Condition Argument value must be populated.
Condition Argument: If required, select the condition argument.
Operation: Select the operation or operation group for which the rule is valid, for example, READ. Operations include legacy Access Manager access privileges and Access Controls-enabled meta model operations. An example of an operation group is Author_Group, which may consist of READ, WRITE, DELETE, and DEMOTE.
Category: Select the category of the rule, which is a means of classifying rules.
3. Click Add.
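The rule model described above (a flat rule list with no precedence, access denied by default, operation groups such as Author_Group and Revise_Group, and the Active flag), as an added Python model that is not Siemens code; the condition implementations, the Group and World accessor types, and the sample rules and sessions are constructed for illustration.

```python
"""Added example (not Siemens code) modelling the Access Controls rule semantics:
a flat rule list with no precedence, access denied by default, operation groups
that expand to their member operations (nested groups allowed), and an Active
flag that switches a rule off without deleting it.
The condition implementations, accessor types and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Operation groups as on the page: Author_Group and a combined Revise_Group.
OPERATION_GROUPS: Dict[str, List[str]] = {
    "Author_Group": ["READ", "WRITE", "DELETE", "DEMOTE"],
    "Revise_Group": ["Revise", "fnd0Revise"],
}


def expand_operations(op: str, groups=OPERATION_GROUPS, _path=None) -> Set[str]:
    """Flatten an operation or operation group into the set of operations it names."""
    _path = set() if _path is None else _path
    if op not in groups:
        return {op}                      # a plain operation such as READ
    if op in _path:                      # a group that (transitively) contains itself
        raise ValueError(f"cyclic operation group: {op}")
    _path.add(op)
    result: Set[str] = set()
    for member in groups[op]:
        result |= expand_operations(member, groups, _path)
    _path.discard(op)                    # only the current DFS path is tracked
    return result


@dataclass(frozen=True)
class Session:
    user: str
    group: str
    role: str
    project: Optional[str] = None


@dataclass(frozen=True)
class TargetObject:
    object_type: str
    owning_user: str
    status: str = ""


# Constructed stand-ins for conditions: name -> (session, object, argument) -> bool.
CONDITIONS = {
    "isTrue": lambda s, o, arg: True,
    "Has_Status": lambda s, o, arg: o.status == arg,
    "Owning_User": lambda s, o, arg: o.owning_user == s.user,
}


def accessor_matches(accessor_type: str, accessor: str, session: Session) -> bool:
    """Constructed accessor types; Role_In_Project uses the 'Designer in Project1' form."""
    if accessor_type == "Role_In_Project":
        role, _, project = accessor.partition(" in ")
        return session.role == role and session.project == project
    if accessor_type == "Group":
        return session.group == accessor
    if accessor_type == "World":
        return True
    raise ValueError(f"unknown accessor type: {accessor_type}")


@dataclass
class Rule:
    object_type: str
    accessor_type: str
    accessor: str
    condition: str
    operation: str                      # an operation or an operation group
    condition_argument: Optional[str] = None
    category: str = "General"
    active: bool = True


def is_granted(rules: List[Rule], session: Session, obj: TargetObject, operation: str) -> bool:
    """Deny by default: the operation is granted only if some active rule matches.
    Rules are independent, so their order in the list never changes the outcome."""
    for rule in rules:
        if not rule.active or rule.object_type != obj.object_type:
            continue
        if operation not in expand_operations(rule.operation):
            continue
        if not accessor_matches(rule.accessor_type, rule.accessor, session):
            continue
        if CONDITIONS[rule.condition](session, obj, rule.condition_argument):
            return True
    return False


# Constructed sample rules (the third is deactivated rather than deleted).
SAMPLE_RULES = [
    Rule("Item", "Role_In_Project", "Designer in Project1", "isTrue", "Author_Group"),
    Rule("Item", "Group", "Engineering", "Has_Status", "Revise_Group", condition_argument="Released"),
    Rule("Item", "World", "", "Owning_User", "DELETE", active=False),
]

if __name__ == "__main__":
    ed = Session("ed", "Engineering", "Designer", "Project1")
    bob = Session("bob", "Manufacturing", "Planner")
    draft = TargetObject("Item", owning_user="bob")
    released = TargetObject("Item", owning_user="ann", status="Released")
    for who, obj, op in [(ed, draft, "WRITE"), (ed, draft, "fnd0Revise"),
                         (ed, released, "fnd0Revise"), (bob, draft, "DELETE")]:
        print(who.user, op, "Grant" if is_granted(SAMPLE_RULES, who, obj, op) else "Deny")
```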
Modify a rule
To modify the parameters of a specific rule, do the following:
1. Select the access rule you want to modify.
2. Click Access Rule Information to display the properties of the selected rule.
4. Click Save.
Delete a rule
Caution
If you delete an access rule and it is the only rule granting the specified users access to the specified objects, that access is lost.
Instead, you can set the rule to inactive by clearing the Active checkbox.
There are cases where you may want to delete an Access Controls rule. For example, if you
created a rule and you find you need to make access less restrictive, then you can delete the rule
and create a new one.
1. Select the access rule you want to delete.
Out-of-the-box access conditions are included with Teamcenter. You can add your own access
conditions.
1. In the Access Controls application Condition page, click New > Add Condition to display
the Add panel.
For this parameter, do this:
Name: Type the name of the condition, for example, complex_condition.
Description: (Optional) Type a description of the condition.
Object Type: Select the business object type to which this condition will apply, for example, WorkspaceObject.
Argument Type: (Optional) Select the argument type: String, Integer, Character, Boolean, None.
Argument Type LOV: Select from the list of values what argument value to include in your expression.
Signature: Review the signature resulting from entries for the preceding parameters.
Expression Element: Select Expression 1 to display the Add Expression Element dialog box and enter the expression that this function evaluates. The expression, which evaluates to either true or false, includes equivalence relationships, for example, equals (=), not equals (!=), greater than (>), less than (<), and references to other functions.
4. Using the Add Expression Element dialog box, enter the expression that this function evaluates.
5. Click Add to save the complex condition that you have created.
Modify a condition
4. Click Save.
Delete a condition
Note
You cannot delete a condition that is used by another condition, rule, or operation group.
An operation group is a set of operations or operation groups that share common characteristics.
Grouping operations simplifies rule definition by allowing you to write rules that address an entire set
of user actions. An operation group is identified by a three-gear icon within a folder.
You can view the operations and operation groups using the Access Controls application
Operations page.
You can view these in different views, for example, List with Summary and Images.
In addition to the out-of-the-box operations, you can add your own operation groups.
Note
Currently, Teamcenter supports two types of operations, one for processing single objects
and one for processing multiple objects. Siemens PLM Software recommends grouping
a fnd0Operation and an operation. Use this combined group when defining your rules.
For example:
• Create an operation group, Revise_Group that contains both the Revise and the
fnd0Revise operations.
• Create an operation group, SaveAs_Group that contains both the SaveAs and the
fnd0SaveAs operations.
1. Click New > Add Operation Group to display the Add panel.
3. Click Add.
4. Click Save.
Note
You cannot delete an operation group that is used by another condition or rule.
3. Click Delete.
• Deployment Center
You must use the latest available Deployment Center to install the Access Controls microservice
and dependencies. This centralized web application for deploying software to your Teamcenter
environments simplifies the process of installing software and automates the deployment.
For instructions on using Deployment Center, see the Deployment Center help collection
available on the Siemens PLM Software Doc Center.
• (For migration scenarios only) If you customized Teamcenter Access Manager codefully for custom conditions, accessor types, or privileges, then you need to create the corresponding Access Controls conditions, accessor types, and operations.
Note
For information about versions of operating systems, third-party software, and Teamcenter
software that are certified for your platform, refer to the Teamcenter Software Certifications
section of the hardware and software certifications page on GTAC.
3. Click the SOFTWARE REPOSITORIES tile and verify availability in the software repository of the
Teamcenter Foundation, Active Workspace, and the Microservice Framework software kits.
For more information about Microservice Framework, see the Deployment Center Guide.
4. From the Deployment Center home page, click the ENVIRONMENTS tile to display the
environments in Deployment Center. Select the environment on which to install Access Controls.
Note
• In case you are creating a new environment, click the Add button on the
Environments page.
a. In the Software task, select Active Workspace, Foundation, and Microservice Framework
from the Available Software list.
b. Click Update Selected Software to add them to the Selected Software list.
6. In the Options task, select the Distributed environment type and either the Java EE (default) or
the .NET architecture type. Click Save Environment Options.
Note
If you are installing on a Windows platform, you can select the Single Box environment
type.
7. In the Applications task, click Edit Selected Applications to open the Available
Applications list.
a. From the Available Applications list, select Access Controls and click Update Selected
Applications.
b. From the Selected Applications list, verify you have selected the applications you wish
to install.
8. Click Go to Components to display the Components task. Start configuring the individual
components and bring each component to a 100% complete status by supplying the required
settings for each.
While supplying settings, record values, such as installation paths, user names, and passwords,
for later reference.
• The following details are for configuring the Corporate Server component. When finished,
click Save Component Settings.
Note
Selecting this option runs the migrate_am_rules script, which
is located in the TC_ROOT /bin directory. It also creates
two additional scripts that you can use later in the migration
process: load_migrated_am_rules and regen_ac_ops.
• The following details are for configuring the Microservice Node component. When finished,
click Save Component Settings.
Note
For information about configuring the Microservice Node component, refer to the
Microservice Framework documentation in the Deployment Center Guide.
9. Once the configuration displays 100% complete in the Selected Components list, click Go to
Deploy to generate the install scripts.
10. In the Deploy task, click Generate Install Scripts to generate all the scripts necessary to install
the Teamcenter Active Workspace client and the microservice to your selected environment.
11. Copy the scripts to the target machine and run the scripts.
You must perform the following in particular for the microservice script:
a. Run the deployment script for the Access Controls microservice. As part of the microservice
Deployment Center deployment scripts, a microservice framework utility is invoked
to create signer_config information for both the microservice and the web tier. The
output of this utility puts files required by the web tier installation in the following location:
microservice-install-dir/web_tier/signer_config.
b. As instructed by the deployment script, copy the signer_config directory to the root of the
Deployment Center installation folder of the web tier host machine.
Tip
As part of the Access Controls Admin Microservice deployment, Deployment Center looks up the Teamcenter database IP address so that the microservice can communicate with the database. In complex network situations, this lookup may fail. The IP address is stored in the Environment section of the access_controls-version.yml file as the setting -Doar.tc.db.server=IP-address. If this setting is not correct, update it with the correct IP address of the Teamcenter database.
c. Run the following commands, where my_stack represents the name assigned to the Docker
stack. You can choose any meaningful name; however, the same name must be used for
both commands. This name can be used to stop and control the stack.
To confirm these three containers are running, use the docker ps command. If you configured
Docker to start when the system boots, the most recently deployed Docker stack is deployed
automatically at that time.
After issuing these Access Controls microservice commands, it can take a minute or two for the
Access Controls microservice to become available.
You can stop the Access Controls microservice using the docker stack rm my_stack command.
Example
ac_data_loader -u=acadmin
-pf=C:\PROGRA~1\Siemens\TEAMCE~1\security\myenv_acadmin.pwf
-g=dba -msUrl=http://dockerhost:9090/acadmin/v1/general/regenerate
Example
The following command migrates Access Manager rules, including workflow and object
ACL references, into Access Controls rules. The new Access Controls rules are in the
ac_rules.txt under the output directory. The new Access Controls functions are in the
ac_functions.txt file under the output directory.
am2ac_rule_converter -u=acadmin -p=pw_acadmin -g=dba
-outputDir=output-directory -format=CSV -rule_category=all
-honor_am_default_grant=true
-add_mm_operation_rule=true -generate_report=true
Siemens PLM Software provides the migrate_am_rules script in the TC_ROOT /bin directory
if you migrate your rules manually.
This utility produces a migration report, am2ac_migration_report.
Your migration report shows how the Access Manager rules are migrated into Access Controls
rules. The AM rule tree is displayed on the left side; migrated Access Controls rules, Access
Controls conditions, and accessor types are displayed on the right side. The report also shows
how each individual Access Manager rule is converted into Access Controls rules. Each
granting rule is converted into one or more Access Controls rules. Each deny rule, if needed, is
incorporated into the condition expression of Access Controls rules from subsequent AM rules.
If there is no granting Access Manager rule from an ACL table, there is no Access Controls
rule generated from the Access Manager rule.
Example
If you click on an access control list (ACL) name, for example, Signoff (Index 29), the
Access Controls entries are displayed on the right side of the report. The Access
Controls Entries table contains the list of accessors and the privileges granted,
denied, or not set for each accessor. The Access Controls rules and referenced
conditions that are created from this Access Manager rule are displayed below the
Access Controls Entries table.
Notice that Signoff has five operation access rules that were created and two
referenced conditions.
2. Review your created Access Controls rules, conditions, and accessor types.
Use the right-hand side of your migration report, Access Controls: Rules, to view
the Access Controls rules, conditions, and accessor types that were generated by the
am2ac_rule_converter utility.
3. Use the microservice utility, ac_data_loader, to load your default functions and your custom
functions and rules into the database.
Siemens PLM Software provides the load_migrated_am_rules script in the TC_ROOT /bin
directory if you need to run this to manually migrate your rules.
To load your custom rules and functions, run the following command:
Note
• Obtain the microservicesURL value from the Microservice component in
Deployment Center. For example:
-msUrl=http://host:port/oaradmin/v1/general/regenerate
• If you experience difficulty with your migration and need to regenerate, use the
regen_ac_ops script in the TC_ROOT /bin directory.
Before releasing Teamcenter into production, it is a best practice to test access rules. This ensures
users have access to data and are able to perform tasks. It also ensures no users are granted access
to data or can perform a task that they should not perform.
You can use the am_rule_test_harness utility to search for specified objects and evaluate whether
operations are granted or denied for a given user, group, and role combination.
1. Define the search criteria in a test input XML file, which specifies the user, group, role
combination, project, and object. This is followed by the operations, for example, READ, WRITE,
and DELETE, and the expected result (Grant or Deny).
Note
• The format for the search criteria is:
className{attrib1=value1,attrib2=value2...}
• Only single-value attributes, including those from parent classes, are supported.
• The following special characters cannot be used in class name, attribute name, or attribute value: { } =,.
• The attribute value for a date range must be in the following format:
creation_date="start-date to end-date"
• For the input XML file, the user_id, group, and role values are mandatory. Only the project value is optional.
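A parser and matcher for the search-criteria format described in the note above, added here as an illustration and not part of the am_rule_test_harness utility. It assumes the forbidden characters are { } = and , (reading the trailing period as sentence punctuation), that dates in a range are written as ISO YYYY-MM-DD, that the range is inclusive, and it uses constructed object records; resolution of parent-class attributes is not modelled.

```python
"""Added example (not a Siemens utility): parses className{attrib=value,...}
search criteria as documented for am_rule_test_harness, enforces the documented
restrictions, and applies the criteria to constructed object records.
Assumptions: forbidden characters are { } = , ; date ranges use ISO dates and
are inclusive; a record carries its class under the key 'class'."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple, Union

FORBIDDEN = set("{}=,")
CRITERIA_RE = re.compile(r"^(?P<cls>[^{}=,\s]+)\{(?P<body>.*)\}$")
DATE_RANGE_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})"$')

Value = Union[str, Tuple[date, date]]


@dataclass(frozen=True)
class SearchCriteria:
    class_name: str
    attributes: Dict[str, Value] = field(default_factory=dict)


def _check_chars(kind: str, text: str) -> None:
    bad = sorted(set(text) & FORBIDDEN)
    if bad:
        raise ValueError(f"{kind} {text!r} contains forbidden character(s) {bad}")


def parse_search_criteria(text: str) -> SearchCriteria:
    """Parse one search-criteria string into its class name and attribute filters."""
    m = CRITERIA_RE.match(text.strip())
    if not m:
        raise ValueError(f"not of the form className{{attrib=value,...}}: {text!r}")
    class_name, body = m.group("cls"), m.group("body").strip()
    attributes: Dict[str, Value] = {}
    if body:
        for pair in body.split(","):      # a comma can only separate pairs
            name, sep, value = pair.partition("=")
            name, value = name.strip(), value.strip()
            if not sep or not name or not value:
                raise ValueError(f"expected attribute=value, got {pair!r}")
            _check_chars("attribute name", name)
            if value.startswith('"'):     # a quoted value is a date range (assumption)
                dm = DATE_RANGE_RE.match(value)
                if not dm:
                    raise ValueError(f'date range must be "start-date to end-date": {value!r}')
                start, end = date.fromisoformat(dm.group(1)), date.fromisoformat(dm.group(2))
                if end < start:
                    raise ValueError(f"date range ends before it starts: {value!r}")
                attributes[name] = (start, end)
            else:
                _check_chars("attribute value", value)
                attributes[name] = value
    return SearchCriteria(class_name, attributes)


def matches(criteria: SearchCriteria, obj: Dict[str, object]) -> bool:
    """True when a constructed object record satisfies every attribute filter."""
    if obj.get("class") != criteria.class_name:
        return False
    for name, wanted in criteria.attributes.items():
        actual = obj.get(name)
        if isinstance(wanted, tuple):
            if not isinstance(actual, date) or not (wanted[0] <= actual <= wanted[1]):
                return False
        elif actual != wanted:
            return False
    return True


# Constructed sample records: in range, out of range, and wrong class.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"class": "ItemRevision", "item_revision_id": "A", "creation_date": date(2024, 2, 15)},
    {"class": "ItemRevision", "item_revision_id": "A", "creation_date": date(2024, 4, 1)},
    {"class": "Item", "item_revision_id": "A", "creation_date": date(2024, 2, 15)},
]

if __name__ == "__main__":
    crit = parse_search_criteria(
        'ItemRevision{item_revision_id=A,creation_date="2024-01-01 to 2024-03-31"}')
    print(crit)
    print([matches(crit, rec) for rec in SAMPLE_RECORDS])
```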
Example
Your test input file will resemble the following:
5. Analyze the generated output report Access Controls Rules: Operation Test Results.
If the report indicates that corrections need to be made, correct the rules and rerun the
am_rule_test_harness utility.
Example
In the following example report, two operation tests failed. Select one of the failed tests
to see the detailed status showing the reason the test failed.
Note
The ACCESS tab is not enabled by default. For instructions on enabling the Access
tab, see Adding the Access tab.
Example
In this example, user Ed can view his access rights and associated rules for his role as
designer in the Engineering group working on a passenger aircraft project. Here Ed can
see what rule grants him copy privileges for item revisions on which he is working.
Example
For an item revision, the default summary style sheet is Awp0ItemRevSummary.
Example
• To keep indexing the newly created/modified objects with an interval of 120 seconds:
runTcFTSIndexer.bat -task=objdata:sync -interval=120
If you customized Teamcenter Access Manager codefully for custom conditions, accessor types, or
privileges, you can migrate these customizations to Access Controls with minimal effort.
1. Identify existing custom conditions and accessor types.
If you are aware of existing custom Access Manager (AM) conditions and accessor types in your
system, you can proceed to add them into Access Controls conditions and accessor types. The
migration process identifies any non-identified custom AM conditions and accessor types, and
allows you to list them for migration.
2. Add custom conditions and accessor types as base Access Controls functions.
For each identified custom condition and accessor type, add an entry to the Base Access
Controls Functions file, TC_DATA/base_oar_functions.txt. Following are example entries.
# Access Controls Function for an AM Condition that took an argument
0|0|OAR_Function_Name|_evaluate_am_condition('custom_am_condition_name', ARG_1)|1||Target Data|target_object_type|description
# Access Controls Function for an AM Accessor Type that took an argument
0|0|OAR_Function_Name|_evaluate_am_accessor('custom_am_accessor_type_name', ARG_1)|1||User Session|target_object_type|description
# Access Controls Function for an AM Condition that did not take an argument
0|0|OAR_Function_Name|_evaluate_am_condition('custom_am_condition_name')|0||Target Data|target_object_type|description
# Access Controls Function for an AM Accessor Type that did not take an argument
0|0|OAR_Function_Name|_evaluate_am_accessor('custom_am_accessor_type_name')|0||User Session|target_object_type|description
For more details on the field mapping in this file, check the header row.
After running the am2ac_rule_converter migration utility, you can review the migrated Access
Controls rules using the migration report.
Since prior Access Manager deny rules are honored through negation clauses in Access Controls
rules, Access Controls conditions could be complicated. If a condition expression has a primary
non-negation clause and a negation clause, and the primary non-negation clause and negation
clause are mutually exclusive, then you can remove the negation clause without compromising
the access rule.
Example
Consider the condition expression Has_Status('') AND !(Has_Class('SavedSearch')). If Has_Status('') is true for a target object, Has_Class('SavedSearch') must be false for the same object. Therefore, Has_Status('') and Has_Class('SavedSearch') are mutually exclusive. To simplify the expression without compromising the access rule, you can remove !(Has_Class('SavedSearch')) from the expression.
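The simplification described in the example above, as added Python that is not Siemens code: it drops a negation clause whose function is mutually exclusive with a positive clause of the same expression, then confirms by exhaustive evaluation that the reduced expression agrees with the original wherever the exclusion holds. The clause grammar (clauses joined by AND, each Func('arg') or !(Func('arg'))) and the in-memory form of the mutual-exclusion relations are assumptions; the page stores those relations in am_condition_information.xml, whose format it does not show.

```python
"""Added example (not Siemens code): simplify a migrated Access Controls
condition expression by removing negation clauses made redundant by a
mutually exclusive positive clause, and verify the result exhaustively.
Assumed grammar: clauses joined by AND; a clause is Func('arg') or !(Func('arg')).
Mutual exclusions are held in memory as sets of two function-call strings."""
import re
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

CALL_RE = re.compile(r"[A-Za-z_]\w*\((?:'[^']*'(?:\s*,\s*'[^']*')*)?\)")
Clause = Tuple[bool, str]           # (negated?, function call text)


def parse_clause(text: str) -> Clause:
    text = text.strip()
    negated = text.startswith("!(") and text.endswith(")")
    if negated:
        text = text[2:-1].strip()
    if not CALL_RE.fullmatch(text):
        raise ValueError(f"not a function call: {text!r}")
    return negated, text


def parse_conjunction(expr: str) -> List[Clause]:
    """Split 'A AND !(B) AND C' into clauses; nested parentheses are not modelled."""
    return [parse_clause(p) for p in re.split(r"\s+AND\s+", expr.strip())]


def unparse(clauses: List[Clause]) -> str:
    return " AND ".join(f"!({call})" if neg else call for neg, call in clauses)


def simplify(expr: str, exclusions: Set[FrozenSet[str]]) -> str:
    """Remove each negation clause !(X) when some positive clause P in the same
    expression is mutually exclusive with X: P being true already forces X false."""
    clauses = parse_conjunction(expr)
    positives = {call for neg, call in clauses if not neg}
    kept = [(neg, call) for neg, call in clauses
            if not (neg and any(frozenset((p, call)) in exclusions for p in positives))]
    return unparse(kept)


def _evaluate(clauses: List[Clause], truth: Dict[str, bool]) -> bool:
    # A clause holds when its call's truth value differs from its negation flag.
    return all(truth[call] != neg for neg, call in clauses)


def equivalent_under_exclusions(expr_a: str, expr_b: str,
                                exclusions: Set[FrozenSet[str]]) -> bool:
    """Compare both expressions over every assignment of their function calls
    that does not make two mutually exclusive calls true at the same time."""
    ca, cb = parse_conjunction(expr_a), parse_conjunction(expr_b)
    calls = sorted({c for _, c in ca} | {c for _, c in cb})
    for values in product((False, True), repeat=len(calls)):
        truth = dict(zip(calls, values))
        if any(all(truth.get(c, False) for c in pair) for pair in exclusions):
            continue                    # world ruled out by a mutual-exclusion relation
        if _evaluate(ca, truth) != _evaluate(cb, truth):
            return False
    return True


# The mutual-exclusion relation from the page's own example.
EXCLUSIONS = {frozenset(("Has_Status('')", "Has_Class('SavedSearch')"))}

if __name__ == "__main__":
    original = "Has_Status('') AND !(Has_Class('SavedSearch'))"
    reduced = simplify(original, EXCLUSIONS)
    print(original, "->", reduced)
    print("equivalent given the exclusion:", equivalent_under_exclusions(original, reduced, EXCLUSIONS))
    print("equivalent without it:", equivalent_under_exclusions(original, reduced, set()))
```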
3. Add the mutually exclusive relations to the am_condition_information.xml file under $TC_DATA.
Condition Description
Administrative
HAS_BYPASS: Specifies whether the user has bypass privileges set. Bypass privilege supersedes other privileges.
General
HAS_ATTRIBUTE: Specifies an attribute and value associated with a particular class.
HAS_CLASS: Specifies an object class. The object is evaluated to determine if it is of the specified class.
HAS_CLASSIFICATION: Validates the custom classification attribute value of the object against the value specified for the condition.
HAS_DESCRIPTION: Specifies a description for the object. The object is evaluated to determine whether the description matches this value.
HAS_DIGITAL_SIGNATURE: Specifies whether a business object has a digital signature of the specified status.
HAS_FORM_ATTRIBUTE: Enables access control of items and item revisions by setting conditions on attributes of the Masterform class.
HAS_ITEM_ID: Specifies an item ID against which the item is evaluated.
HAS_ITEM_KEY: Specifies a multifield key identifier against which the item is evaluated.
HAS_NAME: Specifies a name against which the object is evaluated.
HAS_OBJECT_ACL: Specifies that an ACL is associated with an object. This condition does not expect an ACL attached to a rule. It is a placeholder that indicates the point at which process ACLs and object ACLs are applied in the rule tree hierarchy.
HAS_PROPERTY: Specifies the value of a compound property against which an object is evaluated.
HAS_STATUS: Specifies the status type against which the object is evaluated.
HAS_TYPE: Specifies the object type against which the object is evaluated.
INACTIVE_SEQUENCE: Specifies that previous sequences are historical and cannot be worked on independently. The latest sequence is always the working sequence for the revision.
Note
This condition is used in conjunction with the Inactive Sequence Objects ACL.
IN_JOB: Specifies whether the target object is in a workflow job (process). This condition does not expect an ACL attached to a rule. It is a placeholder that indicates the point at which workflow ACLs are applied in the rule tree hierarchy.
Note
No subbranches can be added below the In Job branch in the Access Manager rule tree.
IS_LOCAL: Specifies whether the object's residence in the local database is evaluated. This condition is used when Multi-Site Collaboration is implemented.
IS_SPONSORED_MODE: Checks whether the Teamcenter session is in sponsored mode. It enables end users to configure rules to enforce data access control when the Teamcenter session is launched in sponsored mode.
SITE_GEOGRAPHY: Checks whether the given geography matches the geography of the site being evaluated.
USER_HAS_DIGITAL_SIGNATURE: Specifies whether a business object has a digital signature of the specified status in the context of the logged-on user.
Ownership/Accessor based
CURRENT_GROUP_IS: Checks the current logged-on group that is set in the session. It enables end users to configure access rules for the Sponsor group.
IS_GA: Specifies whether the user's status as a group administrator in the current group is evaluated.
IS_SA: Specifies whether the user's system administration group membership is evaluated.
OWNING_GROUP: Evaluates whether the object is owned by the group under which the user is logged on to Teamcenter.
OWNING_GROUP_HAS_SECURITY: Evaluates whether the owning group of the object has a security string. This condition is true only if the security value of the owning group is equal to the value of this condition.
OWNING_SITE: Evaluates whether the object is owned by the specified site. This condition is used when Multi-Site Collaboration is implemented.
OWNING_USER: Evaluates whether the object is owned by the specified user.
Incremental Change
IN_IC_CONTEXT: Enables structure edits (occurrence edits, occurrence notes, transform edits, and attachment edits) to be controlled by the Structure Manager, Manufacturing Process Planner, Multi-Structure Manager, or Part Planner application.
Project
IN_CURRENT_PROJECT: Specifies the project ID against which the object is evaluated.
Note
This rule is not delivered with the default installation of Teamcenter. It must be added manually.
ADA license
CITIZENSHIP_ON_ANY_ADA_LIC: Checks whether the citizenship of the user being evaluated matches any of the citizenships applied to the ADA licenses attached to the workspace objects.
HAS_ADA_LICENSE_OF_CATEGORY: Checks whether the workspace object being evaluated has any ADA license of the given category.
HAS_NAMED_ADA_LICENSE: Checks whether a specific ADA license is attached to the workspace objects being evaluated.
USER_IN_ATTACH_ADA_LIC_OF_CTGRY: Checks whether the user being evaluated is listed in the ADA license attached to the workspace objects. The given category must match that on the ADA license.
USER_IN_ATTACHED_LICENSE: Checks whether the user being evaluated is listed on any or all of the ADA licenses attached to the workspace objects.
USER_IN_LICENSE: Verifies that the user being evaluated is listed in the ADA license.
USER_IN_NAMED_LICENSE: Checks whether the user being evaluated is listed on an ADA license of the specified name. It does not check if the license is attached to the workspace objects being evaluated.
USER-ADA_LIC_HAS_CITIZENSHIP: Checks whether the user's citizenship matches the passed-in value and then sees if the user's citizenship is on any of the ADA licenses attached to the workspace object being evaluated.
International Traffic in Arms Regulations (ITAR)
CITIZENSHIP_ON_ANY_ITAR_LIC: Checks whether a citizenship of the user being evaluated matches any of the citizenships applied to the ITAR licenses attached to the workspace objects.
GROUP_NATIONALITY: Checks whether the given nationality matches the group nationality.
HAS_GOVERNMENT_CLASSIFICATION: Validates the government classification attribute value of the workspace object against the value specified for the condition.
HAS_ITAR_LICENSE_OF_CATEGORY: Checks whether the workspace object being evaluated has any ITAR license of the given category.
HAS_NAMED_ITAR_LICENSE: Checks whether a specific ITAR license is attached to the workspace objects being evaluated.
HAS_NO_GOVERNMENT_CLASSIFICATION: Checks if there is no government classification value on the workspace object.
ITAR_LICENSE_HAS_CITIZENSHIP: Checks whether the ITAR license being evaluated has the given citizenship.
SITE_GEOGRAPHY: Checks whether the given geography matches the geography of the site being evaluated.
USER_CITIZENSHIP: Checks whether the given citizenship matches the citizenships of the user being evaluated.
USER_CITIZENSHIP_OR_NATIONALITY: Checks whether the given citizenship matches the citizenship or nationality of the user being evaluated.
USER_GEOGRAPHY: Checks whether the given geography matches the geography of the user being evaluated.
USER_HAS_GOVERNMENT_CLEARANCE: Checks whether the government classification level of the user being evaluated is equal to, greater than, or less than the value specified in the condition.
USER_IN_ATTACH_ITAR_LIC_OF_CTGRY: Checks whether the user being evaluated is listed in the ITAR licenses attached to the workspace objects. The given category must match that on the ITAR license.
USER_IN_ATTACHED_ITAR_LICENSE: Checks whether the user being evaluated is listed on any or all of the ITAR licenses attached to the workspace objects.
USER_IN_NAMED_ITAR_LICENSE: Checks whether the user being evaluated is listed on an ITAR license of the specified name. It does not check if the license is attached to the workspace objects being evaluated.
USER_IS_ITAR_LICENSED: Checks whether the user currently logged on is cited in a valid (not expired) ITAR license attached to the workspace object either directly or by membership in a cited organization (group).
USER_NATIONALITY: Checks whether the given nationality matches the nationality of the user being evaluated.
USER_TTC_EXPIRED: Checks whether the current date is later than the technology transfer certification (TTC) date on the User object.
USER-ITAR_LIC_HAS_CITIZENSHIP: Checks whether the user's citizenship matches the passed-in value and then sees if the user's citizenship is on any of the ITAR licenses attached to the workspace object being evaluated.
Intellectual property (IP) license
CITIZENSHIP_ON_ANY_IP_LIC: Checks whether the citizenship of the user being evaluated matches any of the citizenships applied to the IP licenses attached to the workspace objects.
HAS_IP_CLASSIFICATION: Checks whether the IP classification of the workspace object being evaluated is equal to, greater than, or less than the value specified in the condition.
HAS_IP_LICENSE_OF_CATEGORY: Checks whether the workspace object being evaluated has any IP license of the given category.
HAS_NAMED_IP_LICENSE: Checks whether a specific IP license is attached to the workspace objects being evaluated.
HAS_NO_IP_CLASSIFICATION: Checks whether the workspace object does not have a value specified in the IP classification attribute.
IP_LICENSE_HAS_CITIZENSHIP: Checks whether the IP license being evaluated has the given citizenship.
USER_HAS_IP_CLEARANCE: Checks whether the IP clearance level of the user being evaluated is equal to, greater than, or less than the value specified in the condition.
USER_IN_ATTACH_IP_LIC_OF_CTGRY: Checks whether the user being evaluated is listed in the IP license attached to the workspace objects. The given category must match that on the IP license.
USER_IN_ATTACHED_IP_LICENSE: Checks whether the user being evaluated is listed on any or all of the IP licenses attached to the workspace objects.
USER_IN_NAMED_IP_LICENSE: Checks whether the user being evaluated is listed on an IP license of the specified name. It does not check if the license is attached to the workspace objects being evaluated.
USER_IS_IP_LICENSED: Checks whether the user being evaluated is listed on an IP license attached to the workspace object.
USER-IP_LIC_HAS_CITIZENSHIP: Checks whether the user's citizenship matches the passed-in value and then sees if the user's citizenship is on any of the IP licenses attached to the workspace object being evaluated.
Exclude licenses
CITIZENSHIP_ON_ANY_EXCLUDE_LIC: Checks whether the citizenship of the user being evaluated matches any of the citizenships applied to the exclude licenses attached to the workspace objects.
EXCLUDE_LICENSE_HAS_CITIZENSHIP: Checks whether the exclude license being evaluated has the given citizenship.
HAS_EXCLUDE_LICENSE_OF_CATEGORY: Checks whether the workspace object being evaluated has any exclude license of the given category.
HAS_NAMED_EXCLUDE_LICENSE: Checks whether a specific exclude license is attached to the workspace objects being evaluated.
USER_IN_ATTACH_EXCL_LIC_OF_CTGRY: Checks whether the user being evaluated is listed in the exclude license attached to the workspace objects. The given category must match that on the exclude license.
USER_IN_ATTACHED_EXCLUDE_LICENSE: Checks whether the user being evaluated is listed on any or all of the exclude licenses attached to the workspace objects.
USER_IN_NAMED_EXCLUDE_LICENSE: Checks whether the user being evaluated is listed on an exclude license of the specified name. It does not check if the license is attached to the workspace objects being evaluated.
USER_IS_EXCLUDED: Checks whether the user being evaluated is listed on an exclude license attached to the workspace object.
USER-EXCLUDE_LIC_HAS_CITIZENSHIP: Checks whether the user's citizenship matches the passed-in value and then sees if the user's citizenship is on any of the exclude licenses attached to the workspace object being evaluated.
ADA_LICENSE_HAS_CITIZENSHIP
CATEGORY
License by Category
DESCRIPTION
Checks whether the ADA license being evaluated has the given citizenship.
Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.
CONDITION
EVALUATION
true If any of the citizenships of the ADA license being evaluated
match the specified citizenship, the condition evaluates to true.
false If none of the citizenships of the ADA license being evaluated
match the specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
(Custom License:citizenship)  Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
CITIZENSHIP_ON_ANY_ADA_LIC
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether any or all of the citizenships of the user being evaluated match any
of the citizenships on the ADA licenses attached to the workspace objects.
Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if any
citizenship of the user being evaluated matches the user
citizenships applied to any nonexpired ADA licenses
attached to the workspace object being evaluated.
INPUT
ARGUMENTS
• Any
• All
• (Custom License:{Any|All})
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
RELATED
RULE
CONDITIONS
• CITIZENSHIP_ON_ANY_EXCLUDE_LIC
• CITIZENSHIP_ON_ANY_IP_LIC
• CITIZENSHIP_ON_ANY_ITAR_LIC
CITIZENSHIP_ON_ANY_EXCLUDE_LIC
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the citizenship of the user being evaluated matches any of the
citizenships applied to the exclude licenses attached to the workspace objects.
Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if any
citizenship of the user being evaluated matches the user
citizenships applied to any of the nonexpired exclude
licenses attached to the workspace object being evaluated.
RELATED
RULE
CONDITIONS
• CITIZENSHIP_ON_ANY_IP_LIC
• CITIZENSHIP_ON_ANY_ITAR_LIC
CITIZENSHIP_ON_ANY_IP_LIC
CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks whether any or all of the citizenships of the user being evaluated match any
of the citizenships on the IP licenses attached to the workspace objects.
Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if any
citizenship of the user being evaluated matches the user
citizenships applied to any of the nonexpired IP licenses
attached to the workspace objects.
RELATED
RULE
CONDITIONS
• CITIZENSHIP_ON_ANY_EXCLUDE_LIC
• CITIZENSHIP_ON_ANY_ITAR_LIC
CITIZENSHIP_ON_ANY_ITAR_LIC
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether a citizenship of the user being evaluated matches any of the
citizenships applied to the ITAR licenses attached to the workspace objects.
Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if any
citizenship of the user being evaluated matches the user
citizenships applied to any of the nonexpired ITAR licenses
attached to the workspace objects.
INPUT
ARGUMENTS
Any or All
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
RELATED
RULE
CONDITIONS
• CITIZENSHIP_ON_ANY_ADA_LIC
• CITIZENSHIP_ON_ANY_EXCLUDE_LIC
• CITIZENSHIP_ON_ANY_IP_LIC
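The four CITIZENSHIP_ON_ANY_*_LIC conditions above, and the *_LICENSE_HAS_CITIZENSHIP conditions elsewhere in this list, share two details that the descriptions state only briefly: expired licenses are ignored, and a citizenship argument may be negated with a minus prefix. The following Python model is an added example written for this page, not Teamcenter code. The License record, its expired flag, the function names, and the reading of the All argument (every citizenship of the user must appear on some nonexpired attached license) are assumptions made here, since the page spells out only the Any case.

```python
"""Model of the citizenship-based rule conditions (added example, not
Teamcenter code). License records, the expired flag and the function names
are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class License:
    """Constructed stand-in for an ADA, ITAR, IP or exclude license."""
    license_id: str
    citizenships: frozenset      # ISO 3166 alpha-2 codes, e.g. {"DE", "FR"}
    expired: bool = False        # the real product checks an expiry date


def _normalize(code: str) -> str:
    return code.strip().upper()


def license_has_citizenship(lic: License, citizenship_arg: str) -> bool:
    """*_LICENSE_HAS_CITIZENSHIP.

    True when the license carries the given citizenship. A leading minus
    (ASCII '-' or the en dash the documentation prints) negates the test:
    "-IR" is satisfied only when IR is NOT on the license.
    """
    arg = citizenship_arg.strip()
    negate = arg.startswith(("-", "\u2013"))
    code = _normalize(arg[1:] if negate else arg)
    if len(code) != 2 or not code.isalpha():
        raise ValueError(f"not a two-letter ISO 3166 code: {citizenship_arg!r}")
    present = code in lic.citizenships
    return not present if negate else present


def citizenship_on_any_license(user_citizenships: Iterable[str],
                               attached: Iterable[License],
                               mode: str = "Any") -> bool:
    """CITIZENSHIP_ON_ANY_*_LIC with its Any/All argument.

    Only nonexpired attached licenses count, as the condition text says.
    Any: at least one of the user's citizenships is on some live license.
    All: every one of the user's citizenships is on some live license
         (assumed reading; the page describes only the Any case).
    A user with no citizenship at all never matches, so All cannot be
    satisfied vacuously.
    """
    user = {_normalize(c) for c in user_citizenships}
    if not user:
        return False
    covered = set()
    for lic in attached:
        if not lic.expired:
            covered |= set(lic.citizenships)
    selector = mode.strip().lower()
    if selector == "any":
        return bool(user & covered)
    if selector == "all":
        return user <= covered
    raise ValueError(f"mode must be 'Any' or 'All', got {mode!r}")


# Constructed sample data: one live ITAR license, one expired one.
LIVE_LICENSE = License("ITAR001", frozenset({"DE", "FR"}))
EXPIRED_LICENSE = License("ITAR002", frozenset({"IR"}), expired=True)

if __name__ == "__main__":
    # A dual DE/IR citizen passes Any (DE is on the live license) but not All
    # (IR is only on the expired license, which is ignored).
    print(citizenship_on_any_license({"DE", "IR"}, [LIVE_LICENSE, EXPIRED_LICENSE], "Any"))
    print(citizenship_on_any_license({"DE", "IR"}, [LIVE_LICENSE, EXPIRED_LICENSE], "All"))
    print(license_has_citizenship(LIVE_LICENSE, "-IR"))
```

The expired-license check is the part most worth carrying into any audit of a live configuration: a user whose only matching citizenship sits on a lapsed license is denied, which is the intended fail-closed behaviour.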
CURRENT_GROUP_IS
CATEGORY
General
DESCRIPTION
Checks the current logged-on group that is set in the session. It enables end users to
configure access rules for the Sponsor group.
Note
This condition applies to the current logged-on user only. This does not
apply to a given user and group that are different from the logged-on user
group.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_SPONSORED_MODE
EXCLUDE_LICENSE_HAS_CITIZENSHIP
CATEGORY
License by Category
DESCRIPTION
Checks whether the exclude license being evaluated has the given citizenship.
Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.
CONDITION
EVALUATION
true If any of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to true.
false If none of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
GROUP_NATIONALITY
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given nationality matches the group nationality.
INPUT
ARGUMENTS
nationality Two-character ISO 3166 codes identifying the nationality of the
group or organization.
This condition accepts negation using a minus (–) prefix. For
example, –us indicates any user belonging to a group not from
the U.S.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to classified data.
RELATED
RULE
CONDITIONS
• USER_NATIONALITY
HAS_ADA_LICENSE_OF_CATEGORY
CATEGORY
License by Category
DESCRIPTION
Checks if any type of Authorized Data Access (ADA) license with the specified
category is attached to the workspace object being evaluated.
CONDITION
EVALUATION
true If there is any type of ADA license with the specified category
attached to the workspace object, this condition evaluates to
true.
false If there is no ADA license with the specified category or if the
license exists but is not attached to the workspace object, the
condition evaluates to false.
INPUT
ARGUMENTS
(Custom A string identifying the category of the license.
License:license_category)
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• HAS_EXCLUDE_LICENSE_OF_CATEGORY
• HAS_IP_LICENSE_OF_CATEGORY
• HAS_ITAR_LICENSE_OF_CATEGORY
HAS_ATTRIBUTE
CATEGORY
Default
DESCRIPTION
Specifies an attribute and value associated with a particular class. The given attribute
should be a valid persistent attribute on the given class.
CONDITION
EVALUATION
If the given attribute does not exist on the class, the rule tree evaluates to false.
INPUT
ARGUMENTS
class:attribute=value
Note
This condition supports the != comparator. If != is used with the Has
Attribute rule tree condition, the condition evaluates to true if the value of
the specified attribute on the object under evaluation is not equal to the
value specified on the righthand side of the != comparator. It does not support
any other comparator, such as <, >, <=, or >=.
class The class of the object for which you set the rule.
attribute The attribute of the class. Supported attribute types include:
• POM_string (string)
• POM_int (integer)
• POM_float (float)
• POM_logical (logical)
• POM_untyped_reference (reference)
• POM_external_reference (reference)
• POM_typed_reference (reference)
value The value for which the attribute is evaluated. value can contain
wild cards.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• All subtypes of POM_object
EXAMPLE
The following shows how to use the Has Attribute condition with single-tag reference
attributes, in this case, owning_organization and owning_project:
The following example shows how to use the Has Attribute condition with a string
attribute:
Has Attribute(Item:object_name=test*)
The following example shows how to use the Has Attribute condition with a reference
attribute:
Has Attribute(Item:owning_organization=1)
• A value of 1 in the argument indicates that the condition expects the attribute
value to be a nonnull (nonzero) value.
• A value of 0 in the argument indicates that the condition expects the attribute
value to be a null_tag value.
The following example shows how to use the Has Attribute condition with an integer
attribute:
Has Attribute(WorkspaceObject:revision_number=2)
BEST
PRACTICES
FOR RULES
• All the strings used in the rule tree are internal values.
• References can only be checked for a null_tag (0) or nonnull (nonzero) value.
• Has Attribute supports only single value attributes. Attributes with variable-length
arrays (VLAs) are not supported.
RELATED
RULE
CONDITIONS
• HAS_TYPE
• HAS_PROPERTY
HAS_BYPASS
CATEGORY
Administrative
DESCRIPTION
Specifies whether the user has bypass privileges set. Bypass privilege supersedes
other privileges.
CONDITION
EVALUATION
true If the user has bypass privileges, evaluates to true.
false If the user does not have bypass privileges, evaluates to false.
INPUT
ARGUMENTS
true or false
HAS_CLASS
CATEGORY
Default
DESCRIPTION
Specifies an object class. The object is evaluated to determine if it is of the specified
class.
INPUT
ARGUMENTS
class-name
GOOD RULE
PRACTICES
Do not use wildcard characters with the Has Class condition. For example, do not use
Has Class (Des*). Has Class requires full and correct class names.
RELATED
RULE
CONDITIONS
• HAS_ATTRIBUTE
• HAS_TYPE
• HAS_PROPERTY
HAS_CLASSIFICATION
CATEGORY
General
DESCRIPTION
Validates the custom classification attribute value of the object against the value
specified for the condition.
INPUT
ARGUMENTS
Custom Classification Property Name{operator}Custom Classification attribute value
EXAMPLE
EAR_classification>=EAR_highest
RELATED
RULE
CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION
• HAS_IP_CLASSIFICATION
HAS_DESCRIPTION
CATEGORY
General
DESCRIPTION
Specifies a description for the object. The object is evaluated to determine whether the
description matches this value.
CONDITION
EVALUATION
true Evaluates to true if the description of the object matches the
specified description.
false In all other cases, it evaluates to false.
INPUT
ARGUMENTS
text-string Text of the description to be evaluated.
Note
The description value can contain wildcard characters.
RELATED
RULE
CONDITIONS
• HAS_FORM_ATTRIBUTE
• HAS_ITEM_ID
• HAS_NAME
HAS_DIGITAL_SIGNATURE
CATEGORY
General
DESCRIPTION
Specifies whether a business object has a digital signature of the specified status.
CONDITION
EVALUATION
True Evaluates to True if the attached digital signature has specified
status.
False In all other cases, it evaluates to False.
INPUT
ARGUMENTS
Valid
Invalid
Propagated
Revoked
Voided
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• POM_APPLICATION_OBJECT and its subtypes
Note
This condition is installed only if the digital signature schema is installed.
RELATED
RULE
CONDITIONS
• USER_HAS_DIGITAL_SIGNATURE
HAS_EXCLUDE_LICENSE_OF_CATEGORY
CATEGORY
License by Category
DESCRIPTION
Checks whether the workspace object being evaluated has any exclude license of
the given category.
CONDITION
EVALUATION
true If there is an exclude license with the specified category
attached to the workspace object, evaluates to true.
false If there is no exclude license with the specified category or if the
license exists but is not attached to the workspace object, the
condition evaluates to false.
INPUT
ARGUMENTS
license_category A string identifying the category of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• HAS_ADA_LICENSE_OF_CATEGORY
• HAS_IP_LICENSE_OF_CATEGORY
• HAS_ITAR_LICENSE_OF_CATEGORY
HAS_FORM_ATTRIBUTE
CATEGORY
General
DESCRIPTION
Enables access control of items and item revisions by setting conditions on attributes
of the Masterform class. This rule can be applied to the ItemRevisionMaster form to
control access to the item.
This rule can also be used to control write access to the properties of items and item
revisions, which in turn determine who can add or remove datasets associated with
the item or item revision through a Specification relation.
This rule cannot be used to control access to the datasets, and it cannot be applied
to user-defined forms. It should be added below the Working→Item Revision/Item
Rule rule in the rule tree.
Note
The way Access Manager evaluates Master forms does not follow the
normal rules. Master forms inherit access privileges from the parent item or
item revision, so if you change access privileges to an item or item revision
you affect the privileges on the Master form.
You can use the TC_MASTERFORM_DELEGATE environment variable to
change the default behavior.
INPUT
ARGUMENTS
form-storage-class:attribute=value
form-storage-class The storage class for the form type on which you set the rule.
Note
Blank spaces are not allowed in the rule syntax.
RELATED
RULE
CONDITIONS
• HAS_DESCRIPTION
• HAS_ITEM_ID
• HAS_NAME
HAS_GOVERNMENT_CLASSIFICATION
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Validates the government classification attribute value of the object against the value
specified for the condition.
The operators can be used without a clearance value in which case the government
classification attribute of the object is compared to the user’s clearance level based on
the specified operator.
Note
If the object has no government classification attribute value, this rule does
not apply.
INPUT
ARGUMENTS
gov_classification_attribute  Specific government classification attribute values that can be
prefixed by the following operators:
>
>=
<
<=
=
RELATED
RULE
CONDITIONS
• USER_HAS_GOVERNMENT_CLEARANCE
• USER_IS_EXCLUDED
• USER_IS_ITAR_LICENSED
HAS_IP_LICENSE_OF_CATEGORY
CATEGORY
License by Category
DESCRIPTION
Checks whether the workspace object being evaluated has any IP license of the given
category.
CONDITION
EVALUATION
true If there is an IP license with the specified category attached to
the workspace object, evaluates to true.
false If there is no IP license with the specified category or if the
license exists but is not attached to the workspace object, the
condition evaluates to false.
INPUT
ARGUMENTS
license_category A string identifying the category of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• HAS_ADA_LICENSE_OF_CATEGORY
• HAS_EXCLUDE_LICENSE_OF_CATEGORY
• HAS_ITAR_LICENSE_OF_CATEGORY
HAS_ITAR_LICENSE_OF_CATEGORY
CATEGORY
License by Category
DESCRIPTION
Checks whether the workspace object being evaluated has any ITAR license of the
given category.
CONDITION
EVALUATION
true If there is an ITAR license with the specified category attached
to the workspace object, evaluates to true.
false If there is no ITAR license with the specified category or if the
license exists but is not attached to the workspace object, the
condition evaluates to false.
INPUT
ARGUMENTS
license_category A string identifying the category of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• HAS_ADA_LICENSE_OF_CATEGORY
• HAS_EXCLUDE_LICENSE_OF_CATEGORY
• HAS_IP_LICENSE_OF_CATEGORY
HAS_ITEM_ID
CATEGORY
General
DESCRIPTION
Specifies an item ID against which the item is evaluated.
INPUT
ARGUMENTS
item-id
ID of the item.
Note
• The item ID value can contain wildcard characters.
RELATED
RULE
CONDITIONS
• HAS_DESCRIPTION
• HAS_FORM_ATTRIBUTE
• HAS_NAME
HAS_ITEM_KEY
CATEGORY
General
DESCRIPTION
Specifies a multifield key identifier against which the item is evaluated. In a multifield
key environment, multifield key identifiers are assigned to each object to ensure their
uniqueness in the database.
For assistance obtaining the multifield key identifier defined for an item, use the
following utilities:
• get_key_definition, which obtains the MFK definition for a class.
CONDITION
EVALUATION
true If the item key ID matches the multifield key of the item, it
evaluates to true.
false In all other cases, it evaluates to false.
INPUT
ARGUMENTS
item-key
Multifield key of the item.
Note
The item key value can contain wildcard characters.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Item or item revision
EXAMPLE
You have a multifield key environment set up so that an item and its related objects
have the same ID. You want to restrict access to the CAD data but allow access to the
associated Word document. Set up the Access Manager rule as follows.
The rule states that a user is allowed access if the item has a multifield key ID of
{item_id=Item001,object_type=msword}, with the World having read access.
RELATED
RULE
CONDITIONS
• HAS_ITEM_ID
HAS_NAME
CATEGORY
General
DESCRIPTION
Specifies a name against which the object is evaluated.
RELATED
RULE
CONDITIONS
• HAS_DESCRIPTION
• HAS_FORM_ATTRIBUTE
• HAS_ITEM_ID
HAS_NAMED_EXCLUDE_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the specified exclude license is attached to the workspace object
being evaluated.
CONDITION
EVALUATION
true If there is an exclude license corresponding to the license
ID and the license is attached to the workspace object, the
condition evaluates to true.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID ID of the license to be attached to the workspace object.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
For an example, see HAS_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• HAS_NAMED_IP_LICENSE
• HAS_NAMED_ITAR_LICENSE
• HAS_NAMED_ADA_LICENSE
HAS_NAMED_IP_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether a specific intellectual property (IP) license is attached to the
workspace object being evaluated.
CONDITION
EVALUATION
true If there is an IP license corresponding to the license ID and
the license is attached to the workspace object, the condition
evaluates to true.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID The ID of the license to be attached to the workspace object.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
For an example, see HAS_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• HAS_NAMED_EXCLUDE_LICENSE
• HAS_NAMED_ITAR_LICENSE
• HAS_NAMED_ADA_LICENSE
HAS_NAMED_ITAR_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the specified ITAR license is attached to the workspace object being
evaluated.
CONDITION
EVALUATION
true If there is an ITAR license corresponding to the license ID and
the license is attached to the workspace object, the condition
evaluates to true.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID ID of the license to be attached to the workspace object.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
The following Access Manager rule states that a user is allowed access if there is an
ITAR license by the name ITAR001 attached to an object, with the World having
read access:
RELATED
RULE
CONDITIONS
• HAS_NAMED_EXCLUDE_LICENSE
• HAS_NAMED_IP_LICENSE
• HAS_NAMED_ADA_LICENSE
HAS_NAMED_ADA_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the specified ADA license is attached to the workspace object being
evaluated.
CONDITION
EVALUATION
true If there is a license corresponding to the license ID and the
license is attached to the workspace object, the condition
evaluates to true.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
(Custom ID of the license to be attached to the workspace object.
License:LicenseID)
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
For an example, see HAS_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• HAS_NAMED_EXCLUDE_LICENSE
• HAS_NAMED_IP_LICENSE
• HAS_NAMED_ITAR_LICENSE
HAS_NO_CLASSIFICATION
CATEGORY
General
DESCRIPTION
Matches if the object has a null value for the custom classification attribute.
INPUT
ARGUMENTS
Custom Classification Property Name
EXAMPLE
EAR_classification
RELATED
RULE
CONDITIONS
• HAS_NO_GOVERNMENT_CLASSIFICATION
• HAS_NO_IP_CLASSIFICATION
HAS_NO_GOVERNMENT_CLASSIFICATION
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Matches if the object has a null value for the government classification attribute.
RELATED
RULE
CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION
HAS_NO_STATUS
CATEGORY
Default
DESCRIPTION
Supports the negation for the existing Has Status rule tree condition.
CONDITION
EVALUATION
Condition evaluates to true if the object under evaluation does not have the defined
status.
HAS_NO_IP_CLASSIFICATION
CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks whether the workspace object does not have a value specified in the IP
classification attribute.
RELATED
RULE
CONDITIONS
• USER_HAS_IP_CLEARANCE
• HAS_IP_CLASSIFICATION
• USER_IS_IP_LICENSED
HAS_OBJECT_ACL
CATEGORY
Default
DESCRIPTION
Specifies that an ACL is associated with an object. This condition does not expect an
ACL attached to a rule. It is a placeholder that indicates the point at which process
ACLs and object ACLs are applied in the rule tree hierarchy.
INPUT
ARGUMENTS
true or false
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
RELATED
RULE
CONDITIONS
• IN_JOB
HAS_PROPERTY
CATEGORY
Default
DESCRIPTION
Specifies the value of a compound property against which an object is evaluated.
INPUT
ARGUMENTS
Typename:prop_name=prop_value
The Has Property condition supports compound properties and persistent properties
on the business object type. It supports multi-value (VLA) properties.
Note
Has Property does not support the following property types:
• Runtime
• Relation
• Table
• Reference
Note
This condition supports the != comparator. If != is used with the Has
Property rule tree condition, the condition evaluates to true if the value of
the specified property on the object under evaluation is not equal to the
value specified on the righthand side of the != comparator. It does not support
any other comparator, such as <, >, <=, or >=.
Supported property types include:
• PROP_char (character)
• PROP_int (integer)
• PROP_float (float)
• PROP_logical (logical)
• PROP_untyped_reference (reference)
• PROP_external_reference (reference)
• PROP_typed_reference (reference)
Note
• Property value can contain wild cards.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
The following example shows how to use the Has Property condition with a string
property:
The following example shows how to use the Has Property condition with a reference
property:
Has Property(Item:<reference_prop_name>=1)
• A value of 1 in the argument indicates that the condition expects the property
value to be a nonnull (nonzero) value.
• A value of 0 in the argument indicates that the condition expects the property
value to be a null_tag value.
The following example shows how to use the Has Property condition with an integer
property:
Has Property(WorkspaceObject:<int_prop_name>=2)
The following example shows how to use the Has Property condition with a character
property:
Has Property(WorkspaceObject:<char_prop_name>='c')
RELATED
RULE
CONDITIONS
• HAS_ATTRIBUTE
• HAS_CLASS
• HAS_TYPE
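Has Attribute and Has Property share one argument grammar (Class:name=value or Class:name!=value, no blanks, wildcards in the value, 0/1 for references) and one fail-closed rule: an attribute that does not exist on the object makes the condition false even when != is used. The following Python model is an added example written for this page, not Teamcenter code. The dictionary layout of the sample object, the reference_attrs marker, and the function names are assumptions made here; the sample values are constructed.

```python
"""Model of Has Attribute / Has Property argument evaluation (added example,
not Teamcenter code). Object layout and function names are constructed."""
import fnmatch
import re
from typing import Any, Mapping, Tuple

# Class:attribute=value  or  Class:attribute!=value  (only = and != exist)
_ARG_RE = re.compile(r"^(?P<cls>\w+):(?P<attr>\w+)(?P<op>!=|=)(?P<val>.*)$")


def parse_condition_arg(arg: str) -> Tuple[str, str, str, str]:
    """Split 'Class:attr=value' into (class, attribute, operator, value)."""
    if " " in arg:
        raise ValueError(f"blank spaces are not allowed in the rule syntax: {arg!r}")
    m = _ARG_RE.match(arg)
    if m is None:
        raise ValueError(f"malformed argument (only = and != are supported): {arg!r}")
    return m["cls"], m["attr"], m["op"], m["val"]


def is_well_formed(arg: str) -> bool:
    """True when the argument parses; handy for validating rules before import."""
    try:
        parse_condition_arg(arg)
        return True
    except ValueError:
        return False


def has_attribute(obj: Mapping[str, Any], arg: str) -> bool:
    """Evaluate one Has Attribute / Has Property condition against an object.

    obj["classes"]: the class names the object is an instance of (own class
    plus superclasses); obj["attrs"]: attribute name -> value, with None for a
    null_tag reference; obj["reference_attrs"]: which attributes are references.
      - class not in the hierarchy, or attribute absent: False, even for !=
      - reference attributes: 1 means nonnull, 0 means null_tag
      - everything else: string comparison with * and ? wildcards
      - != inverts the comparison of a present attribute
    """
    cls, attr, op, pattern = parse_condition_arg(arg)
    if cls not in obj["classes"] or attr not in obj["attrs"]:
        return False                       # missing attribute: rule tree is false
    value = obj["attrs"][attr]
    if attr in obj.get("reference_attrs", ()):
        if pattern not in ("0", "1"):
            raise ValueError("references can only be checked for 0 (null) or 1 (nonnull)")
        matched = (value is not None) == (pattern == "1")
    else:
        matched = fnmatch.fnmatchcase(str(value), pattern)
    return not matched if op == "!=" else matched


# Constructed sample object standing in for an Item.
SAMPLE_ITEM = {
    "classes": {"POM_object", "WorkspaceObject", "Item"},
    "attrs": {
        "object_name": "test_bracket",
        "revision_number": 2,
        "owning_organization": "tag_0x1a2b",   # nonnull reference
        "owning_project": None,                # null_tag reference
    },
    "reference_attrs": {"owning_organization", "owning_project"},
}

if __name__ == "__main__":
    for rule in ("Item:object_name=test*",
                 "WorkspaceObject:revision_number=2",
                 "Item:owning_organization=1",
                 "Item:owning_project=0",
                 "Item:no_such_attr!=x"):
        print(f"{rule:40} -> {has_attribute(SAMPLE_ITEM, rule)}")
```

The last rule in the usage loop is the one to remember when reviewing a rule tree: a != test on an attribute the class does not have is not a permissive "not equal", it is simply false, so it never grants anything by accident.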
HAS_STATUS
CATEGORY
Default
DESCRIPTION
Specifies the status type against which the object is evaluated.
INPUT
ARGUMENTS
status-name Accepts null entry null=all.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
RELATED
RULE
CONDITIONS
• HAS_TYPE
HAS_TYPE
CATEGORY
Default
DESCRIPTION
Specifies the object type against which the object is evaluated.
INPUT
ARGUMENTS
type-name The full object type.
Note
Do not use wildcard characters with the Has Type
condition. For example, do not use Has Type (Des*).
Has Type requires full and correct type names.
RELATED
RULE
CONDITIONS
• HAS_STATUS
IN_CURRENT_PROGRAM
CATEGORY
Program
DESCRIPTION
Specifies access based on whether the program to which the data is assigned is the
current program under which the user is logged on to Teamcenter.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_INACTIVE_PROGRAM
• IN_INVISIBLE_PROGRAM
• IS_OWNED_BY_PROGRAM
• IS_PROGRAM_MEMBER
IN_IC_CONTEXT
CATEGORY
Incremental Change
DESCRIPTION
Enables structure edits (occurrence edits, occurrence notes, transform edits, and
attachment edits) to be controlled by the Structure Manager, Manufacturing Process
Planner, Multi-Structure Manager, or Part Planner application. The rule does not
depend on the properties of the object.
When there is an active incremental change in the structure editor, the IC Context
(true) condition is satisfied and its associated ACL is applied.
INPUT
ARGUMENTS
true or false
Note
Always use the true value for this condition. The false value applies the
rule to all objects, regardless of whether structure edits are being made.
IN_INACTIVE_PROGRAM
CATEGORY
Program
DESCRIPTION
Controls access to data based on whether the status of the owning program is inactive.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROGRAM
• IN_INVISIBLE_PROGRAM
IN_INVISIBLE_PROGRAM
CATEGORY
Program
DESCRIPTION
Controls access to data based on whether the status of the owning program is
invisible.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROGRAM
• IN_INACTIVE_PROGRAM
• IS_OWNED_BY_PROGRAM
• IS_PROGRAM_MEMBER
IN_JOB
CATEGORY
Default
DESCRIPTION
Specifies whether the target object is in a workflow job (process). This condition does
not expect an ACL attached to a rule. It is a placeholder that indicates the point at
which workflow ACLs are applied in the rule tree hierarchy.
Note
No subbranches can be added below the In Job branch in the Access
Manager rule tree.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• HAS_OBJECT_ACL
IN_PROJECT
CATEGORY
Project
DESCRIPTION
Specifies a project to which the object must be assigned. The condition is evaluated
as being true when the active project to which the object is assigned matches the
project specified for this rule condition. If you use an empty string as the value for this
condition, the condition is deemed true if the object is assigned to any active project.
INPUT
ARGUMENTS
project-ID
The syntax for this rule is:
In Project (project-ID)-project_acl
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROJECT
• IS_PROJECT_MEMBER
INACTIVE_SEQUENCE
CATEGORY
General
DESCRIPTION
Specifies that previous sequences are historical and cannot be worked on
independently. The latest sequence is always the working sequence for the revision.
Note
This condition is used with the Inactive Sequence Objects ACL.
INPUT
ARGUMENTS
true or false
IP_LICENSE_HAS_CITIZENSHIP
CATEGORY
License by Category
DESCRIPTION
Checks whether the IP license being evaluated has the given citizenship.
Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.
CONDITION
EVALUATION
true If any of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to true.
false If none of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
IS_ARCHIVED
CATEGORY
General
DESCRIPTION
Note
This rule condition is implemented to support a legacy feature that is now
obsolete. Siemens PLM Software does not recommend this rule condition
for new work.
IN_CURRENT_PROJECT
CATEGORY
Project
DESCRIPTION
Specifies the project ID against which the object is evaluated. The condition is
evaluated as being true when the object is in the current active project of the logged-on
user, and the project ID of the current project matches the value for this condition.
Note
This rule is not delivered with the default installation of Teamcenter. It must
be added manually.
INPUT
ARGUMENTS
project-ID
The syntax for this rule is:
In Project (project-ID)-project_acl
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_PROJECT
• IS_PROJECT_MEMBER
IS_GA
CATEGORY
Ownership/Accessor based
DESCRIPTION
Specifies whether the user's status as a group administrator in the current group
is evaluated.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_SA
IS_LOCAL
CATEGORY
General
DESCRIPTION
Specifies whether the object's residence in the local database is evaluated. This
condition is used when Multi-Site Collaboration is implemented.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_ARCHIVED
IS_OWNED_BY_PROGRAM
CATEGORY
Program
DESCRIPTION
Controls access to data based on whether data is owned by the program specified as
a value for the Is Owned By Program condition.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROGRAM
• IN_INACTIVE_PROGRAM
• IN_INVISIBLE_PROGRAM
• IS_PROGRAM_MEMBER
IS_PROGRAM_MEMBER
CATEGORY
Program
DESCRIPTION
Specifies whether the user's membership in the program is evaluated.
Note
This does not apply to project team members who are inactive group
members.
CONDITION
EVALUATION
true Evaluates to true if the user is a member of the owning program
or a shared program.
false In all other cases, evaluates to false.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROGRAM
• IN_INACTIVE_PROGRAM
• IN_INVISIBLE_PROGRAM
IS_PROJECT_MEMBER
CATEGORY
Project
DESCRIPTION
Specifies whether the user's membership in the project is evaluated. This condition is
only true when the user is a current member of the project.
INPUT
ARGUMENTS
true or false
EXAMPLE
For an example, see Security Administration.
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROJECT
• IN_PROJECT
• IS_OWNED_BY_PROGRAM
HAS_PROJECT_OF_CATEGORY
CATEGORY
Project
DESCRIPTION
Checks whether the workspace object being evaluated has any project assigned of
the given category.
CONDITION
EVALUATION
true Evaluates to true if a project with the specified category is
assigned to the workspace object.
false Evaluates to false if no project with the specified category is
assigned to the workspace object.
INPUT
ARGUMENTS
project_category, which is a string identifying the category of the project.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
RELATED
RULE
CONDITIONS
• IN_CURRENT_PROJECT
• IN_PROJECT
• IS_OWNED_BY_PROGRAM
IS_SA
CATEGORY
Ownership/Accessor based
DESCRIPTION
Specifies whether the user's system administration group membership is evaluated.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• IS_GA
IS_SPONSORED_MODE
CATEGORY
General
DESCRIPTION
Checks whether the Teamcenter session is in sponsored mode. It enables end users
to configure rules to enforce data access control when the Teamcenter session is
launched in sponsored mode.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• CURRENT_GROUP_IS
ITAR_LICENSE_HAS_CITIZENSHIP
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the ITAR license being evaluated has the given citizenship.
Note
Citizenships are a two-letter country code from ISO 3166 (for example,
Germany’s country code is DE). A user can have multiple citizenships.
CONDITION
EVALUATION
true If any of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to true.
false If none of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
HAS_IP_CLASSIFICATION
CATEGORY
Intellectual property (IP)
DESCRIPTION
Validates the IP classification attribute value of the object against the value specified
for the condition.
The operators can be used without a clearance value; the IP classification attribute of
the object is compared to the user's clearance level based on the specified operator.
Note
• If the object has no IP classification attribute value, this rule does not
apply.
INPUT
ARGUMENTS
IP_classification_attributes Specific IP classification attribute values that can be prefixed by
the following operators: >, >=, <, <=, =
RELATED
RULE
CONDITIONS
• USER_HAS_IP_CLEARANCE
• HAS_NO_IP_CLASSIFICATION
• USER_IS_IP_LICENSED
OWNING_GROUP
CATEGORY
Ownership/Accessor based
DESCRIPTION
Evaluates whether the object is owned by the group specified in the group-name
argument.
INPUT
ARGUMENTS
group-name
Wildcard characters can be used with the Owning Group condition to allow you to
define rules applying to a group and all its subgroups. For example, assume that the
Design group has two subgroups: Analysis.Design and Development.Design. By
defining a value for the Owning Group condition using a wildcard, you can define
a general rule to control access to all data owned by the Design group and its
subgroups, for example:
RELATED
RULE
CONDITIONS
• OWNING_SITE
• OWNING_USER
OWNING_GROUP_HAS_SECURITY
CATEGORY
Ownership/Accessor based
DESCRIPTION
Evaluates whether the owning group of the object has a security string. This condition
is true only if the security value of the owning group is equal to the value of this
condition.
INPUT
ARGUMENTS
Internal or External
EXAMPLE
For examples of managing group-level security, see Security Administration.
RELATED
RULE
CONDITIONS
• OWNING_GROUP
• OWNING_SITE
• OWNING_USER
OWNING_SITE
CATEGORY
Ownership/Accessor based
DESCRIPTION
Evaluates whether the object is owned by the specified site. This condition is used
when Multi-Site Collaboration is implemented.
INPUT
ARGUMENTS
site-name
EXAMPLE
For examples of managing group-level security, see Security Administration.
RELATED
RULE
CONDITIONS
• OWNING_GROUP
• OWNING_GROUP_HAS_SECURITY
• OWNING_USER
OWNING_USER
CATEGORY
Ownership/Accessor based
DESCRIPTION
Evaluates whether the object is owned by the specified user.
INPUT
ARGUMENTS
user-ID ID of the user.
EXAMPLE
For examples of managing group-level security, see Security Administration.
RELATED
RULE
CONDITIONS
• OWNING_GROUP
• OWNING_GROUP_HAS_SECURITY
• OWNING_SITE
SITE_GEOGRAPHY
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given geography matches the geography of the site being
evaluated.
INPUT
ARGUMENTS
country-code Two-character ISO 3166 country codes.
This condition accepts negation using a minus (–) prefix. For
example, –us indicates any user at a site outside the U.S.
RELATED
RULE
CONDITIONS
• USER_GEOGRAPHY
USER-ADA_LIC_HAS_CITIZENSHIP
CATEGORY
Licenses
DESCRIPTION
Checks whether the user's citizenship matches the passed-in value and then checks if
the user's citizenship is listed on any of the ADA licenses attached to the workspace
object being evaluated.
CONDITION
EVALUATION
true This condition evaluates to true if the user's citizenship matches
the input citizenship and that citizenship is listed on any
nonexpired ADA license attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
(Custom License:citizenship) Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
RELATED
RULE
CONDITIONS
• USER-EXCLUDE_LIC_HAS_CITIZENSHIP
• USER-IP_LIC_HAS_CITIZENSHIP
• USER-ITAR_LIC_HAS_CITIZENSHIP
USER_CITIZENSHIP
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given citizenship matches the citizenships of the user being
evaluated.
CONDITION
EVALUATION
true If any of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to true.
false If none of the citizenships of the user being evaluated match the
specified citizenship, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
RELATED
RULE
CONDITIONS
• USER_CITIZENSHIP_OR_NATIONALITY
• USER_NATIONALITY
USER_CITIZENSHIP_OR_NATIONALITY
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given citizenship matches the citizenship or nationality of the
user being evaluated.
CONDITION
EVALUATION
true If any of the citizenships or nationality of the user being
evaluated match the specified citizenship or nationality, the
condition evaluates to true.
false If none of the citizenships or nationality of the user being
evaluated match the specified citizenship or nationality, the
condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
RELATED
RULE
CONDITIONS
• USER_CITIZENSHIP
• USER_NATIONALITY
USER-EXCLUDE_LIC_HAS_CITIZENSHIP
CATEGORY
Licenses
DESCRIPTION
Checks whether the user's citizenship matches the passed-in value and then checks if
the user's citizenship is listed on any of the exclude licenses attached to the workspace
object being evaluated.
CONDITION
EVALUATION
true This condition evaluates to true if the user's citizenship matches
the input citizenship and that citizenship is listed on any
nonexpired exclude license attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
RELATED
RULE
CONDITIONS
• USER-ADA_LIC_HAS_CITIZENSHIP
• USER-IP_LIC_HAS_CITIZENSHIP
• USER-ITAR_LIC_HAS_CITIZENSHIP
USER_HAS_CLEARANCE
CATEGORY
General
DESCRIPTION
Validates the user's custom clearance level (from the attached custom LOV) against
the value specified for the condition's input argument.
INPUT
ARGUMENTS
Custom Clearance Property Name {operator} Custom Classification attribute value
EXAMPLE
EAR_clear>=EAR_highest
RELATED
RULE
CONDITIONS
• USER_HAS_GOVERNMENT_CLEARANCE
• USER_HAS_IP_CLEARANCE
USER_HAS_DIGITAL_SIGNATURE
CATEGORY
General
DESCRIPTION
Specifies whether a particular business object has a digital signature of the specified
status in the context of the logged-in user.
CONDITION
EVALUATION
True Evaluates to True if the attached digital signature has the specified
status in the context of the logged-on user.
False In all other cases, it evaluates to False.
INPUT
ARGUMENTS
Valid
Invalid
Propagated
Revoked
Voided
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• POM_APPLICATION_OBJECT and its subtypes
Note
This condition is installed only if the digital signature schema is installed.
RELATED
RULE
CONDITIONS
• HAS_DIGITAL_SIGNATURE
USER_HAS_GOVERNMENT_CLEARANCE
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Validates the user's government clearance level (secret, super-secret, top-secret)
against the value specified for the condition’s input argument.
Teamcenter defines out-of-the-box clearance levels using the
ITAR_level_list_ordering preference as secret, super-secret, top-secret. This
list can be customized.
This condition has two modes of evaluation:
• If the input argument specifies an operator and a clearance value, the condition
compares this input value to the user’s government clearance.
Example: HasGovernmentClearance (>Secret)
• The operators can be used without a clearance value, in which case the user’s
government clearance is compared to the government classification attribute of
the object based on the specified operator.
Example: HasGovernmentClearance (>)
Note
If the object is not ITAR classified (gov_classification attribute value
is empty), the User Has Government Clearance condition always
evaluates as being true regardless of whether or not the user is assigned a
government clearance level.
CONDITION
EVALUATION
true The result depends on the user's government clearance, for example:
User's Gov Classification Evaluation
top-secret True
secret False
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
The following example shows how to use the User Has Government Clearance
condition using operators and a clearance value:
The following example shows how to use the User Has Government Clearance
condition using an operator without a clearance value:
The following example shows how to use the User Has Government Clearance
condition without any value for the condition:
RELATED
RULE
CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION
• HAS_NO_GOVERNMENT_CLASSIFICATION
• USER_IS_EXCLUDED
• USER_IS_ITAR_LICENSED
USER_HAS_IP_CLEARANCE
CATEGORY
Intellectual property (IP)
DESCRIPTION
Validates the user's clearance level against the value specified for the condition.
The Intellectual property (IP) clearance level is the level of access the user has to
sensitive (classified) information.
The operators can be used without a clearance value in which case the user's
clearance is compared to the IP classification attribute of the object based on the
specified operator.
Note
If the data is not IP classified, the User Has IP Clearance condition is
evaluated as being true regardless of whether or not the user is assigned a
clearance level.
CONDITION
EVALUATION
true Evaluates to true in the following scenarios:
• The workspace object being evaluated does not have IP
classification set on it.
User's IP Clearance Evaluation
top-secret True
secret True
(The remaining rows of this table, covering the >=, <, and <= operators, are not preserved.)
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
The following example shows how to use the User Has IP Clearance condition using
operators and a clearance value:
The following example shows how to use the User Has IP Clearance condition using
an operator without a clearance value:
The following example shows how to use the User Has IP Clearance condition
without any value for the condition:
RELATED
RULE
CONDITIONS
• HAS_IP_CLASSIFICATION
• HAS_NO_IP_CLASSIFICATION
• USER_IS_IP_LICENSED
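As an added illustration of the operator-based conditions described above (HAS_IP_CLASSIFICATION, USER_HAS_GOVERNMENT_CLEARANCE and USER_HAS_IP_CLEARANCE), the following Python models their two evaluation modes over an assumed level ordering taken from the out-of-the-box ITAR_level_list_ordering values named on the page. This is not Teamcenter's own code; the argument parser, the function names and the deny-by-default handling of a user with no clearance are assumptions.

```python
"""Model of the operator-based clearance conditions. Added illustration only;
not Teamcenter code. Names and edge-case handling are assumptions."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Assumed ordering, lowest to highest, mirroring the out-of-the-box
# ITAR_level_list_ordering preference values named on the page.
DEFAULT_LEVELS: List[str] = ["secret", "super-secret", "top-secret"]

_OPERATORS: Dict[str, Callable[[int, int], bool]] = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}
# Two-character operators listed first so ">=" is not read as ">" plus a value "=...".
_ARG_RE = re.compile(r"^\s*(>=|<=|>|<|=)\s*(.*?)\s*$")


def parse_argument(argument: str) -> Tuple[str, Optional[str]]:
    """Split an argument such as '>Secret' or '>=' into (operator, value).

    value is None when only an operator is given (the page's second mode).
    Anything else is rejected rather than guessed at.
    """
    match = _ARG_RE.match(argument)
    if not match:
        raise ValueError(f"unsupported condition argument: {argument!r}")
    operator, value = match.group(1), match.group(2)
    return operator, (value or None)


def level_rank(level: str, levels: List[str] = DEFAULT_LEVELS) -> int:
    """Position of a level in the ordering; an unknown level is an error, not a pass."""
    key = level.strip().lower()
    if key not in levels:
        raise ValueError(f"unknown clearance/classification level: {level!r}")
    return levels.index(key)


def user_has_clearance(argument: str, user_clearance: Optional[str],
                       object_classification: Optional[str],
                       levels: List[str] = DEFAULT_LEVELS) -> bool:
    """USER_HAS_GOVERNMENT_CLEARANCE / USER_HAS_IP_CLEARANCE.

    - Empty classification attribute on the object: True regardless of the
      user's clearance, as the note on the page states.
    - '<op><value>': the user's clearance is compared to <value>.
    - '<op>' alone: the user's clearance is compared to the object's attribute.
    A user without any clearance fails a classified object (assumption:
    deny by default, in line with the Access Controls model).
    """
    if not object_classification:
        return True
    if not user_clearance:
        return False
    operator, value = parse_argument(argument)
    target = value if value is not None else object_classification
    return _OPERATORS[operator](level_rank(user_clearance, levels),
                                level_rank(target, levels))


def has_classification(argument: str, user_clearance: Optional[str],
                       object_classification: Optional[str],
                       levels: List[str] = DEFAULT_LEVELS) -> Optional[bool]:
    """HAS_IP_CLASSIFICATION: the object's attribute is on the left of the operator
    and is compared to <value>, or to the user's clearance when no value is given.
    Returns None when the object has no classification, which the page describes
    as "this rule does not apply" (a distinct outcome from False).
    """
    if not object_classification:
        return None
    operator, value = parse_argument(argument)
    if value is None:
        if not user_clearance:
            return False  # assumption: nothing to compare the object against
        value = user_clearance
    return _OPERATORS[operator](level_rank(object_classification, levels),
                                level_rank(value, levels))


if __name__ == "__main__":
    # HasGovernmentClearance (>Secret): a top-secret user passes, a secret user does not.
    print(user_has_clearance(">Secret", "top-secret", "secret"))  # True
    print(user_has_clearance(">Secret", "secret", "secret"))      # False
    # HasGovernmentClearance (>=): the user is compared to the object's own attribute.
    print(user_has_clearance(">=", "secret", "top-secret"))       # False
    # Unclassified object: always True.
    print(user_has_clearance(">=", None, ""))                     # True
```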
USER_IN_ATTACH_ADA_LIC_OF_CTGRY
CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes.
CONDITION
EVALUATION
true Evaluates to true if:
• The evaluation object is a workspace object or one of its
subtypes.
INPUT
ARGUMENTS
(Custom License:license_category) A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.
EXAMPLE
For an example, see Security Administration.
GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_EXCL_LIC_OF_CTGRY
• USER_IN_ATTACH_IP_LIC_OF_CTGRY
• USER_IN_ATTACH_ITAR_LIC_OF_CTGRY
• USER_IN_ATTACHED_EXCLUDE_LICENSE
• USER_IN_ATTACHED_IP_LICENSE
• USER_IN_ATTACHED_LICENSE
• USER_IN_ATTACHED_ITAR_LICENSE
USER_IN_ATTACH_EXCL_LIC_OF_CTGRY
CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes.
CONDITION
EVALUATION
true Evaluates to true if:
• The evaluation object is a workspace object or one of its
subtypes.
INPUT
ARGUMENTS
license_category A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.
EXAMPLE
For an example, see Security Administration.
GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_ADA_LIC_OF_CTGRY
• USER_IN_ATTACH_IP_LIC_OF_CTGRY
• USER_IN_ATTACH_ITAR_LIC_OF_CTGRY
• USER_IN_ATTACHED_EXCLUDE_LICENSE
• USER_IN_ATTACHED_IP_LICENSE
• USER_IN_ATTACHED_LICENSE
• USER_IN_ATTACHED_ITAR_LICENSE
USER_IN_ATTACH_IP_LIC_OF_CTGRY
CATEGORY
Intellectual Property (IP)
DESCRIPTION
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes
CONDITION
EVALUATION
true Evaluates to true if:
• The evaluation object is a workspace object or one of its
subtypes.
INPUT
ARGUMENTS
license_category A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.
EXAMPLE
For an example, see Security Administration.
GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about license categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_ADA_LIC_OF_CTGRY
• USER_IN_ATTACH_EXCL_LIC_OF_CTGRY
• USER_IN_ATTACH_ITAR_LIC_OF_CTGRY
• USER_IN_ATTACHED_EXCLUDE_LICENSE
• USER_IN_ATTACHED_IP_LICENSE
• USER_IN_ATTACHED_LICENSE
• USER_IN_ATTACHED_ITAR_LICENSE
USER_IN_ATTACH_ITAR_LIC_OF_CTGRY
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or
one of its subtypes.
GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about license categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_ADA_LIC_OF_CTGRY
• USER_IN_ATTACH_EXCL_LIC_OF_CTGRY
• USER_IN_ATTACH_IP_LIC_OF_CTGRY
• USER_IN_ATTACHED_EXCLUDE_LICENSE
• USER_IN_ATTACHED_IP_LICENSE
• USER_IN_ATTACHED_LICENSE
• USER_IN_ATTACHED_ITAR_LICENSE
USER_IN_ATTACHED_ADA_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the user from the current session is listed on any or all of the custom
licenses attached to the workspace object being evaluated.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user
is listed on at least one custom license attached to the
workspace object.
• All
INPUT
ARGUMENTS
Custom License:{Any|All|None}
EXAMPLE
EAR_itarlicense:Any
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_IP_LICENSE
• USER_IN_ATTACHED_ITAR_LICENSE
• USER_IN_ATTACHED_EXCLUDE_LICENSE
USER_IN_ATTACHED_EXCLUDE_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the user from the current session is listed in any or all exclude
licenses attached to the workspace object being evaluated.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user is
listed on any nonexpired exclude licenses attached to the
workspace object.
EXAMPLE
For an example, see USER_IN_ATTACHED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_IP_LICENSE
• USER_IN_ATTACHED_ITAR_LICENSE
• USER_IN_ATTACHED_LICENSE
USER_IN_ATTACHED_IP_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the user being evaluated is listed on any or all of the IP licenses
attached to the workspace objects.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user is
listed on at least one nonexpired IP license attached to the
workspace object.
EXAMPLE
For an example, see USER_IN_ATTACHED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_EXCLUDE_LICENSE
• USER_IN_ATTACHED_ITAR_LICENSE
• USER_IN_ATTACHED_LICENSE
USER_IN_ATTACHED_ITAR_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the user from the current session is listed on any or all of the ITAR
licenses attached to the workspace object being evaluated.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user
is listed on any nonexpired ITAR license attached to the
workspace object.
EXAMPLE
The following Access Manager rule states that a user only needs to be on one or
more of the ITAR licenses attached to an object to be given access to that object,
with World having read access:
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_EXCLUDE_LICENSE
• USER_IN_ATTACHED_IP_LICENSE
• USER_IN_ATTACHED_LICENSE
USER_IN_ATTACHED_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the user from the current session is listed on any or all of the licenses
attached to the workspace object being evaluated.
CONDITION
EVALUATION
true • If set to Any, the condition evaluates to true if the user
is listed on any nonexpired ADA license attached to the
workspace object.
EXAMPLE
For an example, see USER_IN_ATTACHED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACHED_EXCLUDE_LICENSE
• USER_IN_ATTACHED_IP_LICENSE
• USER_IN_ATTACHED_ITAR_LICENSE
USER_IN_LICENSE
CATEGORY
ADA
DESCRIPTION
Checks whether the ADA_License object being evaluated lists the user being
evaluated, either individually or as a member of a group, so you can control the
licenses that are visible to the user in Teamcenter applications, such as when
searching for licenses, viewing licenses in the ADA License application, attaching
licenses to an object, or viewing licenses attached to an object. For example, it
determines whether Teamcenter displays a particular license in the ADA licenses
view to the user, as shown, or in the Attach an object to Licenses dialog box.
CONDITION
EVALUATION
true • If set to true, the condition returns true if the user being
evaluated is listed on the license either individually or as
a member of a group.
false • If set to true, the condition returns false if the user being
evaluated is not listed on the license either individually or as
a member of a group.
INPUT
ARGUMENTS
true or false
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• ADA_License object or any of its subclasses (ITAR_License, IP_License, or
Exclude_License)
USER_IN_NAMED_ADA_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the user being evaluated is listed on a custom license of the specified
name. It does not check if the license is attached to the workspace objects being
evaluated.
INPUT
ARGUMENTS
Custom License: License ID
EXAMPLE
EAR_itarlicense:ear_license_01
RELATED
RULE
CONDITIONS
• USER_IN_NAMED_IP_LICENSE
• USER_IN_NAMED_ITAR_LICENSE
• USER_IN_NAMED_EXCLUDE_LICENSE
USER_IN_NAMED_EXCLUDE_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether a user being evaluated is listed in an exclude license of the specified
license ID. It does not check if the license is attached to the workspace object being
evaluated.
CONDITION
EVALUATION
true If the user is in the specified license and the license is an
exclude license, the rule condition evaluates to true, regardless
of whether the license is attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID ID of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
For an example, see USER_IN_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_NAMED_IP_LICENSE
• USER_IN_NAMED_ITAR_LICENSE
• USER_IN_NAMED_LICENSE
USER_IN_NAMED_IP_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the user being evaluated is listed on an IP license of the specified
name. It does not check if the license is attached to the workspace objects being
evaluated.
CONDITION
EVALUATION
true If the user is in the specified license and the license is an IP
license, the rule condition evaluates to true, regardless of
whether the license is attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
For an example, see USER_IN_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_NAMED_EXCLUDE_LICENSE
• USER_IN_NAMED_ITAR_LICENSE
• USER_IN_NAMED_LICENSE
USER_IN_NAMED_ITAR_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether the user being evaluated is listed on an ITAR license of the specified
name. It does not check if the license is attached to the workspace objects being
evaluated.
CONDITION
EVALUATION
true If the user is in the specified license and the license is an ITAR
license, the rule condition evaluates to true, regardless of
whether the license is attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID ID of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
The following Access Manager rule states that a user must be in a named ITAR
license to be given access to an object, with the World having read access:
The ITAR 001 license has three users named on it (User 1, User 2, and User 3).
In addition, the item trying to be accessed, item001, has a gov_classification set
to secret.
Using the User In Named ITAR license condition, User 1 can read item001 because
User 1 is listed on the license, while User 4 cannot read item001 because User 4 is
not listed on the license.
RELATED
RULE
CONDITIONS
• USER_IN_NAMED_EXCLUDE_LICENSE
• USER_IN_NAMED_IP_LICENSE
• USER_IN_NAMED_LICENSE
USER_IN_NAMED_LICENSE
CATEGORY
Licenses
DESCRIPTION
Checks whether a user from the current session is listed in the license of the specified
license ID. The rule condition does not check if the license is attached to the workspace
object being evaluated.
CONDITION
EVALUATION
true If the user is in the specified license, the rule condition evaluates
to true, regardless of whether the license is attached to the
workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
License ID ID of the license.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Workspace objects
EXAMPLE
For an example, see USER_IN_NAMED_ITAR_LICENSE.
RELATED
RULE
CONDITIONS
• USER_IN_NAMED_EXCLUDE_LICENSE
• USER_IN_NAMED_IP_LICENSE
• USER_IN_NAMED_ITAR_LICENSE
USER-IP_LIC_HAS_CITIZENSHIP
CATEGORY
Licenses
DESCRIPTION
Checks whether the user's citizenship matches the passed-in value and then checks
if the user's citizenship is listed on any of the IP licenses attached to the workspace
object being evaluated.
CONDITION
EVALUATION
true This condition evaluates to true if the user's citizenship matches
the input citizenship and that citizenship is listed on any
nonexpired IP license attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
RELATED
RULE
CONDITIONS
• USER-ADA_LIC_HAS_CITIZENSHIP
• USER-EXCLUDE_LIC_HAS_CITIZENSHIP
• USER-ITAR_LIC_HAS_CITIZENSHIP
USER_IS_ADA_LICENSED
CATEGORY
General
DESCRIPTION
Checks whether the user currently logged on is cited in a valid (not expired) custom
license attached to the workspace object either directly or by membership in a cited
organization (group).
CONDITION
EVALUATION
true • If set to true, the condition returns true if the user being
evaluated is cited in any valid (not expired) ADA license
attached to the workspace object being evaluated either
directly or as a member of a group.
false • If set to true, the condition returns false if the user being
evaluated is not listed in any valid (not expired) ADA license
attached to the workspace object being evaluated either
individually or as a member of a group.
INPUT
ARGUMENTS
Custom License:{true|false}
EXAMPLE
EAR_itarlicense:true
RELATED
RULE
CONDITIONS
• USER_IS_IP_LICENSED
• USER_IS_ITAR_LICENSED
USER_IS_EXCLUDED
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Tests whether the user is cited in a valid (not expired) exclude license attached to the
workspace object either directly or by membership in a cited organization (group).
CONDITION
EVALUATION
true • If the input argument is set to true, the condition evaluates
to true if the user is cited in any valid (not expired) exclude
license attached to the workspace object being evaluated
either directly or by membership in a cited organization
(group).
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION
• HAS_NO_GOVERNMENT_CLASSIFICATION
• USER_HAS_GOVERNMENT_CLEARANCE
• USER_IS_ITAR_LICENSED
USER_IS_IP_LICENSED
CATEGORY
Intellectual property (IP)
DESCRIPTION
Checks whether the user being evaluated is listed on an IP license attached to the
workspace object.
CONDITION
EVALUATION
true • If set to true, the condition returns true if the user being
evaluated is cited in any valid (not expired) IP license
attached to the workspace object being evaluated either
directly or as a member of a group.
false • If set to true, the condition returns false if the user being
evaluated is not listed in any valid (not expired) IP license
attached to the workspace object being evaluated either
individually or as a member of a group.
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• USER_HAS_IP_CLEARANCE
• HAS_IP_CLASSIFICATION
• HAS_NO_IP_CLASSIFICATION
USER_IS_ITAR_LICENSED
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the user currently logged on is cited in a valid (not expired) ITAR
license attached to the workspace object either directly or by membership in a cited
organization (group).
CONDITION
EVALUATION
true • If the input argument is set to true, the condition evaluates
to true if the user is cited in any valid (not expired) ITAR
license attached to the workspace object being evaluated
either directly or by membership in a cited organization
(group).
INPUT
ARGUMENTS
true or false
RELATED
RULE
CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION
• HAS_NO_GOVERNMENT_CLASSIFICATION
• USER_HAS_GOVERNMENT_CLEARANCE
• USER_IS_EXCLUDED
USER-ITAR_LIC_HAS_CITIZENSHIP
CATEGORY
Licenses
DESCRIPTION
Checks whether the user's citizenship matches the passed-in value and then checks if
the user's citizenship is listed on any of the ITAR licenses attached to the workspace
object being evaluated.
CONDITION
EVALUATION
true This condition evaluates to true if the user's citizenship matches
the input citizenship and that citizenship is listed on any
nonexpired ITAR license attached to the workspace object.
false In all other cases, the condition evaluates to false.
INPUT
ARGUMENTS
citizenship Two-character ISO 3166 codes identifying a country.
This condition accepts negation using a minus (–) prefix. For
example, –IR means that the user cannot have an IR citizenship.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
RELATED
RULE
CONDITIONS
• USER-ADA_LIC_HAS_CITIZENSHIP
• USER-EXCLUDE_LIC_HAS_CITIZENSHIP
• USER-IP_LIC_HAS_CITIZENSHIP
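To make the Any/All/None, nonexpired and minus-prefix rules of the license conditions in this section concrete (USER_CITIZENSHIP, USER_IN_ATTACHED_*_LICENSE, USER_IN_NAMED_*_LICENSE, USER_IS_*_LICENSED and USER-*_LIC_HAS_CITIZENSHIP), here is an added Python model; it is not Teamcenter code, and the User and License classes, the function names and the treatment of an empty license set under All and None are assumptions. The sample data reuses the ITAR 001 / User 1 to User 4 scenario from the USER_IN_NAMED_ITAR_LICENSE example, with an expired license constructed for illustration.

```python
"""Model of the license conditions in this section; added illustration, not Teamcenter code."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    groups: FrozenSet[str] = frozenset()
    citizenships: FrozenSet[str] = frozenset()  # ISO 3166 two-letter codes


@dataclass(frozen=True)
class License:
    license_id: str
    kind: str  # "ITAR", "IP", "Exclude" or a custom (ADA) license kind
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    citizenships: FrozenSet[str] = frozenset()
    expires: Optional[date] = None  # None: never expires

    def is_valid(self, today: date) -> bool:
        # "Valid (not expired)"; the expiry date itself counts as expired (assumption).
        return self.expires is None or today < self.expires

    def cites(self, user: User) -> bool:
        # Listed "either individually or as a member of a group".
        return user.user_id in self.users or bool(user.groups & self.groups)


def _split_argument(argument: str):
    """Return (negated, CODE) for 'IR', '-IR' or the page's en-dash form '\u2013IR'."""
    arg = argument.strip()
    negated = arg.startswith(("-", "\u2013"))
    code = (arg[1:] if negated else arg).strip().upper()
    if len(code) != 2 or not code.isalpha():
        raise ValueError(f"expected a two-letter ISO 3166 code, got {argument!r}")
    return negated, code


def matches_citizenship(argument: str, citizenships: Iterable[str]) -> bool:
    """USER_CITIZENSHIP: true if the user holds the code; the minus prefix inverts it."""
    negated, code = _split_argument(argument)
    held = code in {c.strip().upper() for c in citizenships}
    return not held if negated else held


def _valid_of_kind(licenses: Iterable[License], kind: str, today: date) -> List[License]:
    return [lic for lic in licenses if lic.kind == kind and lic.is_valid(today)]


def user_in_attached_license(user: User, attached: Iterable[License], kind: str,
                             mode: str, today: date) -> bool:
    """USER_IN_ATTACHED_*_LICENSE with Any | All | None over nonexpired licenses only;
    USER_IS_*_LICENSED with argument true is the Any case. Assumptions: All needs at
    least one valid license of the kind; None holds when no valid one cites the user."""
    cited = [lic.cites(user) for lic in _valid_of_kind(attached, kind, today)]
    mode = mode.strip().lower()
    if mode == "any":
        return any(cited)
    if mode == "all":
        return bool(cited) and all(cited)
    if mode == "none":
        return not any(cited)
    raise ValueError(f"mode must be Any, All or None, got {mode!r}")


def user_in_named_license(user: User, all_licenses: Iterable[License], kind: str,
                          license_id: str) -> bool:
    """USER_IN_NAMED_*_LICENSE: membership only; attachment to the object is not checked."""
    return any(lic.kind == kind and lic.license_id == license_id and lic.cites(user)
               for lic in all_licenses)


def lic_has_citizenship(argument: str, user: User, attached: Iterable[License],
                        kind: str, today: date) -> bool:
    """USER-*_LIC_HAS_CITIZENSHIP: the user holds the citizenship AND a nonexpired attached
    license of the kind lists it. For a negated argument the page only requires that the
    user not hold the citizenship, so that is all that is checked (assumption)."""
    if not matches_citizenship(argument, user.citizenships):
        return False
    negated, code = _split_argument(argument)
    if negated:
        return True
    return any(code in {c.strip().upper() for c in lic.citizenships}
               for lic in _valid_of_kind(attached, kind, today))


# Constructed sample: the page's ITAR 001 / User 1..4 scenario plus a made-up expired license.
TODAY = date(2024, 1, 15)
ITAR_001 = License("ITAR 001", "ITAR", users=frozenset({"User 1", "User 2", "User 3"}),
                   citizenships=frozenset({"US"}))
ITAR_EXPIRED = License("ITAR 002", "ITAR", users=frozenset({"User 4"}), expires=date(2023, 12, 31))
USER_1 = User("User 1", citizenships=frozenset({"US"}))
USER_4 = User("User 4", citizenships=frozenset({"US", "DE"}))
```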
USER_GEOGRAPHY
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given geography matches the geography of the user being
evaluated.
INPUT
ARGUMENTS
country-code Two-character ISO 3166 country codes.
This condition accepts negation using a minus (–) prefix. For
example, –us indicates any user at a site outside the U.S.
RELATED
RULE
CONDITIONS
• SITE_GEOGRAPHY
USER_NATIONALITY
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the given nationality matches the nationality of the user being
evaluated.
INPUT
ARGUMENTS
nationality Two-character ISO 3166 codes.
This condition accepts negation using a minus (–) prefix. For
example, –us indicates any user not from the U.S.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to classified data.
RELATED
RULE
CONDITIONS
• GROUP_NATIONALITY
USER_NOT_IN_ATTACH_ADA_LIC_CTG
CATEGORY
Intellectual Property (IP)
DESCRIPTION
Supports the negative rule tree condition for the existing
USER_IN_ATTACH_ADA_LIC_OF_CTGRY rule tree condition.
Checks the following:
CONDITION
EVALUATION
Evaluates to true if the object under evaluation:
• Is a workspace object or one of its subtypes.
• Has ADA licenses attached that do not both match the input license category
and list the current session user.
INPUT
ARGUMENTS
license_category A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is a workspace object, the condition returns true.
GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about categories, see Security Administration.
RELATED
RULE
CONDITIONS
• USER_IN_ATTACH_ADA_LIC_OF_CTGRY
USER_NOT_IN_ATTACH_EXCL_LIC_CTG
CATEGORY
Intellectual Property (IP)
DESCRIPTION
Supports the negative rule tree condition for the existing USER_IN_ATTACH_EXCL_
LIC_OF_CTGRY rule tree condition.
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes.
• The workspace object has exclude licenses attached that do not:
o Match the license category of the input category.
CONDITION
EVALUATION
true Evaluates to true if:
• The evaluation object is a workspace object or one of its
subtypes.
INPUT
ARGUMENTS
license_category A string identifying the name of the license category.
BUSINESS
OBJECT
SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.
GOOD RULE
PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about categories, see Security Administration.
RELATED
RULE
CONDITIONS
• User Not In Attach ADA Lic of Ctgry
USER_NOT_IN_ATTACH_IP_LIC_CTG
CATEGORY
Intellectual Property (IP)
DESCRIPTION
Supports the negative rule tree condition for the existing User In Attach IP Lic of
Ctgry rule tree condition.
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes.
CONDITION EVALUATION
true    Evaluates to true if:
• The evaluation object is a workspace object or one of its subtypes.
• If ITAR licenses are attached, they both list the user and match the category.
INPUT ARGUMENTS
license_category    A string identifying the name of the license category.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is a workspace object, the condition returns true.
GOOD RULE PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about license categories, see Security Administration.
RELATED RULE CONDITIONS
• User Not In Attach ADA Lic of Ctgry
USER_NOT_IN_ATTACH_ITAR_LIC_CTG
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Supports the negative rule tree condition for the existing User In Attach ITAR Lic of
Ctgry rule tree condition.
Checks the following:
• Whether the evaluation object is a workspace object (WorkspaceObject) or one
of its subtypes.
INPUT ARGUMENTS
license_category    A string identifying the name of the license category.
BUSINESS OBJECT SCOPE
This condition can be used to control access to:
• Any workspace object.
If the evaluated object is not a workspace object, the condition returns false.
GOOD RULE PRACTICES
Access control by licenses can be configured based on the license type to vary access
at a high level or based on the license name to vary the access at a granular level.
Categories offer a way to control access by licenses in between the high and granular
levels. They provide a way to have different subtypes of licenses under each type and
configure access based on each category.
To learn more about license categories, see Security Administration.
RELATED RULE CONDITIONS
• User Not In Attach ADA Lic of Ctgry
USER_TTC_EXPIRED
CATEGORY
International Traffic in Arms Regulations (ITAR)
DESCRIPTION
Checks whether the current date is later than the technology transfer certification
(TTC) date on the User object.
CONDITION EVALUATION
true    If the current date is later than the TTC value on the User object, the
        condition evaluates to true.
false   If the current date is earlier than the TTC value on the User object, the
        condition evaluates to false.
Note
If the TTC value on the User object is not entered, the condition evaluates to true.
INPUT ARGUMENTS
Current date    Specifies today's date.
Technology Transfer Certification (TTC) date    Specifies the technology transfer
certification date, which is the date when the user's qualification for viewing or
exporting data marked as government classified lapses.
BUSINESS OBJECT SCOPE
This condition can be used to control access to classified data.
RELATED RULE CONDITIONS
• HAS_GOVERNMENT_CLASSIFICATION
• HAS_NO_GOVERNMENT_CLASSIFICATION
• USER_HAS_GOVERNMENT_CLEARANCE
• USER_IS_EXCLUDED
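As an added illustrative model, not Teamcenter code, the two ITAR-category conditions above (USER_TTC_EXPIRED and USER_NOT_IN_ATTACH_ITAR_LIC_CTG) evaluated over constructed user, license and object records, so an administrator can see which condition would fire for a given user; the class and field names, the handling of a TTC equal to today, and the reading of the license-category check are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed data model; class and field names are assumptions, not Teamcenter's.
@dataclass
class License:
    name: str
    category: str                         # license category name
    users: set = field(default_factory=set)

@dataclass
class WorkspaceObject:                    # stands in for WorkspaceObject and subtypes
    name: str
    itar_licenses: list = field(default_factory=list)

@dataclass
class User:
    user_id: str
    ttc_date: Optional[date] = None       # technology transfer certification date

def user_ttc_expired(user: User, today: date) -> bool:
    """USER_TTC_EXPIRED: true when today is later than the user's TTC date.
    An unset TTC evaluates to true, as the note above states (fail closed).
    Assumption: a TTC equal to today is not yet expired."""
    if user.ttc_date is None:
        return True
    return today > user.ttc_date

def user_not_in_attach_itar_lic_ctg(obj, user: User, license_category: str) -> bool:
    """USER_NOT_IN_ATTACH_ITAR_LIC_CTG under the reading assumed here: true when
    the object is a WorkspaceObject (or subtype), ITAR licenses of the input
    category are attached, and none of them lists the current user.
    A non-workspace object returns false, as the scope section states."""
    if not isinstance(obj, WorkspaceObject):
        return False
    in_cat = [lic for lic in obj.itar_licenses if lic.category == license_category]
    return bool(in_cat) and not any(user.user_id in lic.users for lic in in_cat)

def itar_deny_reasons(obj, user: User, license_category: str, today: date) -> list:
    """Names of the ITAR conditions that fire for this user/object pair; a deny
    rule built on either condition blocks the user when the list is non-empty."""
    reasons = []
    if user_ttc_expired(user, today):
        reasons.append("USER_TTC_EXPIRED")
    if user_not_in_attach_itar_lic_ctg(obj, user, license_category):
        reasons.append("USER_NOT_IN_ATTACH_ITAR_LIC_CTG")
    return reasons
```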
Out-of-the-box rules, conditions, and operations that are brought into Access Controls from
Access Manager are explained in detail on the Glossary tab of an Administration Data
Documentation report. You can generate an Administration Data Documentation report using the
generate_admin_data_report utility.
1. Enter the following command:
Descriptions of conditions, accessor types, and privileges are displayed. Privileges are called
Operations in Access Controls.
Headquarters
Granite Park One
5800 Granite Parkway
Suite 600
Plano, TX 75024
USA
+1 972 987 3000

Europe
Stephenson House
Sir William Siemens Square
Frimley, Camberley
Surrey, GU16 8QD
+44 (0) 1276 413200

Asia-Pacific
Suites 4301-4302, 43/F
AIA Kowloon Tower, Landmark East
100 How Ming Street
Kwun Tong, Kowloon
Hong Kong
+852 2230 3308

Americas
Granite Park One
5800 Granite Parkway
Suite 600
Plano, TX 75024
USA
+1 314 264 8499