From 1a5feefb019a5686015077499f4f2a5dde6a612f Mon Sep 17 00:00:00 2001
From: cproudlock
Date: Thu, 16 Apr 2026 10:38:24 -0400
Subject: [PATCH] CMM: grant Users Modify on PC-DMIS install dirs for non-admin launch PC-DMIS writes settings, probe configs, and measurement data to its own Program Files install directory at runtime. Without Modify permission for BUILTIN\Users, non-admin accounts (ShopFloor) get a UAC elevation prompt on every launch. The "run as admin once" workaround can't be automated because PC-DMIS shows a license dialog on first run that blocks silently. Fix: grant BUILTIN\Users Modify with inheritance on: - C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit - C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit - C:\ProgramData\Hexagon Runs as Step 2.5 in 09-Setup-CMM.ps1 after Install-FromManifest completes. If the exe also has an embedded requireAdministrator manifest (separate from the file-permission issue), that will need an additional fix after testing.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1 | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1 b/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
index c341d5f..5300dea 100644
--- a/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
+++ b/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
@@ -124,6 +124,42 @@ else {
 Write-CMMLog "Install-FromManifest returned $rc"
 }
 
+# ============================================================================
+# Step 2.5: Grant Users write access to PC-DMIS install directories
+# ============================================================================
+# PC-DMIS writes settings, probe configs, and measurement data to its own
+# install directory at runtime. Without Modify permission for BUILTIN\Users,
+# non-admin accounts get a UAC elevation prompt on every launch. Granting
+# the ACL here is the Hexagon-documented approach for non-admin deployment
+# and avoids the need for a first-run-as-admin (which hits a license dialog
+# and can't be automated silently).
+$pcdmisDirs = @(
+ 'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit',
+ 'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit',
+ 'C:\ProgramData\Hexagon'
+)
+foreach ($dir in $pcdmisDirs) {
+ if (-not (Test-Path -LiteralPath $dir)) {
+ Write-CMMLog "PC-DMIS dir not found: $dir - skipping ACL"
+ continue
+ }
+ try {
+ $acl = Get-Acl -LiteralPath $dir
+ $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+ 'BUILTIN\Users',
+ 'Modify',
+ 'ContainerInherit,ObjectInherit',
+ 'None',
+ 'Allow'
+ )
+ $acl.AddAccessRule($rule)
+ Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop
+ Write-CMMLog "Granted BUILTIN\Users Modify on $dir"
+ } catch {
+ Write-CMMLog "Failed to set ACL on $dir : $_" "WARN"
+ }
+}
+
 # ============================================================================
 # Step 3: Stage runtime scripts to C:\Program Files\GE\CMM
 # ============================================================================
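Review bot: The `FileSystemAccessRule` built in the `try` block gives every local account Modify, inherited by all child files and folders, over both `C:\Program Files\Hexagon\PC-DMIS …` trees, which makes the PC-DMIS executables and DLLs replaceable by any non-admin user. If those binaries are ever started elevated (the commit message leaves a possible requireAdministrator manifest open) or by a different account, a user-writable install directory becomes a local privilege-escalation path. I would scope the grant to the account that needs it and to the folders PC-DMIS actually writes, e.g. `'<ShopFloor account or group>'` in place of `'BUILTIN\Users'` and `'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit\<writable-subfolder>'` in `$pcdmisDirs` (both are placeholders, to be filled in after checking what the application writes). If the whole tree really must be writable, the block comment should record that as an accepted risk and cite the Hexagon document it refers to, e.g. `# Accepted risk: install tree is user-writable; see <Hexagon doc reference>`.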