Markings allow access to objects to be controlled based on specific property values.
When a marking is applied to an object, the resulting access permissions for the object are a combination of the settings of its original access permissions and the settings of the marking's Constraint Mask for each marking that is applied to it. The result of this combination is the effective security mask.
In general terms, the way markings work is:
Markings do not replace conventional access permissions on an object, but rather are co-equal with them in determining access rights. In other words, if an object has one or more markings applied to it in addition to one or more permissions in its permissions collection (ACL), then access to that object is only granted if it is granted by the permissions and by the markings. Another way to think about how this works is:
You can have multiple properties with associated marking sets assigned to a single class, and they will all be used to determine the final access to the object. The collection of all markings actually applied to a particular object is displayed by Administration Console for Content Platform Engine as the object's "active markings".
Active markings is the term Administration Console for Content Platform Engine uses in its security editor on its Active Markings/Owner button. You will see this button text on object instances whether or not there are actually active markings applied to the object. This button will just say Owner for those objects that cannot have markings applied, which include all class definitions.
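The combination described above, as an added example (not IBM's code and not the Content Platform Engine API): it assumes a marking's Constraint Mask lists the rights withheld from any principal who lacks the Use right on that marking. The bit values, class and function names, and sample data are constructed for illustration.

```python
from dataclasses import dataclass

# Illustrative access-right bits (constructed; not the product's constants).
VIEW, MODIFY, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Marking:
    value: str                 # property value that activates this marking
    constraint_mask: int       # rights withheld from principals lacking Use (assumed model)
    use_granted_to: frozenset  # principals holding the Use right on this marking

def active_markings(properties, marking_sets):
    """Return the marking selected by each marking-enabled property value."""
    active = []
    for prop, value in properties.items():
        # Properties with no marking set attached contribute nothing.
        for marking in marking_sets.get(prop, ()):
            if marking.value == value:
                active.append(marking)
    return active

def effective_mask(principal, acl_mask, markings):
    """Rights granted by the ACL and not withheld by any active marking."""
    withheld = 0
    for marking in markings:
        if principal not in marking.use_granted_to:
            withheld |= marking.constraint_mask
    return acl_mask & ~withheld

if __name__ == "__main__":
    # Constructed sample: two marking-enabled properties on one object.
    secret = Marking("Secret", VIEW | MODIFY | DELETE, frozenset({"alice", "carol"}))
    apollo = Marking("Apollo", MODIFY | DELETE, frozenset({"alice", "bob"}))
    sets = {"Classification": [secret], "Project": [apollo]}
    props = {"Classification": "Secret", "Project": "Apollo", "Title": "Q3 plan"}
    active = active_markings(props, sets)
    full = VIEW | MODIFY | DELETE
    for user in ("alice", "bob", "carol"):
        print(user, bin(effective_mask(user, full, active)))
```

A principal with a full-control ACL entry still ends up with only the rights that every active marking leaves in place, and a principal cleared by every marking still gets no more than the ACL grants.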
Modifications to markings or marking sets are subject to the Marking Set Cache Entry TTL setting, which affects how often the marking set cache is updated on the server and the current Administration Console for Content Platform Engine machine.
However, the marking set cache is updated whenever any change or addition is made to markings or marking sets. Therefore, the cache is most likely up-to-date by the time the MarkingSetsTTL forces a refresh of the cache.
Markings and marking sets are persisted in the FileNet P8 domain resource, the GCD. This gives them FileNet® P8 domain-wide scope, that is, they are available and have the same meaning across all object stores in a FileNet P8 domain served by a common GCD. The marking-enabled property templates and the actual properties based on these templates are, however, specific to the object store in which the property template was created.
The number or size of markings in a single marking set is limited by available system memory. To perform an access check on a marked object, the entire marking set and all its markings must be loaded into memory, which is not feasible if there are millions of markings. For this reason, you should limit the number of markings in a marking set to no more than 100.
Markings cannot be used in conjunction with choice lists.