What is PDM Attach and Administrative Access?

Gain an understanding of the SOLIDWORKS PDM archive server's attach and administrative access roles, including a suggested setup.

Have you ever seen a dialog like the one shown below appear when attaching to or creating a vault through the administrative utility? The first instinct is to enter the credentials for the SOLIDWORKS PDM administrator. However, the software isn’t expecting SOLIDWORKS PDM account credentials. On the contrary, the application needs Microsoft Windows credentials. Why, and how do you know?

Background

SOLIDWORKS PDM Standard and Professional editions both have an archive server component within the software server architecture. The archive server has an application called Archive Server Configuration. Part of the archive server setup during installation of the SOLIDWORKS PDM software is to choose Microsoft Windows accounts (domain and/or local) for administering and attaching to vaults. 

Attachment vs. Administrative Access

Windows user accounts with administrative access can create, remove, upgrade, and attach to file vaults. Attach access allows the user to create a local view. The SOLIDWORKS PDM local view is the gateway to the files and data stored within the application. Both roles can create local views, but people with administrative access can be much more dangerous. Exercise extreme caution when deciding which users should have administrative permission.

Configuring Administrative and Attach Access

  1. Open the SOLIDWORKS PDM Archive Server Configuration application. You must have direct access to the archive server.
  2. Click on “Tools” in the menu bar at the top of the form.
  3. Choose “Default Settings” from the submenu.
  4. Click on the “Security” tab.

Default user setup

Notice in the previous figure that both Administrative and Attach access have three local/built-in accounts: Administrators, Power Users, and Users. Do you see the security flaw here? The local group called “Users” is referenced under the administrative access role. This means that any user added to the local “Users” group on the archive server can do things like remove a vault. On the other hand, the local “Administrators” group already has attach access through the administrative access list. It does not hurt to put the “Administrators” group under both the administrative and attach access roles, but it is unnecessary and redundant.

Power Users

Have you ever used Windows NT or Windows 2000? Many of you reading this blog probably weren’t born yet. The Power Users group is a remnant of the past. Think of the Power Users group as Administrators light. They had most of the permissions of an Administrator. Power Users could do the following:

  • Install programs that do not modify operating system files or install system services.
  • Set up various system resources like power options, date, time, and/or printers.
  • Manage local user accounts and groups.
  • Stop and start system services.
  • Run legacy applications.

From Windows Vista onward, the Power Users group is no longer used; it was made obsolete by User Account Control (UAC). It was a casualty of Microsoft’s initiative to consolidate privilege elevation. Currently the Power Users group has privileges no different from a standard user account and shouldn’t be used for anything more due to security risks. Some organizations may still choose to use the Power Users group for elevated rights today, but this is not recommended.

Suggested Setup

Summary:

  • Delete Administrators, Power Users, and Users groups from both Administrative Access and Attach Access roles.
  • Create two local groups: “Pdm_Admins” and “Pdm_Users”.
  • Assign “Pdm_Admins” to the Administrative Access role.
  • Add “Pdm_Users” to the Attach Access role.

The main benefit of this suggestion is to make it easier to set up SOLIDWORKS PDM on a new server during a move. The person responsible for setting up the new archive server doesn’t require the IT department to immediately populate the groups with domain groups and/or users. Often the person installing the software has local administrative privileges and they can create groups without adding accounts to them. 


Part of the archive server installation procedure involves restoring a backup of the settings from the original server. If the source archive server had the same groups established, then no changes are required to the roles on the target server. Simply create the local groups. Either IT or the installation expert can add assignees to the local groups later.

Other reasons for applying the suggested procedure are readability, ease of maintenance, and better security. There is little question about the purpose of each group and its corresponding role.

Creating Local Groups

The user must have Windows privileges to perform this procedure. 


  1. Open Computer Management.
     a. Press Win (Windows key) + “R”.
     b. In the Run dialog, type “compmgmt.msc”.
  2. Click “Local Users and Groups” on the left side of the Computer Management form.
  3. Right click on “Groups” and choose “New Group…” from the context menu.
  4. Enter the group name and optionally add a description (strongly recommended) and members.
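
The same group creation can be scripted. The following is an added example, not part of the original article or of SOLIDWORKS documentation: it creates the two empty groups from the suggested setup and lists the current members of the built-in groups that the default configuration references, so you can see who holds access today before changing the roles. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets, English built-in group names, and constructed group descriptions; the access roles themselves are still edited in Archive Server Configuration.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the archive server in Windows PowerShell 5.1.
# Group names come from the article; the descriptions are constructed.
$pdmGroups = [ordered]@{
    'Pdm_Admins' = 'SOLIDWORKS PDM archive server: Administrative Access role'
    'Pdm_Users'  = 'SOLIDWORKS PDM archive server: Attach Access role'
}

foreach ($name in $pdmGroups.Keys) {
    if (Get-LocalGroup -Name $name -ErrorAction SilentlyContinue) {
        Write-Host "Group '$name' already exists; leaving it unchanged."
    } else {
        # Created empty on purpose: IT can add domain groups or users later.
        New-LocalGroup -Name $name -Description $pdmGroups[$name] | Out-Null
        Write-Host "Created empty local group '$name'."
    }
}

# Audit: list who currently sits in the built-in groups that the default
# configuration references, plus the new groups, before editing the roles.
# Assumes English group names; localized systems name these groups differently.
$toAudit = @('Administrators', 'Power Users', 'Users') + @($pdmGroups.Keys)
$report = foreach ($group in $toAudit) {
    try {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
        if ($members.Count -eq 0) {
            [pscustomobject]@{ Group = $group; Member = '(empty)'; Class = ''; Source = '' }
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group  = $group
                Member = $m.Name
                Class  = $m.ObjectClass       # User or Group
                Source = $m.PrincipalSource   # Local, ActiveDirectory, ...
            }
        }
    } catch {
        # Missing group, or a membership entry that cannot be resolved.
        $why = "(not readable: $($_.Exception.Message))"
        [pscustomobject]@{ Group = $group; Member = $why; Class = ''; Source = '' }
    }
}
$report | Format-Table -AutoSize
```

Domain groups that appear as members of “Users” (commonly the domain-wide users group on a domain-joined server) show how far the default administrative access list actually reaches.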

       

Adding a group to Administrative or Attach Access

The process of adding a group to one of the two access roles is the same. For this demonstration, we will focus on Administrative Access and adding the "Pdm_Admins" group to it.

  1. Go to "Default Settings" per the instructions earlier.
  2. Click on the "Security" tab followed by clicking the "Add..." button.
  3. Enter the name of the group into the text box and click the "Add" button. 


Windows login credentials

If a person sees the dialog box shown in the figure below, they are likely not a member of the Administrative Access or Attach Access role, depending on the action taken. For example, if the person is trying to create a new vault and they aren’t a member of the suggested Pdm_Admins local group, then the login form will appear requesting credentials for a user who is an administrator.

What are the key elements of the dialog that identify it as requiring Windows credentials? At first glance, it looks like a normal SOLIDWORKS PDM login form; however, there are some key characteristics that prove the dialog is not trying to authenticate the user for PDM.


There are two things to look for in the login screen: the archive server name and where the login authenticates through. The user might see something similar upon logging into Microsoft Windows. See the figure below. The Domain value is likely the same one applied during initial computer login. Please consult your IT administrator for more information.

Closing thoughts

The goal of this article is to provide more insight into Administrative Access and Attach Access roles. This should also clarify when a user would be prompted for Windows credentials and how to quickly identify this.

The local groups suggested herein are not required. Before making any security-related changes to the archive server, please contact your IT administrator for the best practices and company policy.

CADimensions does offer services for SOLIDWORKS PDM installations and server moves. If you want to learn more about our consulting services, please click on the following link:  

https://www.cadimensions.com/services/consulting/cad-administration-services/