Community Tip - Want the oppurtunity to discuss enhancements to PTC products? Join a working group! X
I am playing around with this on my server and I am running into this issue. This article seems to point to the issue:
https://www.ptc.com/en/support/article/CS371380?source=search
So my master site is handled by the Administrator's group with I think is default OOTB. The major draw to using security labels is that we can restrict access to objects, even the administrators. This seems to be telling me that I need to include site administrators to the group that is allowed to see content with these restrictive labels. Bummer. I get publishing and I am ok with that. I can also see using wcadmin and not the group since wcadmin should not be used ever to access data as a normal user.
This was odd to stumble into this since the user that I am logged in as is part of the unrestricted principal members but not wcadmin. I just don't see how the extra check for the principal for the site mattered.
Solved! Go to Solution.
Reading docs, looks like start of trail is here:
It seems to make sense. Let's say I have ITAR restricted data but in a global system, I have a site location for vaulting that was non-US. By making the site participant not an authorized principal, it would block and accidental upload or replication of data to that location which would be a violation. I do not have such complexities here so I just need to ensure the system still functions. Looks like wvs publishing user and wcadmin would need to be added. I do have other people in Administrators group (real people) which I would to still block from restricted data if there was not a valid need to know. Yes group of groups is easiest but if it gets too complex, a custom class might be necessary. Now where is my Little Orphan Annie secret decoder ring?
Pretty much, yes. and since "Authorized Participant" is a single group, you must likely use a group of groups.
Reading docs, looks like start of trail is here:
It seems to make sense. Let's say I have ITAR restricted data but in a global system, I have a site location for vaulting that was non-US. By making the site participant not an authorized principal, it would block and accidental upload or replication of data to that location which would be a violation. I do not have such complexities here so I just need to ensure the system still functions. Looks like wvs publishing user and wcadmin would need to be added. I do have other people in Administrators group (real people) which I would to still block from restricted data if there was not a valid need to know. Yes group of groups is easiest but if it gets too complex, a custom class might be necessary. Now where is my Little Orphan Annie secret decoder ring?