FileNet P8 Platform, Version 5.2.1            

Allow, Deny permissions

Each access control entry listed on a marking value's security page is marked either Allow or Deny.

Allow
Allow is the default setting for each new security added to a marking's security list. It is also the most common way to set up marking security behavior. Unless clearly stated, this topic describes Allow security types.
Deny

Typically markings are used to determine who will be denied access to evaluate the security rights of the object. Users who have the Use Marked Objects access right will not be limited by the constraint mask of the marking. However, an administrator can set up deny rights on the marking which will override any allow access otherwise granted to the marking. For example:

  1. The security on a document grants #AUTHENTICATED-USERS full control access.
  2. The document has a single-valued property associated with a marking set with possible values of Chicago, New York, and Boston.
  3. The property value is set to Boston.
  4. The Boston marking has a constraint mask of full control allow (all permissions selected).
  5. The group Everyone_Boston has Use/Allow rights to the Boston marking.
  6. The Sales group has Use/Deny rights to the Boston marking.

    In this scenario:

    • Users who are not members of Everyone_Boston cannot access the document.
    • Users who are members Everyone_Boston can access the document, unless they are also members of Sales.
    • Users who are members of Everyone_Boston and Sales cannot access the document. The deny setting on the marking overrides the allow setting and ensures that no one in Sales sees the document even if they are in the Boston office.


Last updated: March 2016
p8psa063.htm

© Copyright IBM Corporation 2016.