The IBM® Enterprise Records security implementation includes the use of marking sets, which are special property values that control access to objects. Users can access an object if they meet the criteria set by the instance security and the marking value. Marking sets apply to an entire FileNet® P8 domain, and therefore are available to all object stores in that domain.

IBM Enterprise Records includes several marking sets that are created on the Content Engine server as part of the IBM Enterprise Records installation process. These marking sets include the following:
- Prevent IBM Enterprise Records Entity Deletion
- Supplemental Marking (DoD and PRO)
- Security Categories (PRO)
- Security Categories (DoD Classified)

Prevent IBM Enterprise Records Entity Deletion

The Prevent RM Entity Deletion hierarchical marking set is available in the DoD and Base installations of IBM Enterprise Records. The PRO installation uses a different marking set named Prevent RM Entity Deletion PRO. For DoD and Base installations, the marking set prevents users who are not Records Administrators or Records Managers from deleting entities, including file plans, record categories, record folders, volumes, and records. In PRO installations, IBM Enterprise Records prevents users who are not Records Administrators from deleting these entities. Because the Prevent RM Entity Deletion marking set is used internally by IBM Enterprise Records, do not modify this marking set.

The marking set includes the following markings:
- Default: This is the default marking that IBM Enterprise Records applies to the above-mentioned entities.
- Prevent Delete: IBM Enterprise Records applies this marking when an entity is placed on hold. When this marking is applied, the entity cannot be deleted by anyone, including Records Administrators and Records Managers.

Supplemental Marking

This is a non-hierarchical marking set that is available in the PRO and DoD installations of IBM Enterprise Records. The Supplemental Marking set does not contain any markings. You can create markings in this set to meet your application-specific requirements. For example, you can create markings that elaborate on or clarify document handling, such as markings for ORCON (ORiginator CONtrolled), RD (Restricted Data), and FRD (Formerly Restricted Data). The Supplemental Markings set applies to record categories, record folders, volumes, and records.
- To use this marking set, add markings to the marking set.
- To display the Supplemental Markings List property in the IBM Enterprise Records user interfaces for creating containers, use Enterprise Manager to deselect the Hidden checkbox of the Supplemental Markings List property template.
- To display the Supplemental Markings List property in a Declare as Record entry template, add the property to the entry template.

IBM Enterprise Records includes a report for the PRO data model that displays all of the electronic folders and records associated with a specific type of supplemental marking. For more information on generating reports, see Report generation.

Security Categories

Security categories are hierarchical marking sets that are available in both the PRO data model and DoD Classified data model.

The PRO data model consists of these markings:
- Top Secret (highest in the hierarchy)
- Secret
- Confidential
- Restricted
- Unclassified (lowest in the hierarchy)
The DoD Classified data model consists of these markings:
- Top Secret (highest in the hierarchy)
- Secret
- Confidential
- Unclassified (lowest in the hierarchy)

In the PRO data model, by default, the Records Administrator is assigned to Top Secret, and inherits assignment to Secret, Confidential, and Unclassified. All other users are assigned to the Unclassified marking.

In the DoD Classified data model, initially no users are assigned to Top Secret, Secret, and Confidential. Authenticated users are assigned to the Unclassified marking.

For both data models, the Records Administrator (in PRO) or the Records Manager (in DoD) who has GCD administrator rights can change the security settings for any of these markings. For example, you can add groups and users to the Secret, Confidential, and Restricted markings.

If you edit the hierarchical marking set for the DoD Classified data model, note the following requirements:
- The Unclassified marking must be the lowest level in the hierarchy.
- The name of that marking must be Unclassified.

Classified records will not work correctly if you do not adhere to these requirements. For example, if you add another marking below Unclassified, then records that were declared as Unclassified cannot be edited.

In the PRO data model, the Security Categories marking set applies to the following entities: record categories, record folders, volumes, and records. By default, these entities have the Unclassified marking applied to them. When you create or declare one of these entities, you can change the value of the Security Category property to a different category. The Security Category property displays on the Set Properties page when you create or declare an entity. The IBM Enterprise Records security wizard updates the security on the marking based on the IBM Enterprise Records roles.

In the DoD Classified data model, the Current Classification marking applies only to records. IBM Enterprise Records sets the Current Classification when a user declares the record. In addition, IBM Enterprise Records changes the Current Classification marking only when an authorized user changes the record's classification.

By default, a child object inherits the security markings from the parent object. The PRO data model allows a parent object to inherit settings from the child object, if the child is assigned a more secure security marking. To configure security propagation from a child object to a parent object:
- Configure the Security Propagation COM Event.
- Subscribe classes to the Security Propagation COM event. IBM Enterprise Records uses these event subscriptions to propagate updates to the parent security marking.
- Configure the Propagation Security Marking setting in IBM Enterprise Records. For information about how to configure marking propagation, see Configuring security marking propagation.
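
The following Python sketch is an added example, not IBM code and not the Content Engine API: it models the security-category hierarchy described above to show the DoD Classified editing requirements, the combined instance-security and marking check, and the PRO child-to-parent propagation rule. The function names, the constructed "Public" marking, and the rule that assignment to a marking carries to every marking below it are assumptions made for illustration.

```python
# Added illustration: a simplified model of hierarchical security-category
# marking sets. It does not call or reproduce the Content Engine API.
PRO = ["Top Secret", "Secret", "Confidential", "Restricted", "Unclassified"]
DOD = ["Top Secret", "Secret", "Confidential", "Unclassified"]  # highest first


def validate_dod_hierarchy(levels):
    """Return violations of the two DoD Classified editing requirements."""
    if "Unclassified" not in levels:
        return ["no marking is named exactly 'Unclassified'"]
    below = levels[levels.index("Unclassified") + 1:]
    return [f"marking below Unclassified: {name}" for name in below]


def effective_markings(levels, assigned):
    """Assumption: assignment to a marking is inherited by all markings below it."""
    if not assigned:
        return set()
    highest = min(levels.index(name) for name in assigned)
    return set(levels[highest:])


def can_access(levels, assigned, instance_security_ok, object_marking):
    """Both the instance security and the marking check must pass."""
    return instance_security_ok and object_marking in effective_markings(levels, assigned)


def propagate_to_parent(levels, parent_marking, child_marking):
    """PRO child-to-parent rule: the parent changes only if the child is more secure."""
    if levels.index(child_marking) < levels.index(parent_marking):
        return child_marking
    return parent_marking


if __name__ == "__main__":
    edited = DOD + ["Public"]  # constructed bad edit: a marking added below Unclassified
    print(validate_dod_hierarchy(DOD), validate_dod_hierarchy(edited))
    print(can_access(DOD, {"Unclassified"}, True, "Secret"))       # marking check fails
    print(can_access(PRO, {"Top Secret"}, False, "Confidential"))  # instance security fails
    print(propagate_to_parent(PRO, "Unclassified", "Secret"))
```

Running `validate_dod_hierarchy` against an exported list of marking names before saving an edit to the DoD Classified set catches the misconfiguration that leaves Unclassified records uneditable.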