Security markings

The IBM InfoSphere Enterprise Records security implementation includes the use of marking sets, which are special property values that control access to objects. Users can access an object if they meet the criteria set by the instance security and the marking value. Marking sets apply to an entire P8 domain, and therefore are available to all object stores in that domain. For more information about marking sets, see Markings.

IBM InfoSphere Enterprise Records includes several marking sets that are created on the Content Engine server as part of the IBM InfoSphere Enterprise Records installation process. These marking sets include the following:

Prevent IBM InfoSphere Enterprise Records Entity Deletion

The Prevent RM Entity Deletion hierarchical marking set is available in the DoD and Base installations of IBM InfoSphere Enterprise Records. The PRO installation uses a different marking set named "Prevent RM Entity Deletion PRO." For DoD and Base installations, the marking set prevents users who are not Records Administrators or Records Managers from deleting entities, including file plans, record categories, record folders, volumes, and records. In PRO installations, IBM InfoSphere Enterprise Records prevents users who are not Records Administrators from deleting these entities. Because the Prevent RM Entity Deletion marking set is used internally by IBM InfoSphere Enterprise Records, do not modify this marking set.

The marking set includes the following markings:

Supplemental Marking

This is a non-hierarchical marking set that is available in the PRO and DoD installations of IBM InfoSphere Enterprise Records. The Supplemental Marking set does not contain any markings. You can create markings in this set to meet your application-specific requirements. For example, you can create markings that elaborate on or clarify document handling, such as markings for ORCON (ORiginator CONtrolled), RD (Restricted Data), and FRD (Formerly Restricted Data). The Supplemental Marking set applies to record categories, record folders, volumes, and records.

IBM InfoSphere Enterprise Records includes a report for the PRO data model that displays all of the electronic folders and records associated with a specific type of supplemental marking. For more information on generating reports, see Report Generation.

Security Categories

Security categories are hierarchical marking sets that are available in both the PRO data model and DoD Classified data model.

The PRO data model consists of these markings:

The DoD Classified data model consists of these markings:

In the PRO data model, by default, the Records Administrator is assigned to Top Secret, and inherits assignment to Secret, Confidential, and Unclassified. All other users are assigned to the Unclassified marking.

In the DoD Classified data model, initially no users are assigned to Top Secret, Secret, and Confidential. Authenticated users are assigned to the Unclassified marking.

In both data models, the Records Administrator (in PRO) or the Records Manager (in DoD) who has GCD administrator rights can change the security settings for any of these markings. For information about the GCD administrator role, see GCD administrator role.

For example, you can add groups and users to the Secret, Confidential, and Restricted markings. For information on how to modify markings, see Edit a marking.

CAUTION  If you edit the hierarchical marking set for the DoD Classified data model, note the following requirements:

Classified records will not work correctly if you do not adhere to the requirements. For example, if you add another marking below Unclassified, then records that were declared as Unclassified cannot be edited.

In the PRO data model, the Security Categories marking set applies to the following entities: record categories, record folders, volumes, and records. By default, these entities have the Unclassified marking applied to them. When you create or declare one of these entities, you can change the value of the Security Category property to a different category. The Security Category property displays on the Set Properties page when you create or declare an entity. The IBM InfoSphere Enterprise Records security wizard updates the security on the marking based on the IBM InfoSphere Enterprise Records roles.

In the DoD Classified data model, the Current Classification marking applies only to records. IBM InfoSphere Enterprise Records sets the Current Classification when a user declares the record. In addition, IBM InfoSphere Enterprise Records changes the Current Classification marking only when an authorized user changes the record's classification.

By default, a child object inherits the security markings from the parent object. The PRO data model allows a parent object to inherit settings from the child object if the child is assigned a more secure security marking. To configure security propagation from a child object to a parent object:

  1. Configure the Security Propagation COM Event.
  2. Subscribe classes to the Security Propagation COM event. IBM InfoSphere Enterprise Records uses these event subscriptions to propagate updates to the parent security marking.
  3. Configure the Propagation Security Marking setting in IBM InfoSphere Enterprise Records. For information about how to configure marking propagation, see Configure Security Marking Propagation.
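
The following is an added illustration, not IBM code and not the Content Engine API: a simplified model of the access rule (instance security and marking must both allow access, with hierarchical inheritance) and of child-to-parent propagation in the PRO data model. The class and function names are hypothetical, the level order is taken from the PRO default-assignment paragraph, and propagating through every ancestor rather than only the immediate parent is an assumption of the model.

```python
# Simplified model of hierarchical markings; not the Content Engine API.
from dataclasses import dataclass, field
from typing import Optional

# Lowest to highest, using the four PRO markings named in the text above.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass
class Entity:
    name: str
    marking: str = "Unclassified"            # default marking on new entities
    acl: set = field(default_factory=set)    # instance security: allowed users
    parent: Optional["Entity"] = None

def effective_markings(assigned: str) -> set:
    """A user assigned to one marking also holds every marking below it."""
    return set(LEVELS[: RANK[assigned] + 1])

def can_access(user: str, assigned: str, entity: Entity) -> bool:
    """Both checks must pass: instance security and the marking value."""
    return user in entity.acl and entity.marking in effective_markings(assigned)

def set_marking(entity: Entity, marking: str, propagate_to_parent=False) -> list:
    """Apply a marking; optionally raise ancestors that are less secure.

    Returns the names of the ancestors whose marking was raised.
    Walking past the immediate parent is an assumption of this model.
    """
    entity.marking = marking
    changed = []
    node = entity.parent
    while propagate_to_parent and node is not None:
        if RANK[node.marking] < RANK[marking]:
            node.marking = marking
            changed.append(node.name)
        node = node.parent
    return changed

def demo():
    # Constructed sample hierarchy: category > folder > record.
    category = Entity("Category", acl={"admin", "clerk"})
    folder = Entity("Folder", acl={"admin", "clerk"}, parent=category)
    record = Entity("Record", acl={"admin"}, parent=folder)
    before = can_access("clerk", "Unclassified", category)
    changed = set_marking(record, "Secret", propagate_to_parent=True)
    after = can_access("clerk", "Unclassified", category)
    admin = can_access("admin", "Top Secret", category)
    return before, changed, after, admin
```

In the sample, raising one record to Secret with propagation enabled removes an Unclassified user's access to the containing folder and category even though the instance security on those containers is unchanged, which is the effect to review before subscribing classes to the propagation event.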