Product DocsMenu

Configuring a PTC Windchill Security Provider

The PTC Windchill connector needs a security provider to manage the user permissions on PTC Windchill entities. The PTC Windchill security provider performs tasks such as expanding groups to users and mapping PTC Windchill users to emails or to Active Directory users. The connector creates and sets several virtual groups on indexed documents to support the access policies defined in PTC Windchill.

Note: You can get familiar with how Coveo components deal with permissions on documents both at indexing and query time (see Security) .

To Configure a PTC Windchill security provider

  1. On the Coveo server, access the Administration Tool (see Opening the Administration Tool).

  2. Select Configuration > Security.

  3. In the Security page, in the navigation panel on the left, click Security Providers.

  4. In the Security Providers page, click Add to create a new security provider.

  5. In the Modify Security Provider page:

    1. In the Name box, enter a name to identify this security provider.

      Example: PTC Windchill Security Provider

    2. In the Security Provider Type drop-down list, select Windchill.

    3. In the User Identity section:

      1. In the drop-down list, select the user identity that you created previously with the PTC Windchill crawling account credentials (see PTC Windchill Connector Deployment Overview).

      2. When needed, click Add, Edit, or Manage user identities respectively to create, modify, or manage user identities.

    4. In the Coveo plug-in Web Service Url box, enter the URL in the following format: 


      where you replace [myWindchillServer] with the name of your PTC Windchill server.

    5. In the Client Certificate Path and Server Certificate Path boxes, enter the path and file name where you copied these files on the Coveo Master server (see Copying the PTC Windchill Certificates to the Coveo Master Server).

      Example: When the files were copied with their original names in the D:\CES7\CertStore\PTC_Windchill\ folder, respectively enter: 

      • D:\CES7\CertStore\PTC_Windchill\client.cer
      • D:\CES7\CertStore\PTC_Windchill\server.cer
    6. In the Cache Entry Absolute Expiration box, leave the 30 seconds default value unless instructed to change it by Coveo Support.

      This parameter indicates at what interval the security provider cache is reset. The use of this cache minimizes calls made to the plugin to retrieve policies. A value of 0 means no cache is used.

    7. Select the Viewing Application Data Only Requires Download Permission check box only when you want the security provider to allow access to ApplicationData type documents (Windchill local files) when a user has only the Download permission, rather than by default, when the user has the Read+Download permissions.

      Note: When you select this parameter, you must also add the ViewingApplicationDataOnlyRequiresDownloadPermission source parameter and set it to true (see Modifying Hidden PTC Windchill Source Parameters).

    8. In the Security Provider section, optionally select another security provider to allow the PTC Windchill security provider to map PTC Windchill accounts to another user type with which people are authenticated when they perform a search: 

      • Select None when you do not want to map PTC Windchill users to another user type.

        The security provider creates user members with the LDAP distinguished name (DN) retrieved from PTC Windchill.

      • When the Windchill LDAP is synchronized with an Active Directory, select the out-of-the-box Active Directory security provider to map PTC Windchill users to AD users.

        The PTC Windchill security provider maps users to Active Directory by extracting the UID of the LDAP distinguished name (DN) provided by Windchill.

        Example: When a PTC Windchill user distinguished name (DN) is uid=jbaker,ou=people,cn=administrativeldap,cn=windchill_10.1,o=ptc, the security provider outputs a SID declarator with the name jbaker by extracting the UID of this DN.

        Note: When a user exists in PTC Windchill, but does not exist in the Active Directory, a SID declarator is still created, but the Active Directory security provider will throw a SecurityInvalidUserGroupException because no mapping exists between this account and Active Directory.

      • When the email property is defined for all users in PTC Windchill and your users authenticated with this email when they perform a search, you can click Add to create, and then select an Email security provider (see Configuring an Email Security Provider).

      Note: When none of the above security provider types fulfill your needs, it may be possible to use a custom security provider like the REGEX Transform Member Name to bridge the gap between PTC Windchill accounts and another type of users (see Configuring a REGEX Transformation Security Provider).

    9. (Optional) In the Parameters section, click Add Parameter and then use the following hidden parameter when you want to map your PTC Windchill usernames to their Windows usernames:

      ActiveDirectoryDomainNameForMappings CES 7.0.7433+ (February 2015)

      Enter the Active Directory domain name used to map users in the Active Directory security provider. The default value is null. Consider changing the value when the Active Directory domain on which CES runs is not the desired domain.

      Example: When the ActiveDirectoryDomainNameForMappings parameter value is MyCompany and you expand the PTC Windchill user John, the security provider will expand this user to the AD user MyCompany\John.

      Note: This parameter is only used if you selected Active Directory in the Security Provider section (see step h).

    10. Leave the Allow Complex Identities option cleared as it does not apply to this type of security provider.

    11. Click Apply Changes.

What's Next?

Configure and index your PTC Windchill source (see Configuring and Indexing a PTC Windchill Source).

People who viewed this topic also viewed