Create a Custom Java Evaluator Class

If custom evaluation is needed when determining if a participant is restricted by a security label value, or when determining if a participant is able to modify a security label value, then a custom Java evaluator class is required.

A custom Java evaluator class can be used to determine if a participant is restricted by the security label value specified and to determine if the participant is able to modify the security label value. To do this, the class must extend the wt.access.UnrestrictedPrincipalEvaluator class.

The wt.access.UnrestrictedPrincipalEvaluator class contains four methods. Any of these methods can be overridden, depending on whether the default behavior is sufficient:

• boolean isRestrictedBySecurityLabelValue(WTPrincipal principal, String label_name, String label_value) - Determines if a participant is restricted by the security label value by evaluating the participant, the security label, and the security label value.

If this method is not overridden, its default behavior evaluates the UFID provided in the security labels configuration file to determine if the participant is the user specified by the UFID or a member of the group or organization specified by the UFID. To get the default answer in your overridden method, include a call to super.isRestrictedBySecurityLabelValue(principal, label_name, label_value) in your class.

• boolean isRestrictedBySecurityLabelValue(WTPrincipal principal, SecurityLabeled object, String label_name, String label_value) - Determines if a participant is restricted by the security label value by evaluating the participant, the object, the security label, and the security label value. The object could be an AccessControlSurrogate. The AccessControlSurrogate acts as a stand-in for a persistable object, and contains all the attributes Windchill needs to determine access rights without having the full persistable object. For more information about an AccessControlSurrogate, seeHandling an AccessControlSurrogate.

If this method is not overridden, its default behavior is to call the boolean isRestrictedBySecurityLabelValue(WTPrincipal principal, String label_name, String label_value) method.

• boolean isAllowedToModifySecurityLabelValue(WTPrincipal principal, SecurityLabeled object, String label_name, String label_value) - Determines if a participant is allowed to modify the security label value by evaluating the participant, the security label, the security label value, and the object.

If this method is not overridden, its default behavior evaluates the UFID provided in the security labels configuration file to determine if the participant is the user specified by the UFID or a member of the group or organization specified by the UFID. To get the default answer in your overridden method, include a call to super.isAllowedToModifySecurityLabelValue(principal, object, label_name, label_value) in your class.

• WTKeyedHashMap isAllowedToModifySecurityLabelValues(WTPrincipal principal, WTKeyedMap objects_to_security_labels_map) - Determines if a participant is allowed to modify specified security label / value pairs on a collection of objects. A separate Boolean result is returned for each specified combination of label, value, and object.

If this method is not overridden, its default behavior is to call the single-value evaluator, isAllowedToModifySecurityLabelValue, for each of the label/value pairs, for each of the objects. This may cause performance issues if, for example, the evaluation requires separately querying an external system for each evaluation. The custom evaluator may therefore override this method with a more efficient implementation- for example, combining calls to the external system, or caching results to avoid repetitive evaluations.

An example custom Java evaluator class can be found in the <Windchill>/prog_examples/access directory. For more information about the use case and setting up Windchill to use the example, refer to the Javadoc for the custom Java evaluator class for each of the implemented methods.