Specifying Authorized Participants for Custom Security Labels
A custom security label can have multiple label values. For custom security labels, authorized participants can be configured for all non-null security label values, not for individual security label values. For both standard and custom security labels, there are multiple ways to specify the authorized participants:
• Unspecified
If neither a UFID nor an EvaluatorClass is specified, the label value does not limit access to the objects with the label value applied and it becomes an informative marking.
• UFID Only
If an authorized participant is specified using a UFID, whether the participant (user, user-defined group, or organization) is cleared for access to the objects with the label value applied is indicated by the UFID value.
• EvaluatorClass Only
If an evaluator class is specified, its boolean isRestrictedBySecurityLabelValue (WTPrincipal principal, SecurityLabeled object, String label_name, String label_value) method is called when the access rights of a participant are evaluated to determine whether the participant is cleared for access to objects with the label value applied.
• Both UFID and EvaluatorClass
If both a UFID and an evaluator class are specified, the UFID is only used if the super.isRestrictedBySecurityLabelValue(principal, label_name, label_value) method is called and the result is used (i.e., the isRestrictedBySecurityLabelValue methods are not overridden in the evaluator class or an overridden method calls super.isRestrictedBySecurityLabelValue and makes use of the result).
|
|
Although authorized participants cannot be configured for individual custom security label values, the users that are authorized for each value can still be different when an evaluator class is configured. The evaluator class can return a different answer for each value applied to the object.
|
