Community Tip - You can change your system assigned username to something more personal in your community settings. X
I have a requirement to restrict access to the meta data and content (documents) in Windchill based on a security context.
Not only do I need to restrict access, but I need to store the content in a specific location, which will be in a different location to the application server. i.e in another country if documents
are Nationally classified.
The Windchill 11 overview states this is possible, but I would like to know more details.
There is a lot of setup involved with implementing security labels! Read the documents carefully as you are modifying core Windchill resource bundle files. Especially take note of the warning that says "Editing these files may prevent your Windchill system from starting". This definitely requires good backup and a test server to implement.
To store content in a secondary vault should not be an issue, but getting the proper settings to do it automatically may. You would need OIRs that put documents in that vault. If only certain documents of a type require this security, that is harder to do automatically without some deep programming.
Thanks Ben, I know it was quite tricky with V10. I understood it is better in V11, but possibly not.
Hi
Would you be able to share more infromation on this, I have the same requirement and will be great if you can direct me to right guides or Help.
Thanks,
Rahul
@rbhoraskar The Security Label Configuration and Implementation guide should have the information you need. You can assign a Site Principal to the Replica site you are creating. If the Principal has access to the object only in that case the object will be replicated to the site.
@yadavankur Hi Ankur,
Would you please mid looking at this requirement and suggest ?
Our customer is having Master Windchill in “UK”, they are looking to use same Windchill in “Canada” and “Netherlands” as well.
But they have an Export control and security control policies which states that:
à The data or files created in Canada, they should be vaulted to Canada and does not go to Master in UK
à Same for Netherlands, data or files created in Netherland, they should be vaulted to Netherland and does not go to Master in UK
Is this scenario is possible to achieve when UK is master server and Canada and Netherland is “File Server”.
If yes, how can we achieve this ?? for example
• Vaulting rules ?
• File Vault configuration ? Security Labels ?
• No Replication/Sync to Master in UK?
Thanks,
Rahul
This is a really interesting and relevant requirement in compartmentalizing physical datastore location by nation due to export control, sensitivity or security etc.
I am seeing such a requirement coming up in the future for our own Windchill system and this surely must be in demand by aerospace & defense windchill users who have international sites and factories.
I wonder if PTC have suggested any solutions for this?
Theoretically you could 'bodge' it using separate security labels marking 'Canada only', 'UK Only' or 'Netherlands Only' and have each replica server's site principal have access to their local 'XXX Only' security label content, and not the other countries'. This means e.g a UK replica server would not be able to duplicate/host 'Canada Only' or 'Netherlands Only' content (and vice versa). I can also imagine a lot of issues with this 'bodged' configuration...
@yadavankur wrote:
@MyFedLoan The Security Label Configuration and Implementation guide should have the information you need. You can assign a Site Principal to the Replica site you are creating. If the Principal has access to the object only in that case the object will be replicated to the site.
Especially take note of the warning that says "Editing these files may prevent your Windchill system from starting". This definitely requires good backup and a test server to implement.
To store content in a secondary vault should not be an issue, but getting the proper settings to do it automatically may. You would need OIRs that put documents in that vault.
@yadavankur wrote:
@rbhoraskar The Security Label Configuration and Implementation guide should have the information you need. You can assign a Site Principal to the Replica site you are creating. If the Principal has access to the object only in that case the object will be replicated to the site.
Your Blog is very nice. Wish to see much more like this. Thanks for sharing your information