Authorizations for Product Structure and Assembly Management
You can use this concept to control access to the following objects in Product Structure and Assembly Management:
Product family
Product item
Product view
Product variant
Product item variant
Assembly group
Assembly header
Assembly item
The Web user interface (Web UI) of SAP Product Lifecycle Management (SAP PLM) integrates product structure objects with the following objects from Access Control Management (ACM):
Access control contexts
Access control lists
For more information, see Authorizations and Access Control Context (PLM-WUI-APP-ACC) and Definition of Sample Context Roles.
The following authorization concept applies to the product structure objects:
Access rights granted by access control contexts and context roles:
The context roles of a user in an access control context define, per object type (for example, product family or derived object types, product item), the actions that the user may carry out on product structure objects that belong to this context or are assigned to it. The product structure objects delivered in SAP PLM Web UI are not accessible to a user when they belong to contexts that are not related to the user. When a user tries to access a product structure object and the object is owned by a context, the system grants access only when the user has a context role, in the owning context or in a compound context, that allows an activity for the object type (assuming that no ACL exists for the user).
Access control contexts are a natural way to reflect the organizational structure of a company along with the responsibilities of users within this structure.
Access rights granted by access control lists (ACLs) to handle exceptional cases at the single object instance level:
ACLs grant or deny access rights individually for every product structure object and for every user. Authorizations defined by ACLs override authorizations within an access control context. ACLs apply to one product structure object only and the inheritance of ACLs is not supported.
ACL authorizations are intended for exceptional cases where contexts are not appropriate.
Assignment of access control contexts:
You can specify an owning context on the initial screen when you create a product structure object. This owning context is displayed in the specific product structure object screen. When you create a new product structure object, specifying the context is mandatory if you are not a trusted user.
When you choose on the product structure or the product assembly screen, you can specify the ACC for all the subordinate objects that you create from the current object in the future. This ACC does not apply to the current object or to the previously created subordinate objects. This ACC is only active for the current session and is not active when you reload the product structure or the product assembly.
When you choose , you can transfer object ownership or assign the selected object to another context. This change of authorization is not limited to the current session and is valid when you reload the object. You can display the owning context in the Authorizations tab and the Administrative Data tab.
Accessing the product structure objects from the ACC screens and related processes:
You can assign product structure objects to a context from the ACC screen. You can change the ownership of a product structure object. On the Transfer Object Ownership or Assign Objects to Other Context screen, you can use the explosion feature for a product structure object to add linked objects and objects from subhierarchies. You can assign a product structure object to another context without giving up ownership so that other members of the owning context have access to the product structure object. For more information, see Administration of Object Transfers.
Search results in the PLM Web UI list only those product structure objects that a user is authorized to access. If you do not have the Read activity for an object type (for example, a product item variant) from a PFCG role, the search does not include these objects in the search result list. A PFCG role grants the possible activities for an object type in the system, whereas a context role restricts the granted activities to specific access control contexts (for example, the Change activity granted by a PFCG role can be restricted to the Read activity with a context role).
The object navigator is the standard user interface for all users who do not have administrative rights for access control contexts. These users cannot access the ACC screen. For more information, see View Layout for Product Structure and View Layout for Product Assembly. The object navigator only displays specific information and objects, related to a context, corresponding to the user's authorizations.
The full display of information and objects is only available to users with the Context Administrator context role.
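The decision order described on this page, sketched as an added Python model (not SAP code and not part of the original page). The class and function names, the sample data, the treatment of the PFCG role as an upper bound that an ACL cannot exceed, and the handling of objects without an owning context are assumptions; compound contexts are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    pfcg: dict            # object type -> activities possible system-wide (PFCG role)
    context_roles: dict   # context -> {object type -> activities allowed there}

@dataclass
class PsObject:
    key: str
    obj_type: str
    owner: Optional[str] = None                  # owning context
    assigned: set = field(default_factory=set)   # contexts the object is also assigned to
    acl: dict = field(default_factory=dict)      # user -> {activity: True (grant) / False (deny)}

def is_allowed(user, obj, activity):
    # PFCG role is the upper bound (assumption: nothing below can exceed it).
    if activity not in user.pfcg.get(obj.obj_type, set()):
        return False
    # An ACL entry on this single object overrides the context result, grant or deny.
    entry = obj.acl.get(user.name, {})
    if activity in entry:
        return entry[activity]
    # Assumption: an object with no owning context is governed by PFCG alone.
    if obj.owner is None:
        return True
    # Otherwise a context role in the owning or an assigned context must allow it.
    for ctx in {obj.owner} | obj.assigned:
        if activity in user.context_roles.get(ctx, {}).get(obj.obj_type, set()):
            return True
    return False

def search(user, objects):
    # Search results list only objects for which the user has the Read activity.
    return [o.key for o in objects if is_allowed(user, o, "Read")]

# Constructed sample data (context names and object keys are made up).
ALICE = User("alice",
             pfcg={"product_item": {"Read", "Change"}},
             context_roles={"CTX_ENGINE": {"product_item": {"Read"}}})
OBJECTS = [
    PsObject("PI-1", "product_item", owner="CTX_ENGINE"),
    PsObject("PI-2", "product_item", owner="CTX_BODY"),
    PsObject("PI-3", "product_item", owner="CTX_BODY", acl={"alice": {"Read": True}}),
    PsObject("PI-4", "product_item", owner="CTX_ENGINE", acl={"alice": {"Read": False}}),
    PsObject("PI-5", "product_item", owner="CTX_BODY", assigned={"CTX_ENGINE"}),
    PsObject("PV-1", "product_variant", owner="CTX_ENGINE"),
]
```

PI-3 and PI-4 are the cases to check during an access review: the ACL grants Read outside the user's contexts on one and denies it inside them on the other, and neither shows up when only context roles are audited.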