Step 24. Define Object Initialization Rules for Security Labels - Optional
It is important that security labels are set appropriately on objects before the objects are made available within your system. For example, security labels should be set when the object is initially checked in to prevent exposing sensitive information to unintended audiences. If a security label is not set when an object is created, the security label automatically defaults to its null value. The object is then unrestricted and can be viewed by any user with Read access to the object. It is your responsibility to define object initialization rules where non-null default security label values are necessary.
Some objects do not have a user interface for creation. For example, there is no interface for promotion notices and documents created using the Upload Documents from Compressed File action. If these objects should be restricted, then they must have object initialization rules defined so that the appropriate security label values are set when the objects are created.
Object initialization rules can also be used to set default security label values for object types that do use a creation user interface. For a list of objects that can be security labeled, see the <Windchill>/conf/exposedSecurityLabelObjects.xml file, where <Windchill> is the location where your Windchill solution is installed.
The following attribute constraints are available for setting security label values on a new object window:
• GetHiddenConstraint: Hides the security label and security label value from the new object window.
• GetDiscreteSetConstraint: Displays only the label values specified in the object initialization rule in a drop-down list.
If you are using custom security labels, setting an object initialization rule with the GetDiscreteSetConstraint attribute constraint allows you to limit the values a user can specify for the custom security label.
• GetImmutableConstraint: Prevents the user from changing the displayed value.
• GetServerAssignedConstraint: Displays the label name, but not the label values. The text displayed in place of the value is (Generated).
• GetServerPreGeneratedValue: Displays the specified value as the default value for the label.
Object initialization rules are created and edited through the Object Initialization Rules Administration utility. The following procedure provides the general steps for creating or updating an object initialization rule for an object type. For detailed information on using the Object Initialization Rules Administration utility, see Object Initialization Rules Table.
1. Open the Object Initialization Rules Administration utility from the Utilities page of the context for which you want to define the rule. Object initialization rules can be specified at any context level. This means that you can set a default rule for all objects of a type in the site level context, and specify a different rule in an organization context, or in a particular application context, such as a product or a project. For example, you could specify an object initialization rule such that any document created in your site has a default Corporate Proprietary security label value of Private, but specify that all documents in a particular project have a default Corporate Proprietary security label value of Company Most Private.
2. If a rule exists for the object type, download the existing rule to your local machine, and open the XML file in a text editor. If you are creating a new rule, PTC recommends that you download an existing rule and save it as a new file to use as a template for the new rule.
3. Edit the XML file to add the desired default value for a security label. While only one object initialization rule can exist for an object in a particular context, that rule can contain multiple elements.
For example, to specify that the Export Control security label should default to License Required - State, and that this value is selected by default if a list of values is displayed, add the following:
<!--set default security label values-->
<AttrValue id="EXPORT_CONTROL" algorithm="wt.rule.algorithm.StringConstant">
  <Arg>LNS</Arg>
</AttrValue>
<AttrConstraint id="EXPORT_CONTROL" algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
  <Value algorithm="com.ptc.core.rule.server.impl.GetServerPreGeneratedValue"/>
</AttrConstraint>
The algorithm to use for default security label values needs to produce a string containing the security label value name as described for the <Arg> element. For example, the wt.rule.algorithm.StringConstant algorithm can be used.
The value for the AttrValue element id attribute is the security label name defined in the security labels configuration file.
An AttrValue element can be added for each security label on your system.
The Arg element should be the security label value name specified in the securityLabelsConfiguration.xml file for a standard security label and the external value of the security label value for a custom security label.
4. Save the XML file to a known location on your machine. If desired, you can give the file a meaningful name.
5. If you edited an existing rule, select Edit from the actions list for the rule in the Object Initialization Rules Administration table. Browse to the XML file you just edited.
If you are creating a new rule, click the new object initialization rule icon. Enter the name and type identifier for the object and browse to the XML file that you just edited.
6. Click OK. The rule immediately takes effect. There is no need to restart the method server.
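The edited XML file can be checked offline before it is uploaded in step 5. The following is an added example, not PTC code: it flags labels that would fall back to the null (unrestricted) value and algorithm class names damaged by a line wrap. The `AttributeValues` wrapper element, the list of required labels, and treating `NULL` as the name of the null value are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule. The AttributeValues wrapper and objType are assumptions;
# the AttrValue/AttrConstraint elements follow the page. The last Value has a
# class name broken across two lines, as happens when a wrapped snippet is pasted.
SAMPLE_RULE = """
<AttributeValues objType="wt.doc.WTDocument">
  <AttrValue id="EXPORT_CONTROL" algorithm="wt.rule.algorithm.StringConstant">
    <Arg>LNS</Arg>
  </AttrValue>
  <AttrConstraint id="EXPORT_CONTROL" algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
    <Value algorithm="com.ptc.core.rule.server.impl.GetServerPreGeneratedValue"/>
  </AttrConstraint>
  <AttrConstraint id="CORPORATE_PROPRIETARY" algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
    <Value algorithm="com.ptc.core.rule.server.impl.
GetHiddenConstraint"/>
  </AttrConstraint>
</AttributeValues>
"""

def audit_rule(xml_text, required_labels):
    """Return sorted (label_id, finding) pairs for one rule file."""
    root = ET.fromstring(xml_text)
    defaults, findings = {}, set()
    for attr_value in root.iter("AttrValue"):
        first = attr_value.find("Arg")
        text = (first.text or "").strip() if first is not None else ""
        # Assumption: "NULL" names the null (unrestricted) value, as in the
        # page's GetDiscreteSetConstraint example.
        defaults[attr_value.get("id")] = text if text != "NULL" else ""
    for constraint in root.iter("AttrConstraint"):
        label = constraint.get("id")
        for value in constraint.findall("Value"):
            algorithm = value.get("algorithm", "")
            if any(ch.isspace() for ch in algorithm):
                findings.add((label, "whitespace in algorithm class name"))
            short = "".join(algorithm.split()).rsplit(".", 1)[-1]
            # A hidden label with no default is created with the null value.
            if short == "GetHiddenConstraint" and not defaults.get(label):
                findings.add((label, "hidden label has no non-null default"))
    for label in required_labels:
        if not defaults.get(label):
            findings.add((label, "no non-null default value"))
    return sorted(findings)

if __name__ == "__main__":
    for label, finding in audit_rule(SAMPLE_RULE, ["EXPORT_CONTROL", "CORPORATE_PROPRIETARY"]):
        print(f"{label}: {finding}")
```

An empty result means every required label has a non-null default and no hidden label is left without one.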
Examples
The following examples illustrate how attribute constraints can be applied to security label value selection for the Corporate Proprietary example security label. For more information about the example label and the available values, see Corporate Proprietary—Example Security Label.
• Desired behavior: Set the security label to a default value and hide the security label so the user cannot change the value. If a default value is not specified, the null (unrestricted) value is set.
Attribute constraints: GetHiddenConstraint
Example:
<AttrValue id="CORPORATE_PROPRIETARY" algorithm="wt.rule.algorithm.StringConstant">
  <Arg>INT</Arg>
</AttrValue>
<AttrConstraint id="CORPORATE_PROPRIETARY" algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
  <Value algorithm="com.ptc.core.rule.server.impl.GetHiddenConstraint"/>
</AttrConstraint>
• Desired behavior: Set the security label to a default value and make the value visible, but read-only.
Attribute constraints: GetServerPreGeneratedValue and GetImmutableConstraint
Example:
<AttrValue id="CORPORATE_PROPRIETARY" algorithm="wt.rule.algorithm.StringConstant">
  <Arg>INT</Arg>
</AttrValue>
<AttrConstraint id="CORPORATE_PROPRIETARY" algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
  <Value algorithm="com.ptc.core.rule.server.impl.GetServerPreGeneratedValue"/>
  <Value algorithm="com.ptc.core.rule.server.impl.GetImmutableConstraint"/>
</AttrConstraint>
• Desired behavior: Display (Generated) and set the value when the object is created.
Attribute constraints: GetServerAssignedConstraint and GetImmutableConstraint
Example:
<AttrValue id="CORPORATE_PROPRIETARY" algorithm="wt.rule.algorithm.StringConstant">
  <Arg>INT</Arg>
</AttrValue>
<AttrConstraint id="CORPORATE_PROPRIETARY" algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
  <Value algorithm="com.ptc.core.rule.server.impl.GetServerAssignedConstraint"/>
  <Value algorithm="com.ptc.core.rule.server.impl.GetImmutableConstraint"/>
</AttrConstraint>
• Desired behavior: For standard security labels, limit the values that appear in the drop-down list to the specified values. For custom security labels, list only certain values in a drop-down list rather than allowing any value in a text box.
Attribute constraints: GetDiscreteSetConstraint
Example:
<AttrValue id="CORPORATE_PROPRIETARY" algorithm="wt.rule.algorithm.StringConstant">
  <Arg>NULL</Arg>
  <Arg>INT</Arg>
</AttrValue>
<AttrConstraint id="CORPORATE_PROPRIETARY" algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
  <Value algorithm="com.ptc.core.rule.server.impl.GetDiscreteSetConstraint">
    <Arg>INT</Arg>
  </Value>
</AttrConstraint>
• Desired behavior: For standard security labels, display a default value in the drop-down list other than the null (unrestricted) value. For custom security labels, list a default value in the text box.
Attribute constraints: GetServerPreGeneratedValue
Example:
<AttrValue id="CORPORATE_PROPRIETARY" algorithm="wt.rule.algorithm.StringConstant">
  <Arg>INT</Arg>
</AttrValue>
<AttrConstraint id="CORPORATE_PROPRIETARY" algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
  <Value algorithm="com.ptc.core.rule.server.impl.GetServerPreGeneratedValue"/>
</AttrConstraint>
• Desired behavior: For a standard security label supporting multiple values, set default values and make the values visible, but read-only. Note that the multiple values defined for a standard security label are always separated by a comma in the argument tag.
Attribute constraints: GetServerPreGeneratedValue and GetImmutableConstraint
Example:
<AttrValue algorithm="wt.rule.algorithm.StringConstant" id="Secrecy_Label">
<Arg>Secret,NotSecret</Arg>
</AttrValue>
<AttrConstraint id="Secrecy_Label"
algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
<Value algorithm="com.ptc.core.rule.server.impl.GetServerPreGeneratedValue"/>
<Value algorithm="com.ptc.core.rule.server.impl.GetImmutableConstraint"/>
</AttrConstraint>
• Desired behavior: For a standard security label supporting multiple values, display default values in the drop-down lists other than the null (unrestricted) value. Note that the multiple values defined for a standard security label are always separated by a comma in the argument tag.
Attribute constraints: GetServerPreGeneratedValue
Example:
<AttrValue algorithm="wt.rule.algorithm.StringConstant" id="Secrecy_Label">
<Arg>Secret,NotSecret</Arg>
</AttrValue>
<AttrConstraint id="Secrecy_Label"
algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
<Value algorithm="com.ptc.core.rule.server.impl.GetServerPreGeneratedValue"/>
</AttrConstraint>
• Desired behavior: For a standard security label supporting multiple values, display (Generated) and set the value when the object is created. Note that the multiple values defined for a standard security label are always separated by a comma in the argument tag.
Attribute constraints: GetServerAssignedConstraint
<AttrValue algorithm="wt.rule.algorithm.StringConstant" id="Secrecy_Label">
<Arg>Secret,NotSecret</Arg>
</AttrValue>
<AttrConstraint id="Secrecy_Label"
algorithm="com.ptc.core.rule.server.impl.GatherAttributeConstraints">
<Value algorithm="com.ptc.core.rule.server.impl.GetServerAssignedConstraint"/>
</AttrConstraint>