SecurityLabel element
The SecurityLabel element contains the data for defining a standard security label, including possible security label values, the authorized participant for each value (if not all users), the agreement type (if any) associated with the label value, and various mappings used by applications and services to process security labels. There should be one SecurityLabel element for each standard security label you configure. For example:
<SecurityLabel name="EXPORT_CONTROL" enabled="true">
<SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|
EXPORT_CONTROL</SecurityLabelResourceKey>
<SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel1
</SecurityLabelValueResourceClass>
<SecurityLabelValue name="LNS" enabled="true" downloadAckMessageKey=
"LNS_DownloadAck" downloadAckUsers="AgreementAuthorized">
<UnrestrictedPrincipal>
<ufid>cn=US Persons,cn=Public,ou=people,cn=AdministrativeLdap,
cn=Windchill_9.1,o=ptc|Ldap.ptcnet.ptc.com|
Ldap.ptcnet.ptc.com</ufid>
<AgreementType>
<logicalTypeId>com.ptc.security.SEA</logicalTypeId>
</AgreementType>
</UnrestrictedPrincipal>
</SecurityLabelValue>
.
.
.
.
<SecurityLabelParameter>EXPORT_CONTROL</SecurityLabelParameter>
</SecurityLabel>
The name attribute of the SecurityLabel element is the string that is stored in the database for this security label, in this case, EXPORT_CONTROL. For this security label to be available in your Windchill solution, the enabled attribute must be set to true. This name value does not generally show in the user interface; the display name for this security label was defined in Step 1 of this configuration.
The SecurityLabelResourceKey element represents the resource key for the label, and is specified in the following format:
WCTYPE|wt.access.SecurityLabeled~SCA|<SECURITY_LABEL>
where
<SECURITY_LABEL> is the value of the
name attribute on the
SecurityLabel element. This resource key must be present in the
accessModelRB.rbInfo resource file edited in
Define Security Labels.
|
Even if security labels are globally disabled, the security label resource keys specified in the configuration file must exist in the accessModelRB.rbInfo file in order for the method server to start. For more information on disabling security labels, see Administering Security Labels.
|
The
SecurityLabelValueResourceClass element represents the resource file where the resource keys for the label value localized strings (such as name and description) are stored. These resource keys were defined in
Define Security Label Values. This element contains the resource file class name.
The name attribute of the SecurityLabelValue element specifies the string that is stored in the database for this label value. The same value is used in the resource file associated with the SecurityLabelValueResourceClass as the resource key for the security label value localized strings. For the label value to be available in your Windchill solution, the enabled attribute must be set to true. The null value for the security label is automatically present and is not specified here.
|
The name attribute of the SecurityLabel element and the name attribute of the SecurityLabelValue element are stored together as a name/value pair in the database. Although the system allows you to specify as many security labels as desired, the name/value pairs are stored in a single database column. The number of security labels that can be set is limited by the column size (4000). As these values are generally not seen in the user interface, it is recommended that the values be kept as short as possible, but still be meaningful.
|
If you are using download acknowledgement, include the downloadAckMessageKey attribute and the downloadAckUsers attribute. The value for the downloadAckMessageKey attribute is the key specified in the securityLabelDownloadAckResource.rbInfo file. The value for the downloadAckUsers attribute can be one of the following:
• None: no users are shown the download confirmation message
• AgreementAuthorized: only users authorized through an agreement are shown the download confirmation message
• AllAuthorized: all authorized users are shown the download confirmation message
Each SecurityLabelValue element can have a single UnrestrictedPrincipal subelement, which specifies the authorized participant for this security label value. The authorized participant is cleared for the security label value. If the UnrestrictedPrincipal subelement is omitted, all users are cleared for access to objects with the label value.
Each
UnrestrictedPrincipal subelement can have a
ufid sublement. The UFID, or Unique Federation Identifier, specifies a participant, which can be a user, user-defined group, or organization. For information on how to specify a UFID, see
Specifying a UFID. Each
UnrestrictedPrincipal element can also have an
evaluatorClass subelement, which specifies the evaluator class created in
Create a Custom Java Evaluator Class. The
ufid subelement and the
evaluatorClass subelement can either be used together or individually under the
UnrestrictedPrincipal element. For more information about the differences between using a
ufid subelement, an
evaluatorClass subelement, or both, see
Specifying Authorized Participants.
The order in which the SecurityLabelValue elements are specified is the order in which the non-null values display in selection lists.
Each UnrestrictedPrincipal element can optionally have an AgreementType subelement. An agreement can be used to grant temporary clearance to users who are not authorized participants for this security label value. The content for the AgreementType element is specified in the following format:
<logicalTypeId><AGREEMENT_NAME></logicalTypeId>
where <AGREEMENT_NAME> is the internal name of the agreement type or subtype.
For more information about the agreement type, see
Agreement Type and Subtypes.
The optional
SecurityLabelParameter element contains the parameter name used by various authoring applications as a file attribute to map to this security label.
SecurityLabelParameter is always the last element within the
SecurityLabel element. The parameter name must follow any restrictions for parameter names that exist for the authoring applications. For information on how this element is used, see
Security Label Parameter for CAD Application Clients.