cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Visit the PTCooler (the community lounge) to get to know your fellow community members and check out some of Dale's Friday Humor posts! X

Context-Based Agreements...uhh...what are they good for...

avillanueva
22-Sapphire II

Context-Based Agreements...uhh...what are they good for...

Please don't say absolutely nothing or I will ask you to say it again.

Reading through the help docs to configure and enable agreements. There are all these references to standard and context-based agreements but no clear definition of what makes them different, I think. It seems to rely on soft types but no clear definition on why that is necessary. If its such a best practice, it should come this way ootb no?

Here is the closest to a definition I found. Let me know if my interpretations are accurate below:

Active standard agreements provide a set of participants (users, groups, or organizations) with clearance for one or more standard security label values or custom security labels on specified security-labeled objects. An active context-based agreement also provides a set of participants with clearance for one or more standard security label values or custom security labels, but the clearance is applied to all appropriately security-labeled objects within the context in which the agreement resides.

So, what is common is a set of users and a label value. Got it. The scope page indicates that the agreement must be in the same scope as the objects. Check. It seems like a context-based agreement (if you define the soft type) does not require a specific list of objects but rather a list of contexts. This would mean that they would be created at the org level for multiple contexts. Can they be created at the product level if there was only that one product included? Wow, this could have been accomplished with a checkbox to flip the type. 

 

Thinking of my use case. Having the ability to create specific agreements on objects, I always want to have in my back pocket. However, since the number of documents is changing, you do not want to have to keep updating an agreement each time a new doc is added. This further justifies that PTC should have just made it standard instead of roll your own.

1 ACCEPTED SOLUTION

Accepted Solutions
avillanueva
22-Sapphire II
(To:avillanueva)

Progress, I think. I have added two new soft types and a few new labels. I previously had just export control labels. For those who want a reference example, here is mine:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE SecurityLabelsConfiguration
  SYSTEM "securityLabelsConfiguration.dtd">
<SecurityLabelsConfiguration enabled="true">
	<AgreementConfiguration enabled="true">
	    <AgreementManagersGroup>
	        <WTPrincipalReference>
				<ClassType>wt.org.WTGroup</ClassType>
				<OrgName>MYCOMPANY</OrgName>
				<Name>Agreement Managers</Name>
			</WTPrincipalReference>
	    </AgreementManagersGroup>
	    <AgreementLifecycleState>
	        <lifecycleState>APPROVED</lifecycleState>
	    </AgreementLifecycleState>
	    <AgreementCabinetDomain>
	        <domainPath>/Default</domainPath>
	    </AgreementCabinetDomain>
	    <ContextBasedAgreementType>
        	<logicalTypeId>com.ptc.dmt.ContextBasedAgreement</logicalTypeId>
    	</ContextBasedAgreementType>
	    <SelectAuthorizedSecurityLabelValuesStep value="show"/>
	    <AuthorizedSecurityLabelValuesDefault value="all"/>
	</AgreementConfiguration>
    <SecurityLabel name="EXPORT_CONTROL" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|EXPORT_CONTROL</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel1</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="NO LICENSE REQUIRED-EAR99" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="LICENSE REQUIRED-STATE(ITAR)" enabled="true">
        </SecurityLabelValue>
        <SecurityLabelValue name="LICENSE REQUIRED-COMMERCIAL(EAR)" enabled="true">
        </SecurityLabelValue>
        <SecurityLabelValue name="NO TECH DATA" enabled="true">
        </SecurityLabelValue>
        <SecurityLabelValue name="DO NOT EXPORT" enabled="false">
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>EXPORT_CONTROL</SecurityLabelParameter>
    </SecurityLabel>
    <SecurityLabel name="CUI_CONTROL_MARKING" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|CUI_CONTROL_MARKING</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel2</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="CUI" enabled="true">
	        <UnrestrictedPrincipal>
		        <WTPrincipalReference>
					<ClassType>wt.org.WTGroup</ClassType>
					<OrgName>MYCOMPANY</OrgName>
					<Name>Agreement Managers</Name>
				</WTPrincipalReference> 
                <AgreementType>
                    <logicalTypeId>wt.access.agreement.AuthorizationAgreement</logicalTypeId>
                </AgreementType>
	        </UnrestrictedPrincipal>       
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>CUI_CONTROL_MARKING</SecurityLabelParameter> 
    </SecurityLabel>
    <SecurityLabel name="CUI_CATEGORY" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|CUI_CATEGORY</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel3</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="EXPT" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="SP-EXPT" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="SP-CTI" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="SP-GEO" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="OPSEC" enabled="true">       
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>CUI_CATEGORY</SecurityLabelParameter>
        <MultiValueLogicalOperator>OR</MultiValueLogicalOperator> 
    </SecurityLabel>
    <SecurityLabel name="LIMITED_DISSEM" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|LIMITED_DISSEM</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel4</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="FEDCON" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="NOFORN" enabled="true">       
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>LIMITED_DISSEM</SecurityLabelParameter>
        <MultiValueLogicalOperator>OR</MultiValueLogicalOperator> 
    </SecurityLabel>
    <SecurityLabel name="RESTRICTIONS" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|RESTRICTIONS</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel5</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="PROGRAM_PRIVATE" enabled="true">
        <UnrestrictedPrincipal>
		        <WTPrincipalReference>
					<ClassType>wt.org.WTGroup</ClassType>
					<OrgName>MYCOMPANY</OrgName>
					<Name>Agreement Managers</Name>
				</WTPrincipalReference> 
                <AgreementType>
                    <logicalTypeId>wt.access.agreement.AuthorizationAgreement</logicalTypeId>
                </AgreementType>
	        </UnrestrictedPrincipal>        
        </SecurityLabelValue>
        <SecurityLabelValue name="COMPANY_PRIVATE" enabled="true">
        <UnrestrictedPrincipal>
		        <WTPrincipalReference>
					<ClassType>wt.org.WTGroup</ClassType>
					<OrgName>MYCOMPANY</OrgName>
					<Name>Agreement Managers</Name>
				</WTPrincipalReference> 
                <AgreementType>
                    <logicalTypeId>wt.access.agreement.AuthorizationAgreement</logicalTypeId>
                </AgreementType>
	        </UnrestrictedPrincipal>        
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>RESTRICTIONS</SecurityLabelParameter>
    </SecurityLabel>
</SecurityLabelsConfiguration>

The initial impetus was to implement CUI tagging. I extended to tag private data in a general sense that should have restrictions for some reason or another. Next piece is custom sorting for name column.

avillanueva_0-1682540678309.png

 

View solution in original post

1 REPLY 1
avillanueva
22-Sapphire II
(To:avillanueva)

Progress, I think. I have added two new soft types and a few new labels. I previously had just export control labels. For those who want a reference example, here is mine:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE SecurityLabelsConfiguration
  SYSTEM "securityLabelsConfiguration.dtd">
<SecurityLabelsConfiguration enabled="true">
	<AgreementConfiguration enabled="true">
	    <AgreementManagersGroup>
	        <WTPrincipalReference>
				<ClassType>wt.org.WTGroup</ClassType>
				<OrgName>MYCOMPANY</OrgName>
				<Name>Agreement Managers</Name>
			</WTPrincipalReference>
	    </AgreementManagersGroup>
	    <AgreementLifecycleState>
	        <lifecycleState>APPROVED</lifecycleState>
	    </AgreementLifecycleState>
	    <AgreementCabinetDomain>
	        <domainPath>/Default</domainPath>
	    </AgreementCabinetDomain>
	    <ContextBasedAgreementType>
        	<logicalTypeId>com.ptc.dmt.ContextBasedAgreement</logicalTypeId>
    	</ContextBasedAgreementType>
	    <SelectAuthorizedSecurityLabelValuesStep value="show"/>
	    <AuthorizedSecurityLabelValuesDefault value="all"/>
	</AgreementConfiguration>
    <SecurityLabel name="EXPORT_CONTROL" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|EXPORT_CONTROL</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel1</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="NO LICENSE REQUIRED-EAR99" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="LICENSE REQUIRED-STATE(ITAR)" enabled="true">
        </SecurityLabelValue>
        <SecurityLabelValue name="LICENSE REQUIRED-COMMERCIAL(EAR)" enabled="true">
        </SecurityLabelValue>
        <SecurityLabelValue name="NO TECH DATA" enabled="true">
        </SecurityLabelValue>
        <SecurityLabelValue name="DO NOT EXPORT" enabled="false">
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>EXPORT_CONTROL</SecurityLabelParameter>
    </SecurityLabel>
    <SecurityLabel name="CUI_CONTROL_MARKING" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|CUI_CONTROL_MARKING</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel2</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="CUI" enabled="true">
	        <UnrestrictedPrincipal>
		        <WTPrincipalReference>
					<ClassType>wt.org.WTGroup</ClassType>
					<OrgName>MYCOMPANY</OrgName>
					<Name>Agreement Managers</Name>
				</WTPrincipalReference> 
                <AgreementType>
                    <logicalTypeId>wt.access.agreement.AuthorizationAgreement</logicalTypeId>
                </AgreementType>
	        </UnrestrictedPrincipal>       
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>CUI_CONTROL_MARKING</SecurityLabelParameter> 
    </SecurityLabel>
    <SecurityLabel name="CUI_CATEGORY" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|CUI_CATEGORY</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel3</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="EXPT" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="SP-EXPT" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="SP-CTI" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="SP-GEO" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="OPSEC" enabled="true">       
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>CUI_CATEGORY</SecurityLabelParameter>
        <MultiValueLogicalOperator>OR</MultiValueLogicalOperator> 
    </SecurityLabel>
    <SecurityLabel name="LIMITED_DISSEM" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|LIMITED_DISSEM</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel4</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="FEDCON" enabled="true">       
        </SecurityLabelValue>
        <SecurityLabelValue name="NOFORN" enabled="true">       
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>LIMITED_DISSEM</SecurityLabelParameter>
        <MultiValueLogicalOperator>OR</MultiValueLogicalOperator> 
    </SecurityLabel>
    <SecurityLabel name="RESTRICTIONS" enabled="true">
        <SecurityLabelResourceKey>WCTYPE|wt.access.SecurityLabeled~SCA|RESTRICTIONS</SecurityLabelResourceKey>
        <SecurityLabelValueResourceClass>wt.access.configuration.SecurityLabel5</SecurityLabelValueResourceClass>
        <SecurityLabelValue name="PROGRAM_PRIVATE" enabled="true">
        <UnrestrictedPrincipal>
		        <WTPrincipalReference>
					<ClassType>wt.org.WTGroup</ClassType>
					<OrgName>MYCOMPANY</OrgName>
					<Name>Agreement Managers</Name>
				</WTPrincipalReference> 
                <AgreementType>
                    <logicalTypeId>wt.access.agreement.AuthorizationAgreement</logicalTypeId>
                </AgreementType>
	        </UnrestrictedPrincipal>        
        </SecurityLabelValue>
        <SecurityLabelValue name="COMPANY_PRIVATE" enabled="true">
        <UnrestrictedPrincipal>
		        <WTPrincipalReference>
					<ClassType>wt.org.WTGroup</ClassType>
					<OrgName>MYCOMPANY</OrgName>
					<Name>Agreement Managers</Name>
				</WTPrincipalReference> 
                <AgreementType>
                    <logicalTypeId>wt.access.agreement.AuthorizationAgreement</logicalTypeId>
                </AgreementType>
	        </UnrestrictedPrincipal>        
        </SecurityLabelValue>
        <!-- The SecurityLabelParameter element contains the parameter name used by other applications to map to this
             particular security label.  This element is optional. -->
        <SecurityLabelParameter>RESTRICTIONS</SecurityLabelParameter>
    </SecurityLabel>
</SecurityLabelsConfiguration>

The initial impetus was to implement CUI tagging. I extended to tag private data in a general sense that should have restrictions for some reason or another. Next piece is custom sorting for name column.

avillanueva_0-1682540678309.png

 

Top Tags