Using Access Labels
Access labels work by performing a bitwise comparison between the access label bitmask assigned to the client and the access label bitmask assigned to the document.
A document is accessible by a client only if the document bitmask 1 bits have corresponding 1 bits in the client bitmask. For example, a client with the following access label bitmask:
110001
can access a document with access label bitmask
110001 or 100001
However, it cannot access a document with the following access label bitmasks:
100100 or 000100
The following truth table describes the bitmask comparison logic:
Document bit value | Client Bit Value: 0 | Client Bit Value: 1 |
0 | 1 | 1 |
1 | 0 | 1 |
You can also describe the bitmask comparison logic with the following function:
if (document_access_label & (~client_access_label) != 0)
//FAIL
else
//PASS
In general, setting more bits in the access level bitmask creates higher access levels. For example, setting a client access label bitmask to:
1111111
provides access to any document with an access label with any combination of the 6 lowest bits (0 through 5) set.
You can also use an access label to determine if a client has the right to label a document with a certain access level during a publishing operation. It works the same as determining whether a client can access a document with a certain access level.
For example, a client with the following access level bitmask:
110001
Can label a document with one of the following access labels:
110001 or 100001
But cannot label a document with these access labels:
100100 or 000100
The access label assigned to particular document is called a control label, and it is stored in the envelope field _env.controlLabel.
A publishing client is responsible for setting this field using an API. An option is provided to have the Broker set this field for the client by using the client's access label. This option (normally disabled) is enabled by using the following API calls:
For Java API:
void BrokerClient.setAutomaticControlLabel (Boolean enabled);
For JMS API:
void WmConnectionFactory.setAutomaticControlLabel (Boolean enabled);
For C# API:
Boolean IConnectionFactory.AutomaticControlLabel;
Note:
For more information about the API calls, see the appropriate webMethods Broker Programmer's Guide.
When publishing a document, the publishing client's access label is stored in the _env.pubLabel envelope field. This field is called the source label. The Broker does not make use of this information, but the receiving clients can. One possible usage for a receiving client is to determine the type of information it will return back to the publishing client in a request/reply situation.
The client's access label is sometimes called the receipt label. The receipt label is checked only when documents are pulled from the Broker client queue for delivery to the client. The receipt label is not checked when documents are placed in the queue.