Specifying Authorized Participants for Custom Security Labels
A custom security label can have multiple label values. For custom security labels, authorized participants can be configured for all non-null security label values, not for individual security label values. For both standard and custom security labels, there are multiple ways to specify the authorized participants:
• Unspecified
If neither a UFID nor an EvaluatorClass is specified, the label value does not limit access to the objects with the label value applied and it becomes an informative marking.
• UFID Only
If an authorized participant is specified using a UFID, whether the participant (user, user-defined group, or organization) is cleared for access to the objects with the label value applied is indicated by the UFID value.
• EvaluatorClass Only
If an evaluator class is specified, its boolean isRestrictedBySecurityLabelValue (WTPrincipal principal, SecurityLabeled object, String label_name, String label_value) method is called when the access rights of a participant are evaluated to determine whether the participant is cleared for access to objects with the label value applied.
• Both UFID and EvaluatorClass
If both a UFID and an evaluator class are specified, the UFID is only used if the super.isRestrictedBySecurityLabelValue(principal, label_name, label_value) method is called and the result is used (i.e., the isRestrictedBySecurityLabelValue methods are not overridden in the evaluator class or an overridden method calls super.isRestrictedBySecurityLabelValue and makes use of the result).
|
|
Although authorized participants cannot be configured for individual custom security label values, the users that are authorized for each value can still be different when an evaluator class is configured. The evaluator class can return a different answer for each value applied to the object.
|
Using a UFID to Specify the Authorized Participants
When using only a UFID for the authorized participant, specifying a user-defined group to identify the authorized participants provides the most flexibility, as membership in the group can be modified as needed using the Participant Administration utility, the > page, or a third party LDAP tool to manage groups within an LDAP directory service. If a group is used as the authorized participant for a custom security label, the membership of the group can include other groups. Users who are not authorized participants for any value of the custom security label are denied access to objects with that label value applied, unless they are specifically granted temporary clearance to the value by being in the authorized participants set for an agreement. Being authorized for one security label does not automatically authorize a user for any other security label. Users must be cleared for all security labels that are set on an object to be able to access the object.
For example, a site might have a system outside of Windchill that tracks whether a user has completed ITAR training. The ITAR Clearance security label value on the Export Control standard security label value is configured with a custom evaluator. The custom evaluator queries the external system to determine if the user has completed the training. The evaluator method returns false for a user who has completed the training (when Yes is returned by the external system) and the user is cleared for the security label value.
Using a Custom Evaluator to Specify the Authorized Participants
When using a custom evaluator class to determine if a user is an authorized participant for a custom security label or standard security label value, the boolean isRestrictedBySecurityLabelValue (WTPrincipal principal, SecurityLabeled object, String label_name, String label_value) method is called. Windchilluses the boolean answer to determine if a user is an authorized participant for the security label value applied to the object.
For example, a site might have a system outside of Windchill that tracks whether a user has completed ITAR training. The ITAR Clearance security label value on the Export Control standard security label value is configured with a custom evaluator. The custom evaluator queries the external system to determine if the user has completed the training. The evaluator method returns false for a user who has completed the training (when Yes is returned by the external system) and the user is cleared for the security label value.
Using a Custom Evaluator and UFID to Specify the Authorized Participants
When using a custom evaluator class to determine if a user is an authorized participant for a security label value, the boolean isRestrictedBySecurityLabelValue(WTPrincipal principal, SecurityLabeled object, String label_name, String label_value) method is called, but this method can call the super.isRestrictedBySecurityLabelValue(principal, label_name, label_value) method to also incorporate the UFID specified in the security labels configuration file. If the super.isRestrictedBySecurityLabelValue method is called, then it is up to the evaluator to use the answer from super.isRestrictedBySecurityLabelValue in whatever way is desired.
For example, a site may have a system outside of Windchill that tracks whether a user has completed ITAR training. The ITAR Clearance-US security label value on the Export Control standard security label is configured with a custom evaluator. The custom evaluator queries the external system to determine if the user has completed the training. If the user has completed the training, the external system returns a value of Yes to the custom evaluator method. Then, the super.isRestrictedBySecurityLabelValue method is called and the user is evaluated to determine if they are a member of the US Persons group. If that is true, the user is cleared for the security label value and the method returns false. If the user has not completed the training, the external system returns a value of No to the custom evaluator method and the super.isRestrictedBySecurityLabelValue method is not called, the method returns true and the user is not cleared for the security label.
> page, or a third party LDAP tool to manage groups within an LDAP directory service. If a group is used as the authorized participant for a custom security label, the membership of the group can include other groups. Users who are not authorized participants for any value of the custom security label are denied access to objects with that label value applied, unless they are specifically granted temporary clearance to the value by being in the authorized participants set for an agreement. Being authorized for one security label does not automatically authorize a user for any other security label. Users must be cleared for all security labels that are set on an object to be able to access the object.
