Disabling Security Labels and Values
If a security label or standard security label value is no longer needed, then it should be disabled in the security labels configuration file. Disabled security labels and security label values are still enforced until the label or value is deleted.
A disabled security label:
• is not displayed on new object creation windows.
• is displayed as a column on the Object List table, which is available from the Edit Security Labels window. For standard security labels, only the current non-null value and the null value of the security label are displayed, and only the null value is selectable. For custom security labels, only the current non-null value and a blank value are displayed, and only the blank value is selectable. Once the label has a null value, the column for the disabled label can no longer be edited.
A disabled standard security label value:
• is not displayed in the list of selectable values for the security label on new object creation windows.
• is displayed on the Edit Security Labels window for existing objects only if it is the current value for the security label. Once the label value is changed, the disabled value is no longer displayed or selectable.
Disabling a Security Label or Label Value
To disable a security label or a standard security label value, complete the following steps:
1. Mark the security label or standard security label value as disabled in the security labels configuration file.
◦ For a security label, change the enabled parameter of the SecurityLabel or CustomSecurityLabel tag from true to false, for example:
<SecurityLabel name="EXPORT_CONTROL" enabled="false">
◦ For a standard security label value, change the enabled parameter of the SecurityLabelValue tag from true to false, for example:
<SecurityLabelValue name="UNK" enabled="false">
2. Change or remove any object initialization rules specifying the disabled security labels or label values.
3. Restart the method server to make the configuration changes effective.
|
If you chose to allow individual security labels to be configured as optional columns in custom table views, users who added the disabled security label as a column to their table view must remove the disabled security label column from their table view. If the user does not remove the column, the internal name of the security label displays rather than the display name. For more information about the optional configuration, see Step 17: Display Individual Security Labels in Table Views - Optional.
|
Removing Disabled Security Labels or Label Values
If you choose to remove a security label or standard security label value from the security labels configuration file entirely, rather than simply disabling it, you must first ensure that all uses of the security label or standard security label value are removed, object initialization rules, project or program templates, load files, and import files. If the security label settings on an object include labels or standard security label values that are not present in the security labels configuration file, an exception will be thrown any time that object is accessed.
To remove uses of a security label, change all uses of the security label to its null value.
To remove uses of a security label value, change all uses of that label value to the null value for the security label, or to a label value that will remain enabled.
To ensure that you have found and removed all uses of the security label or label value set on security-labeled objects, query the database. For example, you could run the following SQL query:
For security labels:
SELECT classnameA2A2, idA2A2, securityLabels FROM <TABLE_NAME> WHERE
securityLabels LIKE '%<SECURITY_LABEL_NAME>%';
For security label values:
SELECT classnameA2A2, idA2A2, securityLabels FROM <TABLE_NAME> WHERE
securityLabels LIKE '%<SECURITY_LABEL_VALUE>%';
where
• <SECURITY_LABEL_NAME> is the name of the security label for which you are querying. This value should match the name attribute value of the SecurityLabel element used in the security labels configuration file.
• <SECURITY_LABEL_VALUE> is the name of the security label value for which you are querying. This value should match the name attribute value of the SecurityLabelValue element used in the security labels configuration file.
• <TABLE_NAME> represents the table name for a security-labeled object type. Find the corresponding table name for the object type using the following procedure:
1. From within a windchill shell, run the following command:
infoReport <CLASS>
where <CLASS> is the class name of the object as found in the <Windchill>/conf/exposedSecurityLabelObjects.xml configuration file. For example, if the class name for the object is wt.doc.WTDocument, then run the following command:
infoReport wt.doc.WTDocument
2. Open the report output in a text editor.
3. In the report output, find the line that begins:
getBaseTableInfo().getTablename()
The value of this entry is the table name to be used in place of <TABLE_NAME> in the database query above. For example, from the output the wt.doc.WTDocument, the line reads:
getBaseTableInfo().getTablename() : WTDocument
|
In the database, all of the security label names and values applied to an object are concatenated into a single string. The % wild card characters allow the query to find each database table row containing the security label name or value being queried.
|
Run the SQL query against the table for each object type and for each security label or label value to be deleted.
After all uses of the security label name or standard security label value are removed, delete the security label or standard security label value from the security labels configuration file. You should also remove any reference to the security label or standard security label value from resource information files and other files where the security label or standard security label value were referenced during configuration. For the specific files and location where this information is specified, see
Configuring Security Labels.
Disabling Security Labels Functionality
The security labels functionality can be globally disabled by changing the enabled parameter of the SecurityLabelsConfiguration tag from true to false in the security labels configuration file, and restarting the method server. Existing security label settings can remain set, even with the functionality disabled.
|
Even if the security labels functionality is globally disabled, the resource key specified for each security label in the configuration file must exist in the accessModelRB.rbInfo file for the method server to start. The security labels and standard security label values set on any existing objects must also be present in the security labels configuration file in order for the objects to be accessed. If the security labels functionality is disabled, security labels are not enforced and security labels and agreements are not exposed in the Windchill user interface.
|