Specialized Administration > Ensuring Data Security > Security Labels and Agreements > Agreements
  
Agreements
Agreements are available in Windchill solutions that have security labels enabled. You can use an agreement to authorize access to objects otherwise restricted by security labels. Depending on your configuration, your site may have standard agreements, context-based agreements, or both. Active standard agreements provide a set of participants (users, groups, or organizations) with clearance for one or more standard security label values or custom security labels on specified security-labeled objects. An active context-based agreement also provides a set of participants with clearance for one or more standard security label values or custom security labels, but the clearance is applied to all appropriately security-labeled objects within the context in which the agreement resides. Though the participants are authorized for the standard security label values or custom security labels applied to the objects, the participants still must have the appropriate access control permissions for the objects. Only members of an agreement managers group can create, modify, and delete agreements. Additionally, only members of the agreement managers group can see the Agreements page.
Agreement managers can access the Agreements page from the Site, Organization, Product, Program, Project, and Library contexts. The agreement folders and their contents are only accessible from the Agreements page and are not available on the Folders page for a context.
The scope of a standard agreement is limited to the context in which the agreement is defined and any descendent contexts. For example, if an agreement is created in a project context, it can only provide clearance for objects within that project. If a standard agreement is created in an organization context, it can provide clearance for objects in any project, program, product, or library created from the organization context. For more information about the scope of an agreement, see Scope of an Agreement.
* 
The scope of an agreement only applies to standard agreements. Context-based agreements apply only to the context in which they currently reside.
An agreement is only active for a particular span of time, which limits the participant's access to the specified objects to the time specified in the attributes of the agreement. When an agreement is created, a start date and end date are applied to determine the time that the agreement is active and will provide clearance for the authorized objects. For more information, see Agreement Status.
An agreement does not hold content, but can be associated with an authorization document. Each authorization document (or contract) is a textual explanation of the details of the agreement. Documents existing in Windchill and of the Document type or a subtype of Document can be associated with an agreement. For more information about associating an authorization document with an agreement, see Creating Agreements or Editing Agreements. For more information about creating a document in Windchill, see Adding a New Document.
The security-labeled objects associated with an agreement are called authorized objects. For standard agreements, the authorized objects must be specified for the agreement and are viewable from the agreement information page on the Authorized Objects table. Any security-labeled object can be associated with a standard agreement. For context-based agreements, all objects within the context in which the agreement resides are authorized objects and therefore are not displayed on the agreement information page. Objects in both a standard and context-based agreement are authorized by the agreement when they are in a specified life cycle state. Objects in a standard agreement must also be in a specified revision or range of revisions. For more information about authorized objects, see Agreement Authorized Objects.
Participants associated with an agreement are called authorized participants and are viewable from the agreement information page. Authorized participants can be users, groups, or organizations. For more information about authorized participants, see Authorized Participants Table.
For a participant to be cleared for a standard security label value or custom security label on a security-labeled object through an agreement, the following criteria must be met:
The agreement must be in the appropriate life cycle state as configured in the security labels configuration file.
The current date must be within the range of the start and end dates of the agreement.
At least one standard security label value of the object or one custom security label applied to the object must be associated with an agreement type and the agreement must be of that type or a subtype of the agreement type. If the Select Authorized Security Label Values step is enabled, the standard security label value or custom security label applied to the object also must be one of the authorized security label values selected for the agreement.
The object must be in one of the approved life cycle states.
The participant or a group of which the participant is a member must be one of the participants associated with the agreement.
The object must exist in the correct context.
Standard agreements: The object must exist in the same context as the agreement or in a descendent context.
Context-based agreements: The object must exist in the same context as the agreement.
The object must be an authorized object for the agreement.
Standard agreements: The object must be an associated authorized object for the agreement.
For versioned objects, a specific revision or range of revisions are associated with the agreement.
For iterated objects that are not versioned, all iterations are associated.
For all other objects, the object is associated with the agreement.
Context-based agreements: All objects in the same context as the agreement are authorized objects.