Advanced Customization > Business Logic Customization > Customizing Security Labels > Customizing Security Labels > Setting Up Custom Security Labels > Enabling Custom Security Labels > Handling an AccessControlSurrogate
  
Handling an AccessControlSurrogate
When Windchill access control service methods are called to evaluate a user's access rights to information, the methods may be given a persistable object or a wt.access.AccessControlSurrogate. The AccessControlSurrogate acts as a stand-in for a persistable object, to evaluate access rights for the information returned when a database query is performed requesting specific attributes of an object rather than a full persistable. The surrogate contains attributes from the class it is representing and includes all possible attributes necessary for making the access control decision.
The boolean isRestrictedBySecurityLabelValue(WTPrincipal principal, SecurityLabeled object, String label_name, String label_value) method defined by the wt.access.UnrestrictedPrincipalEvaluator class could be given an AccessControlSurrogate object. If you override this method in a custom Java evaluator class, your custom code should check if the object is an instance of AccessControlSurrogate before trying to check various attributes.
The wt.fc.ObjectIdentifier method getId() can be used to get the unique identifier of the represented persistable object. The class name in the ObjectIdentifier is wt.access.AccessControlSurrogate. The surrogate has a getTargetClassName method which can be used to get the class name of the represented persistable object. For example:
Class targetClass = Object.class;
if (object instanceof AccessControlSurrogate) {
try {
targetClass = Class.forName(((AccessControlSurrogate)
object).getTargetClassName());
}
catch (ClassNotFoundException cnfe) {
...
}
long id = PersistenceHelper.getObjectIdentifier(object).getId();
}
The attributes that are available on the AccessControlSurrogate depend on the type of the represented persistable object and whether Agreements are enabled on your system.
The following attributes are available and have supported APIs to access them.:
If the wt.admin.DomainAdministered interface is a superinterface of the target class, the wt.admin.DomainAdministeredHelper method getAdminDomainRef(DomainAdministered obj) can be used to get the object's domain reference.
If the wt.lifecycle.LifeCycleManaged interface is a superinterface of the target class, its getState() method can be used to get the object's life cycle state.
If the wt.access.SecurityLabeled interface is a superinterface of the target class, the wt.access.AccessControlManager method getSecurityLabels(SecurityLabeled object) can be used to get a map of the object's security labels and their values.
If Agreements are enabled on your system in addition to the SecurityLabeled interface being a superinterface of the target class:
If the wt.inf.container.WTContained interface is a superinterface of the target class, the wt.inf.container.WTContainerHelper method getContainer(WTContained contained) can be used to get the context of the object
If the wt.vc.Iterated interface is a superinterface of the target class, its getMasterReference() method can be used to get the ObjectReference of the iteration's master. Also, the wt.vc.VersionControlHelper method getBranchIdentifier(Iterated iteration) can be used to get the iteration's branch id
If the wt.vc.wip.Workable interface is a superinterface of the target class, the wt.vc.wip.WorkInProgressHelper method getState(Workable object) can be used to get the work-in-progress state of the object and its APIs such as isCheckedOut(Workable object), isReservedWorkingCopy(Workable object) and isPrivateWorkingCopy(Workable object) can be used to evaluate the state