Skip to main content
C
CraigFinney12-Amethyst
12-Amethyst
May 16, 2024
Solved

Security Labels - Want to restrict editing to a group

  • May 16, 2024
  • 3 replies
  • 2237 views

We have security labels setup just for the download ack message, so we have not enabled agreements (not needed - We control access by other means).  I know specific PTC license is required Base + IP Protection, or the advance (which includes IP Protection), but the PTC steps (Edit) implies restricting who can edit them without explanation.  

 

I am looking to set them so only SL_EDITORS can modified the Security Labels after creation.  Any help would be welcomed.   Thank you in advance.

Best answer by CraigFinney

Another solution to prevent editing is to modify conf/exposeSecutityLabelObjects.xml  to comment out all the objects you do not want editing on.  This does not prevent the initial setting, but by editing the corresponding netmanket/jsp/<<object type>/create*.jsp*, you can prevent the setting at creation time.(comment out the jca:sizardStep action for securityLabelStep).

3 replies

jbailey
jbailey18-Opal
18-Opal
May 16, 2024

You would need to create an ACL something like this with a deny or absolute deny:

jbailey_0-1715881280115.png

 

 

C
CraigFinney12-AmethystAuthor
12-Amethyst
May 16, 2024

I attempted two policies, one at the highest level to deny (did not stop) and one at a context level to allow (again no difference), but it did not seem to make a difference.  I did have success using a  new Profile that I could attach to specific groups into. 

 

What I was wondering if there was a change to configuration files while updating / installing the SLs that could be set.

 

Between the profile and not issuing a IP Protection license I could in theory, but it becomes more to manage.

B
BS_110811981-Visitor
1-Visitor
May 20, 2024

Hello @CraigFinney ,

To restrict editing of Security Labels in Windchill to a specific group like "SL_EDITORS," you typically need administrative access and possibly specific permissions set up within Windchill. Log in to Windchill with administrative privileges.

Find the section or menu in Windchill where Security Labels are managed. 

Look for options related to permissions or access control for Security Labels.
You may need to adjust settings related to who can create, view, and edit Security Labels.
Specifically, you want to set it so that only members of the group "SL_EDITORS" have permission to modify Security Labels after their creation.

Identify or create the group "SL_EDITORS" if it doesn’t exist already within Windchill. 
Save your changes and then test the setup by logging in with an account that belongs to the "SL_EDITORS" group.

A
anursinghCommunity Manager
Community Moderator
May 28, 2024

Hi @CraigFinney,

 

I wanted to follow up with you on your post to see if your question has been answered. 
If so, please mark the appropriate reply as the Accepted Solution. 
Of course, if you have more to share on your issue, please let the Community know so that we can continue to help you. 

 

Thanks,
Anurag

C
CraigFinney12-AmethystAuthor
12-Amethyst
May 29, 2024

Hi Anurag,

 

There does not seem to be a simple solution. The policies did not seem to work., However, by adding a profile, I can remove the option from menus for those with Advance licenses.  For the employees with a Base license, I can just not give them the necessary license that would allow them.  I disliked the profile solution, as new CSP updates, or Windchill upgrades in revisions, these profile choices can change.   When we went from WC 11 to 12, hundreds of additional profile choices were added to the profiles and defaulted off.  I spent weeks getting permissions back in place.  I would rather there was an XML to update that I could restrict the permissions at SL Setup.

C
CraigFinney12-AmethystAuthorAnswer
12-Amethyst
June 11, 2024

Another solution to prevent editing is to modify conf/exposeSecutityLabelObjects.xml  to comment out all the objects you do not want editing on.  This does not prevent the initial setting, but by editing the corresponding netmanket/jsp/<<object type>/create*.jsp*, you can prevent the setting at creation time.(comment out the jca:sizardStep action for securityLabelStep).

D
DeepenRavalia13-Aquamarine
13-Aquamarine
January 29, 2026

The issue with this method is that no one can then edit or modify objects with existing security labels. Which may be what some people want however I need to stop authorised users being able to modify existing objects security labels. Will update you if I find the answer. 

Terms & ConditionsCookie settingsAccessibility statement