SecurityLabel Element
The SecurityLabel element contains the data for defining a standard security label, including possible security label values, the authorized participant for each value (if not all users), the agreement type (if any) associated with the label value, and various mappings used by applications and services to process security labels. There should be one SecurityLabel element for each standard security label you configure. For example:
<SecurityLabel name="EXPORT_CONTROL" enabled="true">
    <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|EXPORT_CONTROL</SecurityLabelResourceKey>
    <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel1</SecurityLabelValueResourceClass>
    <SecurityLabelValue name="LNS" enabled="true">
        <UnrestrictedPrincipal>
            <ufid>cn=US Persons,cn=Public,ou=people,cn=AdministrativeLdap,cn=Windchill_9.1,o=ptc|Ldap.ptcnet.ptc.com|Ldap.ptcnet.ptc.com</ufid>
            <AgreementType>
                <logicalTypeId>com.ptc.security.SEA</logicalTypeId>
            </AgreementType>
        </UnrestrictedPrincipal>
    </SecurityLabelValue>
    .
    .
    .
    .
    <SecurityLabelParameter>EXPORT_CONTROL</SecurityLabelParameter>
    <MultiValueLogicalOperator>OR</MultiValueLogicalOperator>
</SecurityLabel>
The name attribute of the SecurityLabel element must match the internal name of the security label specified in Step 1 of this configuration. In this case, it is EXPORT_CONTROL. This internal name is not displayed in the user interface; the corresponding display name specified in Step 1 is displayed instead. For this security label to be available in your Windchill solution, the enabled attribute must be set to true.
The SecurityLabelResourceKey element represents the resource key for the label, and is specified in the following format:
WCTYPE|wt.access.SecurityLabeled~SCA|<SECURITY_LABEL>

where <SECURITY_LABEL> is the internal name of the security label as specified in Step 1.
* Even if security labels are globally disabled, the security label within the resource key must match the internal name of the security label created in Step 1 of this configuration. For more information on disabling security labels, see Administering Security Labels.
The SecurityLabelValueResourceClass element represents the resource file that contains the localized strings for the properties of each security label value. The name of this resource file can be determined using the internal name of the enumeration that you customized in Step 2 when defining the security label values.
In the example, the internal name of the enumeration that holds the values for the Export Control security label is wt.access.configuration.SecurityLabel1RB, so the value that must be specified for SecurityLabelValueResourceClass is wt.access.configuration.SecurityLabel1.
The name attribute of the SecurityLabelValue element specifies the internal name of the security label value. For the label value to be available in your Windchill solution, the enabled attribute must be set to true. The null value for the security label is automatically present and is not specified here.
* The name attribute of the SecurityLabel element and the name attribute of the SecurityLabelValue element are stored together as a name/value pair in the database. Although the system allows you to specify as many security labels as desired, the name/value pairs are stored in a single database column. The number of security labels that can be set is limited by the column size (4000). As these values are generally not seen in the user interface, it is recommended that the values be kept as short as possible, but still be meaningful.
Each SecurityLabelValue element can have a single UnrestrictedPrincipal subelement, which specifies the authorized participant for this security label value. The authorized participant is cleared for the security label value. If the UnrestrictedPrincipal subelement is omitted, all users are cleared for access to objects with the label value.
Each UnrestrictedPrincipal subelement can have a ufid subelement. The UFID, or Unique Federation Identifier, specifies a participant, which can be a user, user-defined group, or organization. For information on how to specify a UFID, see Specifying a UFID.
The order in which the SecurityLabelValue elements are specified is the order in which the non-null values display in selection lists.
Each UnrestrictedPrincipal element can optionally have an AgreementType subelement. An agreement can be used to grant temporary clearance to users who are not authorized participants for this security label value. The content for the AgreementType element is specified in the following format:
<logicalTypeId><AGREEMENT_NAME></logicalTypeId>
where <AGREEMENT_NAME> is the internal name of the agreement type or subtype.
For more information about the agreement type, see Agreement Type and Subtypes.
The optional MultiValueLogicalOperator element is used for configuring the standard security label to have multiple values. MultiValueLogicalOperator is always the last element within the SecurityLabel element. This element contains the OR or AND condition which determines the evaluation method for allowing a user to access a security labelled object. For more information, see Security Label with Multiple Values.
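The following check is an added example, not PTC code or a Windchill tool. It reviews one SecurityLabel element against the rules in this topic, including flagging label values that omit UnrestrictedPrincipal and therefore clear all users. The function name lint_security_label, the OPEN value name, the shortened ufid, and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

KEY_PREFIX = "WCTYPE|wt.access.SecurityLabeled~SCA|"  # format given in this topic

# Constructed sample (not from the page): wrong resource key, a value with no
# UnrestrictedPrincipal, and a misplaced, invalid MultiValueLogicalOperator.
SAMPLE = """<SecurityLabel name="EXPORT_CONTROL" enabled="true">
  <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|EXPORT_CTRL</SecurityLabelResourceKey>
  <SecurityLabelValue name="LNS" enabled="true">
    <UnrestrictedPrincipal><ufid>cn=US Persons,cn=Public,o=example</ufid></UnrestrictedPrincipal>
  </SecurityLabelValue>
  <SecurityLabelValue name="OPEN" enabled="true"/>
  <MultiValueLogicalOperator>XOR</MultiValueLogicalOperator>
  <SecurityLabelParameter>EXPORT_CONTROL</SecurityLabelParameter>
</SecurityLabel>"""

def lint_security_label(xml_text):
    """Return (severity, message) findings for one SecurityLabel element."""
    label = ET.fromstring(xml_text)
    name = label.get("name", "")
    findings = []
    if label.get("enabled") != "true":
        findings.append(("info", f"label {name} is not enabled"))
    # Strip whitespace so a key wrapped across lines still compares correctly.
    key = "".join((label.findtext("SecurityLabelResourceKey") or "").split())
    if key != KEY_PREFIX + name:
        findings.append(("error", f"resource key {key!r} does not match label name {name}"))
    for value in label.findall("SecurityLabelValue"):
        vname = value.get("name")
        principals = value.findall("UnrestrictedPrincipal")
        if not principals:
            # Omitting the subelement clears every user for this value.
            findings.append(("warn", f"value {vname}: no UnrestrictedPrincipal, all users are cleared"))
        elif len(principals) > 1:
            findings.append(("error", f"value {vname}: more than one UnrestrictedPrincipal"))
        elif not (principals[0].findtext("ufid") or "").strip():
            findings.append(("warn", f"value {vname}: UnrestrictedPrincipal has no ufid"))
    children = list(label)
    for i, child in enumerate(children):
        if child.tag == "MultiValueLogicalOperator":
            if (child.text or "").strip() not in ("OR", "AND"):
                findings.append(("error", "MultiValueLogicalOperator must be OR or AND"))
            if i != len(children) - 1:
                findings.append(("error", "MultiValueLogicalOperator must be the last element"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_security_label(SAMPLE):
        print(severity, message)
```

Treat the "all users are cleared" warning as a review prompt: confirm that each value without an UnrestrictedPrincipal is meant to be unrestricted.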