cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Visit the PTCooler (the community lounge) to get to know your fellow community members and check out some of Dale's Friday Humor posts! X

Security Labels - Want to restrict editing to a group

Go to solution
CraigFinney
7-Bedrock
7-Bedrock
‎May 16, 2024 08:57 AM
‎May 16, 2024 08:57 AM

Security Labels - Want to restrict editing to a group

We have security labels setup just for the download ack message, so we have not enabled agreements (not needed - We control access by other means).  I know specific PTC license is required Base + IP Protection, or the advance (which includes IP Protection), but the PTC steps (Edit) implies restricting who can edit them without explanation.  

 

I am looking to set them so only SL_EDITORS can modified the Security Labels after creation.  Any help would be welcomed.   Thank you in advance.

0 Kudos
Notify Moderator
1 ACCEPTED SOLUTION

Accepted Solutions
CraigFinney
7-Bedrock
7-Bedrock
(To:CraigFinney)
‎Jun 11, 2024 07:50 AM
‎Jun 11, 2024 07:50 AM

Another solution to prevent editing is to modify conf/exposeSecutityLabelObjects.xml  to comment out all the objects you do not want editing on.  This does not prevent the initial setting, but by editing the corresponding netmanket/jsp/<<object type>/create*.jsp*, you can prevent the setting at creation time.(comment out the jca:sizardStep action for securityLabelStep).

View solution in original post

0 Kudos
Notify Moderator
6 REPLIES 6
jbailey
17-Peridot
17-Peridot
(To:CraigFinney)
‎May 16, 2024 01:42 PM
‎May 16, 2024 01:42 PM

You would need to create an ACL something like this with a deny or absolute deny:

jbailey_0-1715881280115.png

 

 

0 Kudos
Notify Moderator
CraigFinney
7-Bedrock
7-Bedrock
(To:jbailey)
‎May 16, 2024 02:25 PM
‎May 16, 2024 02:25 PM

I attempted two policies, one at the highest level to deny (did not stop) and one at a context level to allow (again no difference), but it did not seem to make a difference.  I did have success using a  new Profile that I could attach to specific groups into. 

 

What I was wondering if there was a change to configuration files while updating / installing the SLs that could be set.

 

Between the profile and not issuing a IP Protection license I could in theory, but it becomes more to manage.

0 Kudos
Notify Moderator
BS_11081198
2-Guest
2-Guest
(To:CraigFinney)
‎May 20, 2024 05:14 AM
‎May 20, 2024 05:14 AM

Hello @CraigFinney ,

To restrict editing of Security Labels in Windchill to a specific group like "SL_EDITORS," you typically need administrative access and possibly specific permissions set up within Windchill. Log in to Windchill with administrative privileges.

Find the section or menu in Windchill where Security Labels are managed. 

Look for options related to permissions or access control for Security Labels.
You may need to adjust settings related to who can create, view, and edit Security Labels.
Specifically, you want to set it so that only members of the group "SL_EDITORS" have permission to modify Security Labels after their creation.

Identify or create the group "SL_EDITORS" if it doesn’t exist already within Windchill. 
Save your changes and then test the setup by logging in with an account that belongs to the "SL_EDITORS" group.

0 Kudos
Notify Moderator
anursingh
Moderator
Moderator
(To:CraigFinney)
‎May 28, 2024 05:15 PM
‎May 28, 2024 05:15 PM

Hi @CraigFinney,

 

I wanted to follow up with you on your post to see if your question has been answered. 
If so, please mark the appropriate reply as the Accepted Solution. 
Of course, if you have more to share on your issue, please let the Community know so that we can continue to help you. 

 

Thanks,
Anurag

0 Kudos
Notify Moderator
CraigFinney
7-Bedrock
7-Bedrock
(To:anursingh)
‎May 29, 2024 08:07 AM
‎May 29, 2024 08:07 AM

Hi Anurag,

 

There does not seem to be a simple solution. The policies did not seem to work., However, by adding a profile, I can remove the option from menus for those with Advance licenses.  For the employees with a Base license, I can just not give them the necessary license that would allow them.  I disliked the profile solution, as new CSP updates, or Windchill upgrades in revisions, these profile choices can change.   When we went from WC 11 to 12, hundreds of additional profile choices were added to the profiles and defaulted off.  I spent weeks getting permissions back in place.  I would rather there was an XML to update that I could restrict the permissions at SL Setup.

0 Kudos
Notify Moderator
CraigFinney
7-Bedrock
7-Bedrock
(To:CraigFinney)
‎Jun 11, 2024 07:50 AM
‎Jun 11, 2024 07:50 AM

Another solution to prevent editing is to modify conf/exposeSecutityLabelObjects.xml  to comment out all the objects you do not want editing on.  This does not prevent the initial setting, but by editing the corresponding netmanket/jsp/<<object type>/create*.jsp*, you can prevent the setting at creation time.(comment out the jca:sizardStep action for securityLabelStep).

0 Kudos
Notify Moderator
Top Tags