Curious if anyone is leveraging Active Directory groups for access control in Windchill. I am evaluating it right now and one of the hangups I'm running into is the inability to set permissions based on the combined membership of two different groups.
For example, let's say I have two groups in Active Directory:
- Windchill_Users
- Product_ABC_Users
The first group contains everyone in the company that is allowed to access Windchill. The second group contains everyone one in the company who is allowed access to one particular product. (Could be department, division, product team, whatever.) This group has MANY more people in it - many who should never appear in Windchill.
In a perfect world, I would like to define access based on a join of these two groups.
- If a user exists in both groups then they are allowed access.
- If a user only exists in Windchill_Users, they can log in but they won't be able to access Product_ABC.
- If a user only exists in Product_ABC_Users, but not in Windchill_Users, then they can't log in at all (or even be listed in Windchill).
From my testing so far, I can prevent users from logging in via complex Apache filters, but ALL members of the Product_ABC_Users group are showing up in Windchill even though both the Info*Engine and Apache user filters are set to only allow users in the Windchill_Users group.
I really would like to avoid recreating a bunch of context specific groups in Windchill and then manually having to maintain membership on them individually. Having the ability to check membership in multiple groups at the same time would really simplify things. Has anyone figured out a way to accomplish something like this?
Thanks!