Modify Security Labels Permission
Product: Windchill
Release: 11.0 F000
Benefit
The new Modify Security Labels permission provides more precise control to administrators when specifying which users can modify security labels.
Additional Details
Previously, a security label could be modified by participants who were granted the Modify permission, provided they were also an authorized participant for the security label value on the object. Modify Security Labels is a new permission that determines which participants can change security labels values. This allows administrators to separately manage access controls for modifying security labels and other object attributes. Now, participants must have the Modify Security Labels permission instead of the Modify permission in order to modify security labels; however, the participant must still be an authorized participant for the object’s security label value that the participant wants to modify.
Modify Security Labels permission has been added to permission tables throughout Windchill, including the following areas: Policy Administration utility; Edit Access Control window; workflow, life cycle, and container templates; and object creation windows.
Visibility of the Modify Security Labels permission can be controlled with two Security preferences in the Preference Management utility. Access Permission Configuration and Access Permission Configuration (PDM) determine if users can see or update permissions throughout Windchill.
Four data migrators have been introduced in the upgrade process that by default grant the new Modify Security Labels permission to participants in Windchill 11.0 who were granted Modify permission in previous releases. Previously, if a participant had either the Modify or Full Control (All) access control permission on an object and they were an authorized participant for an object’s security labels, then the participant was able to modify security labels on that object. Similarly, if the participants were denied or absolutely denied Modify permission, then they are denied or absolutely denied the new Modify Security Labels permission.
The migrators check for access control rules in the following areas in Windchill:
• Policy access control rules defined in the Windchill system
• Ad hoc access control rules defined for individual objects in the Windchill system
• Policy and ad hoc access control rules specified by container templates
• Ad hoc access control rules specified by variables in workflow templates
• Ad hoc access control rules specified by life cycle templates
| Optionally, you can configure the migrators to check for access control rules with a permission other than Modify, when adding the new Modify Security Labels permission. |
