cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Have a PTC product question you need answered fast? Chances are someone has asked it before. Learn about the community search. X

Security Labels - Want to restrict editing to a group

CraigFinney
12-Amethyst

Security Labels - Want to restrict editing to a group

We have security labels setup just for the download ack message, so we have not enabled agreements (not needed - We control access by other means).  I know specific PTC license is required Base + IP Protection, or the advance (which includes IP Protection), but the PTC steps (Edit) implies restricting who can edit them without explanation.  

 

I am looking to set them so only SL_EDITORS can modified the Security Labels after creation.  Any help would be welcomed.   Thank you in advance.

ACCEPTED SOLUTION

Accepted Solutions

Another solution to prevent editing is to modify conf/exposeSecutityLabelObjects.xml  to comment out all the objects you do not want editing on.  This does not prevent the initial setting, but by editing the corresponding netmanket/jsp/<<object type>/create*.jsp*, you can prevent the setting at creation time.(comment out the jca:sizardStep action for securityLabelStep).

View solution in original post

6 REPLIES 6

You would need to create an ACL something like this with a deny or absolute deny:

jbailey_0-1715881280115.png

 

 

I attempted two policies, one at the highest level to deny (did not stop) and one at a context level to allow (again no difference), but it did not seem to make a difference.  I did have success using a  new Profile that I could attach to specific groups into. 

 

What I was wondering if there was a change to configuration files while updating / installing the SLs that could be set.

 

Between the profile and not issuing a IP Protection license I could in theory, but it becomes more to manage.

Hello @CraigFinney ,

To restrict editing of Security Labels in Windchill to a specific group like "SL_EDITORS," you typically need administrative access and possibly specific permissions set up within Windchill. Log in to Windchill with administrative privileges.

Find the section or menu in Windchill where Security Labels are managed. 

Look for options related to permissions or access control for Security Labels.
You may need to adjust settings related to who can create, view, and edit Security Labels.
Specifically, you want to set it so that only members of the group "SL_EDITORS" have permission to modify Security Labels after their creation.

Identify or create the group "SL_EDITORS" if it doesn’t exist already within Windchill. 
Save your changes and then test the setup by logging in with an account that belongs to the "SL_EDITORS" group.

Hi @CraigFinney,

 

I wanted to follow up with you on your post to see if your question has been answered. 
If so, please mark the appropriate reply as the Accepted Solution. 
Of course, if you have more to share on your issue, please let the Community know so that we can continue to help you. 

 

Thanks,
Anurag

Hi Anurag,

 

There does not seem to be a simple solution. The policies did not seem to work., However, by adding a profile, I can remove the option from menus for those with Advance licenses.  For the employees with a Base license, I can just not give them the necessary license that would allow them.  I disliked the profile solution, as new CSP updates, or Windchill upgrades in revisions, these profile choices can change.   When we went from WC 11 to 12, hundreds of additional profile choices were added to the profiles and defaulted off.  I spent weeks getting permissions back in place.  I would rather there was an XML to update that I could restrict the permissions at SL Setup.

Another solution to prevent editing is to modify conf/exposeSecutityLabelObjects.xml  to comment out all the objects you do not want editing on.  This does not prevent the initial setting, but by editing the corresponding netmanket/jsp/<<object type>/create*.jsp*, you can prevent the setting at creation time.(comment out the jca:sizardStep action for securityLabelStep).

Announcements


Top Tags