By default, every right in the constraint mask is checked (selected), meaning all rights
are masked: only users who hold the Use Marked Objects access
right on the marking are able to view and access the object.
When one of the rights in the constraint mask is cleared, it indicates
that users who are granted this right on that object are allowed through
the marking restriction even if they do not have the Use Marked Objects
access right on the marking. In this way, the constraint mask can
be used to design more granular control at the marking level.
Here are some examples to illustrate the security behavior of the
constraint mask:
- If the constraint mask has all permissions selected (turned on),
and if Alice does not have Use Marked Objects rights to that marking,
then Alice will have no access and will not see the object, even if
she has Full Control on the object's ACL.
- If the constraint mask has all permissions selected (turned on)
except View All Properties and Delete which are deselected (turned
off), and if Bob does not have Use Marked Objects rights to that marking,
then Bob can see and delete the object, provided that he is granted
those permissions on the object's ACL.
- If the constraint mask has all permissions deselected (turned
off), and even if Carol does not have Use Marked Objects rights to
the marking, then Carol can do everything to that object granted her
by the object's ACL. (Deselecting all permissions in the constraint
mask effectively renders the marking inactive.)
- If Dave has Use Marked Objects rights to the marking, the constraint
mask has no effect on his resulting access. His access will be solely
determined by the object's ACL.
In the following graphic:
- Alice and Bob are members of the Authors group. The only property
selected in the constraint mask is Modify all properties. The ACL
on the document gives Authors the Delete permission.
- Alice has the Use Marked Objects right, and therefore the marking's
constraint mask does not apply. She can delete the document (and anything
else that the ACL grants to Authors).
- Bob does not have the Use Marked Objects right, and therefore the marking's
constraint mask applies to him. The constraint mask specifies Modify
all properties, which means that Bob does not have the Modify
all properties right on any object to which this marking is applied,
even if it is explicitly granted to him by the ACL. The document has
not granted the Modify all properties right to Bob in the first place,
since he is not a member of the Editors group, and therefore the marking
has no impact on him. Also, Bob can delete the document (regardless
of whether or not he has the Use Marked Objects right) since the marking's
constraint mask does not affect the Delete right, and because it has
been granted to him by virtue of his membership in the Authors group.
- Alice and Bob are not members of the Editors group. Because the
Editors group is not listed on the marking, Editors do not have the
Modify all properties right despite being granted Full Control by
the document itself. The reason for this is that the constraint mask in
the example specifies only the Modify all properties right. As a result,
having or not having the Use Marked Objects right on the marking
can only affect the Modify all properties right on any given object
marked with this marking.
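The rule described above (Use Marked Objects bypasses the marking; otherwise every right checked in the constraint mask is withheld regardless of the ACL) can be modelled as bit arithmetic. The following is an added illustrative model, not the product's own API: the right bits, the extra rights folded into "Full Control", and the group names are assumptions, and the scenarios replay the Alice/Bob/Carol/Dave cases and the graphic above.

```python
# Illustrative model of a marking's constraint mask (added example, not the
# product's own API). Rights are bits; names follow the page's wording, and
# READ_CONTENT / WRITE_OWNER are assumed extras to make "Full Control" wider.
VIEW_ALL_PROPERTIES = 1 << 0
MODIFY_ALL_PROPERTIES = 1 << 1
DELETE = 1 << 2
READ_CONTENT = 1 << 3
WRITE_OWNER = 1 << 4
FULL_CONTROL = (VIEW_ALL_PROPERTIES | MODIFY_ALL_PROPERTIES | DELETE
                | READ_CONTENT | WRITE_OWNER)


def acl_grant(acl, groups):
    """Union of the rights the object's ACL grants to any of the user's groups."""
    rights = 0
    for group in groups:
        rights |= acl.get(group, 0)
    return rights


def effective_access(granted, constraint_mask, has_use_marked_objects):
    """Rights a user ends up with on an object carrying the marking.

    With Use Marked Objects the marking is bypassed and the ACL decides alone.
    Without it, every right that is checked (set) in the constraint mask is
    withheld, even if the ACL grants it; cleared rights pass through unchanged.
    """
    if has_use_marked_objects:
        return granted
    return granted & ~constraint_mask


def can_see(access):
    """The object is visible only if View All Properties survives the mask."""
    return bool(access & VIEW_ALL_PROPERTIES)


def graphic_example():
    """The page's graphic: the mask checks only Modify all properties; the ACL
    gives Authors Delete and Editors Full Control. Returns (alice, bob, editor)."""
    mask = MODIFY_ALL_PROPERTIES
    acl = {"Authors": DELETE, "Editors": FULL_CONTROL}   # constructed ACL
    alice = effective_access(acl_grant(acl, ["Authors"]), mask, True)
    bob = effective_access(acl_grant(acl, ["Authors"]), mask, False)
    # An Editor without Use Marked Objects: Full Control minus the masked right.
    editor = effective_access(acl_grant(acl, ["Editors"]), mask, False)
    return alice, bob, editor
```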
