IBM Enterprise Records, Version 5.1.2    

Security markings

The IBM® Enterprise Records security implementation includes the use of marking sets, which are special property values that control access to objects. Users can access an object if they meet the criteria set by the instance security and the marking value. Marking sets apply to an entire FileNet® P8 domain, and therefore are available to all object stores in that domain.

IBM Enterprise Records includes several marking sets that are created on the Content Platform Engine server as part of the IBM Enterprise Records installation process. These marking sets include the following types:

Prevent IBM Enterprise Records Entity Deletion

The Prevent RM Entity Deletion hierarchical marking set is available in the DoD and Base installations of IBM Enterprise Records. The PRO installation uses a different marking set named Prevent RM Entity Deletion PRO. For DoD and Base installations, the marking set prevents users who are not Records Administrators or Records Managers from deleting entities. The entities impacted are file plans, record categories, record folders, volumes, and records. In PRO installations, IBM Enterprise Records prevents users who are not Records Administrators from deleting these entities. Because the Prevent RM Entity Deletion marking set is used internally by IBM Enterprise Records, do not modify this marking set.
The marking set includes the following markings:
  • Default: This marking is the default marking that IBM Enterprise Records applies to the above-mentioned entities.
  • Prevent Delete: IBM Enterprise Records applies this marking when an entity is placed on hold. When this marking is applied, the entity cannot be deleted by anyone, including Records Administrators and Records Managers.

Supplemental Marking

This marking set is a non-hierarchical marking set that is available in the PRO and DoD installations of IBM Enterprise Records. The Supplemental Marking set does not contain any markings. You can create markings in this set to meet your application-specific requirements. For example, you can create markings that elaborate on or clarify document handling. This set applies to markings for ORCON (ORiginator CONtrolled), RD (Restricted Data), and FRD (Formerly Restricted Data). The Supplemental Marking set applies to record categories, record folders, volumes, and records.

IBM Enterprise Records includes a report for the PRO data model that shows all of the electronic folders and records associated with a specific type of supplemental marking. For more information about generating reports, see the report generation topic.

Security Categories

Security categories are hierarchical marking sets that are available in both the PRO data model and DoD Classified data model.
The PRO data model consists of these markings:
  • Top Secret (highest in the hierarchy)
  • Secret
  • Confidential
  • Restricted
  • Unclassified (lowest in the hierarchy)
The DoD Classified data model consists of these markings:
  • Top Secret (highest in the hierarchy)
  • Secret
  • Confidential
  • Unclassified (lowest in the hierarchy)

In the PRO data model, by default, the Records Administrator is assigned to Top Secret, and inherits assignment to Secret, Confidential, and Unclassified. All other users are assigned to the Unclassified marking.

In the DoD Classified data model, initially no users are assigned to Top Secret, Secret, and Confidential. Authenticated users are assigned to the Unclassified marking.

The Records Administrator in PRO and the Records Manager in DoD, with GCD administrator rights, can change the security settings for any of these markings.

For example, you can add groups and users to the Secret, Confidential, and Restricted markings.

If you edit the hierarchical marking set for the DoD Classified data model, note the following requirements:
  • The Unclassified marking must be the lowest level in the hierarchy.
  • The name of that marking must be Unclassified.

Classified records do not work correctly if you do not adhere to the requirements. For example, if you add another marking underneath Unclassified, then records that are declared as Unclassified cannot be edited.

In the PRO data model, the Security Categories marking set applies to the following entities: record categories, record folders, volumes, and records. By default, these entities have the Unclassified marking applied to them. When you create or declare one of these entities, you can change the value of the Security Category property to a different category. You see the Security Category property on the Set Properties page when you create or declare an entity. The IBM Enterprise Records security wizard updates the security on the marking based on the IBM Enterprise Records roles.

In the DoD Classified data model, the Current Classification marking applies only to records. IBM Enterprise Records sets the Current Classification when a user declares the record. In addition, IBM Enterprise Records changes the Current Classification marking only when an authorized user changes the classification of the record.

By default, a child object inherits the security markings from the parent object. The PRO data model allows a parent object to inherit settings from the child object, if the child is assigned a more secure security marking. To configure security propagation from a child object to a parent object:
  1. Configure the Security Propagation COM Event.
  2. Subscribe classes to the Security Propagation COM event. IBM Enterprise Records uses these event subscriptions to propagate updates to the parent security marking.
  3. Configure the Propagation Security Marking setting in IBM Enterprise Records. For information about how to configure marking propagation, see the configure security markings propagation topic.
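
The following simplified model of the rules in this topic is an added illustration, not IBM Enterprise Records or Content Platform Engine code. It covers the access check (instance security and marking), child-to-parent propagation, and the two DoD Classified hierarchy requirements. The function names and the assumption that propagation continues up the whole container chain are hypothetical.

```python
# Simplified model of hierarchical security categories (added illustration;
# not IBM Enterprise Records or Content Platform Engine code).
# Marking names come from this topic; hierarchies are listed lowest level first.
PRO_LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
DOD_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


def rank(levels, marking):
    """Position of a marking in the hierarchy; 0 is the lowest level."""
    return levels.index(marking)


def can_access(levels, assigned, object_marking, instance_security_ok):
    """Access needs both the instance security and the marking to permit it.

    A user assigned to a marking is also covered for every lower marking.
    """
    marking_ok = rank(levels, assigned) >= rank(levels, object_marking)
    return instance_security_ok and marking_ok


def propagate_to_parents(levels, markings, parent_of, child):
    """Raise an ancestor's marking when the child's marking is more secure.

    markings: entity name -> marking; parent_of: entity name -> parent name.
    Assumption: the update continues up the container chain.
    Returns the ancestors whose marking changed, nearest first.
    """
    changed = []
    node = parent_of.get(child)
    while node is not None:
        if rank(levels, markings[child]) > rank(levels, markings[node]):
            markings[node] = markings[child]
            changed.append(node)
        node = parent_of.get(node)
    return changed


def check_dod_hierarchy(levels_lowest_first):
    """Return violations of the two DoD Classified requirements, if any."""
    problems = []
    if "Unclassified" not in levels_lowest_first:
        problems.append("no marking named Unclassified")
    elif levels_lowest_first[0] != "Unclassified":
        problems.append("Unclassified is not the lowest level")
    return problems
```

Running `check_dod_hierarchy` over an exported list of marking names before and after editing the DoD Classified marking set flags the misconfiguration that makes Unclassified records uneditable.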


Last updated: November 2013

© Copyright IBM Corporation 2013