Security Labels Overview

Uniquely configured by each site, security labels work with the Windchill access control policies and ad hoc permissions for an object to determine whether a user is authorized to access an object. A site can configure multiple security labels to cover various needs, such as identifying legal information, establishing export control criteria, or protecting proprietary information.

There are currently two types of security labels available: standard security labels and custom security labels. You can configure one or both types of security labels for your site. Additional information about custom security labels is available from Custom Security Labels.

Each security label has a null, or unrestricted value, and can have multiple additional values, each of which may or may not restrict access to only a specified authorized participant. Security label values that do not restrict clearance (have no defined authorized participant) can be used simply for informative purposes.

An authorized participant can be a user, user-defined group, or organization. Specifying a user-defined group as the authorized participant is most flexible, as membership in the group can be modified as needed using the Participant Administration utility or an LDAP directory service. Alternatively, you can customize your security labels to use an evaluator to determine if a participant is an authorized participant for the security label value. A participant must be an authorized participant and be granted the Modify Security Labels permission in order to modify the security label values. In order to view an object, a user must have at least Read permission on the object, but must also be an authorized participant for any security label values set on the object.

Each standard security label value or custom security label can optionally also have an associated agreement type. Users who are not otherwise authorized to access an object with a particular security label value can be granted temporary clearance through use of an appropriate agreement.

For example, a site could configure an Export Control standard security label, with values of No License Required, License Required, and Do Not Export.

• License Required restricts access to only members of the US Employees group. This value has an associated agreement type of Export Agreement. Users who are not in the US Employees group, but meet the necessary licensing requirements can be granted temporary clearance to objects marked with the License Required value through use of an Export Agreement.

• Do Not Export restricts access to only members of the US Employees group. As there is no associated agreement type for this value, there is no way to grant temporary clearance to users who are not US Employees.

Security labels should be set during object creation, before an object is checked in or made available within the system, to prevent sensitive information from being exposed. Labels can be set on the Set Security Labels step for objects which use a create window, or through defining object initialization rules to set the default security label on an object. Once an object is created, security labels can be viewed and changed using the Edit Security Labels action.