FileNet P8 Platform, Version 5.2.1            

Hierarchical and Non-hierarchical

There are two types of marking sets: hierarchical and non-hierarchical.

In the following example, the user Alice has been granted the Use Marked Objects right by the Top Secret marking. Because this is a hierarchical marking set, she has the Use Marked Objects right not only for the Top Secret marking but also, implicitly, for the Secret and Restricted markings. This means that for Alice, objects that are marked with either the Restricted or Secret markings behave as if they are marked with the Top Secret marking. Similarly, Bob implicitly has the Use Marked Objects right for the Restricted marking, because it is lower in the hierarchy than Secret.

Figure: Hierarchical markings

There is an exception to the rule that permissions granted on superior markings are implicitly granted on inferior markings. Recall that there are two types of access permissions: Allow and Deny.

Deny permissions always take precedence over allow permissions. The way this works for hierarchical marking sets is that deny permissions on inferior markings always take precedence over allow permissions on superior markings. This behavior is illustrated in the example below:

Figure: Hierarchical marking with Deny

In this example, Bob is explicitly granted access to objects marked Top Secret and implicitly granted access to objects marked Secret or Restricted, because he is granted the Use Marked Objects access right on the Top Secret marking, which is superior to both Secret and Restricted.

Alice, on the other hand, is denied access to objects marked Top Secret or Secret but is granted access to objects marked Restricted. The reason for the difference is that Alice is explicitly denied the Use Marked Objects right by the Secret marking. Because a Deny permission is implicitly present on all superior markings, this Deny is implicitly present on the Top Secret marking. She is also explicitly allowed access by the Top Secret marking, but since Deny permissions take precedence over Allow permissions, she is still denied access to objects marked with Top Secret. What can be less clear is why she is granted access to objects marked with Restricted.

The reason is that she implicitly obtains access rights to objects marked Restricted by being granted the Use Marked Objects right by the Top Secret marking, which is superior to Restricted. The Deny permission on the Secret marking has no effect on the Restricted marking because the Restricted marking is inferior to the Secret marking.

From this example three general rules can be observed:

  1. Allow permissions affect markings downward in the hierarchy; that is, an Allow permission placed on a superior marking is implicitly present on inferior markings.
  2. Deny permissions affect markings upward in the hierarchy; that is, a Deny permission placed on an inferior marking is implicitly present on superior markings.
  3. Deny permissions take precedence over Allow permissions.
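
The three rules can be checked against the Deny example with a small model. This is an added illustration, not FileNet API code or IBM sample code; the function names and the permission table are hypothetical, and the model covers individual users only.

```python
# Simplified model of the three rules above; not FileNet API code.
# The hierarchy is listed from the most superior to the most inferior marking.
HIERARCHY = ["Top Secret", "Secret", "Restricted"]

# Constructed permission table matching the "Hierarchical marking with Deny"
# example: (marking, user) -> "allow" or "deny" for Use Marked Objects.
DENY_EXAMPLE = {
    ("Top Secret", "Bob"): "allow",
    ("Top Secret", "Alice"): "allow",
    ("Secret", "Alice"): "deny",
}


def has_use_right(user, marking, perms, hierarchy=HIERARCHY):
    """Return True if `user` effectively holds Use Marked Objects on `marking`."""
    idx = hierarchy.index(marking)  # ValueError for a marking not in the set
    superior_or_self = hierarchy[: idx + 1]
    inferior_or_self = hierarchy[idx:]
    # Rule 2: a Deny on this marking or on any inferior marking applies here.
    denied = any(perms.get((m, user)) == "deny" for m in inferior_or_self)
    # Rule 1: an Allow on this marking or on any superior marking applies here.
    allowed = any(perms.get((m, user)) == "allow" for m in superior_or_self)
    # Rule 3: Deny takes precedence; without any Allow the right is not held.
    return allowed and not denied


def usable_markings(user, perms, hierarchy=HIERARCHY):
    """List the markings, top down, for which the user holds the right."""
    return [m for m in hierarchy if has_use_right(user, m, perms, hierarchy)]


if __name__ == "__main__":
    for user in ("Bob", "Alice"):
        print(user, usable_markings(user, DENY_EXAMPLE))
```

When reviewing a hierarchical marking set, the same evaluation shows that a single Deny placed low in the hierarchy removes the right on every marking above it.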


Last updated: March 2016

© Copyright IBM Corporation 2016.