Each access control entry listed on a marking value's security
page is marked either Allow or Deny.
- Allow
Allow is the default setting for each new security added to a
marking's security list. It is also the most common way to set up
marking security behavior. Unless clearly stated, this topic describes
Allow security types.
- Deny
Typically markings are used to determine who will be denied
access to evaluate the security rights of the object. Users who have
the Use Marked Objects access right will not be limited by the constraint
mask of the marking. However, an administrator can set up deny rights
on the marking which will override any allow access otherwise granted
to the marking. For example:
- The security on a document grants #AUTHENTICATED-USERS full control
access.
- The document has a single-valued property associated with a marking
set with possible values of Chicago, New York, and Boston.
- The property value is set to Boston.
- The Boston marking has a constraint mask of full control allow
(all permissions selected).
- The group Everyone_Boston has Use/Allow rights to the Boston marking.
- The Sales group has Use/Deny rights to the Boston marking.
In this scenario:
- Users who are not members of Everyone_Boston cannot access the
document.
- Users who are members of Everyone_Boston can access the document,
unless they are also members of Sales.
- Users who are members of Everyone_Boston and Sales cannot access
the document. The deny setting on the marking overrides the allow
setting and ensures that no one in Sales sees the document even if
they are in the Boston office.
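
The scenario above, worked through as a small Python model. This is an added example, not the product's API: the `Marking` class, the `effective_rights` helper and the right names are hypothetical. It assumes the constraint mask lists the rights removed from any user who does not hold Use rights on the marking.

```python
# Simplified model of marking evaluation; right names are constructed placeholders.
FULL_CONTROL = frozenset({"view", "modify", "delete", "change_security"})


class Marking:
    def __init__(self, value, constraint_mask, use_aces):
        self.value = value
        self.constraint_mask = frozenset(constraint_mask)
        self.use_aces = use_aces  # list of (principal, "allow" | "deny")

    def grants_use(self, principals):
        """True if the principals hold Use rights on this marking."""
        matching = [kind for who, kind in self.use_aces if who in principals]
        if "deny" in matching:      # a deny entry overrides any allow entry
            return False
        return "allow" in matching  # no matching entry means no Use right


def effective_rights(principals, object_acl, marking):
    """Rights left after the object's ACL and the marking are both applied."""
    granted = set()
    for who, rights in object_acl:
        if who in principals:
            granted |= rights
    if not marking.grants_use(principals):
        granted -= marking.constraint_mask  # mask limits users without Use
    return frozenset(granted)


# Constructed data mirroring the scenario in the text.
DOC_ACL = [("#AUTHENTICATED-USERS", FULL_CONTROL)]
BOSTON = Marking("Boston", FULL_CONTROL,
                 [("Everyone_Boston", "allow"), ("Sales", "deny")])
USERS = {  # constructed user names and group memberships
    "outsider": {"#AUTHENTICATED-USERS"},
    "boston_staff": {"#AUTHENTICATED-USERS", "Everyone_Boston"},
    "boston_sales": {"#AUTHENTICATED-USERS", "Everyone_Boston", "Sales"},
}


def scenario():
    return {name: effective_rights(groups, DOC_ACL, BOSTON)
            for name, groups in USERS.items()}


if __name__ == "__main__":
    for name, rights in scenario().items():
        print(name, sorted(rights) or "no access")
```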