FileNet P8 Platform, Version 5.2.1

Markings overview

Markings allow access to objects to be controlled based on specific property values.

When a marking is applied to an object, the resulting access permissions for the object are a combination of the settings of its original access permissions and the settings of the marking's Constraint Mask for each marking that is applied to it. The result of this combination is the effective security mask.

In general terms, markings work as follows:

  1. A marking set is defined, containing several possible values called markings.
  2. Each marking value contains a set of access permissions which define who can assign that specific value to an object property, who can modify or remove that specific value, and, once it is assigned, who will have access to the object it is assigned to.
  3. The marking set is assigned to a property definition on a class such that the value of that property on instances of the class must be one of the markings defined by the marking set.
  4. Values can only be assigned by users authorized by the associated marking and access to the object is restricted based on the marking once it is applied.

Markings do not replace conventional access permissions on an object, but rather are co-equal with them in determining access rights. In other words, if an object has one or more markings applied to it in addition to one or more permissions in its permissions collection (ACL), then access to that object is only granted if it is granted by the permissions and by the markings. Another way to think about how this works is:

  1. A user or process tries to access an object.
  2. First, Content Platform Engine resolves the object's ACL to determine who can access the object and what those users can do.
  3. Then it computes the markings applied to the object to see which users to stop (defined by the marking's Security list) and what they should be stopped from doing (defined by the marking's constraint mask).

You can have multiple properties assigned to a single class with marking sets associated, and all of them are used to determine the final access to the object. The collection of all markings actually applied to a particular object is displayed by Administration Console for Content Platform Engine as the object's "active markings".
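The two-step evaluation above, as an added model written for this page (it is not the Content Platform Engine API): the ACL is resolved first, then every active marking whose Security list does not grant the user removes its constraint mask from the result. Rights are modelled as mask bits, and the principals, marking values and bit values are constructed for the example.

```python
from dataclasses import dataclass, field

# Access rights as mask bits. These bit values are constructed for the example;
# they are not the Content Engine's AccessRight constants.
READ, WRITE, DELETE = 1 << 0, 1 << 1, 1 << 2
ALL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Marking:
    """One value of a marking set, with its own Security list."""
    value: str
    assign_granted_to: frozenset   # who may set this value on a property
    use_granted_to: frozenset      # who is NOT stopped by this marking
    constraint_mask: int           # rights removed from everyone else


@dataclass
class MarkedObject:
    acl: dict                      # principal -> rights granted by the object's ACL
    markings: list = field(default_factory=list)   # active markings


def apply_marking(obj, marking, principal):
    """Assign a marking value; only principals on the marking's Security list may."""
    if principal not in marking.assign_granted_to:
        raise PermissionError(f"{principal} may not assign marking {marking.value!r}")
    obj.markings.append(marking)


def effective_mask(obj, principal):
    """Effective security mask: ACL result minus every applicable constraint mask."""
    mask = obj.acl.get(principal, 0)                 # step 1: resolve the ACL
    for m in obj.markings:                           # step 2: evaluate active markings
        if principal not in m.use_granted_to:
            mask &= ~m.constraint_mask               # stop this user from these rights
    return mask


# Constructed sample data: two marking-enabled properties on one class.
SECRET = Marking("Secret", frozenset({"alice"}), frozenset({"alice", "bob"}), ALL)
INTERNAL = Marking("Internal", frozenset({"alice", "bob"}), frozenset({"alice"}), WRITE | DELETE)


def demo():
    """Return each principal's effective rights once both markings are active."""
    doc = MarkedObject(acl={"alice": ALL, "bob": ALL, "carol": READ})
    apply_marking(doc, INTERNAL, "bob")    # bob is on Internal's assign list
    apply_marking(doc, SECRET, "alice")    # only alice may assign Secret
    return {p: effective_mask(doc, p) for p in ("alice", "bob", "carol")}
```

Note that bob keeps full rights under the ACL but ends with READ only, and carol loses her ACL READ entirely: the ACL grant and the markings must both allow an action.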

Active markings is the term Administration Console for Content Platform Engine uses in its security editor on its Active Markings/Owner button. You will see this button text on object instances whether or not there are actually active markings applied to the object. This button will just say Owner for those objects that cannot have markings applied, which include all class definitions.

Modifications to markings or marking sets are subject to the Marking Set Cache Entry TTL setting, which affects how often the marking set cache is updated on the server and the current Administration Console for Content Platform Engine machine.

However, the marking set cache is updated whenever any change or addition is made to markings or marking sets. Therefore, the cache is most likely up-to-date by the time the MarkingSetsTTL forces a refresh of the cache.

Markings and marking sets are persisted in the FileNet P8 domain resource, the GCD. This gives them FileNet® P8 domain-wide scope, that is, they are available and have the same meaning across all object stores in a FileNet P8 domain served by a common GCD. The marking-enabled property templates and the actual properties based on these templates are, however, specific to the object store in which the property template was created.

The number or size of markings in a single marking set is limited by available system memory. To perform an access check on a marked object, the entire marking set and all its markings must be loaded into memory, which does not scale to millions of markings. For this reason, you should limit the number of markings in a marking set to no more than 100.

Markings cannot be used in conjunction with choice lists.

Last updated: March 2016

© Copyright IBM Corporation 2016.