Security to Objects

Normally, an object's security is controlled or determined in four ways. (Markings, if they are used, would be a fifth way)

1. Security parent and inheritance: Permissions can also be inherited from a parent object. Inheritance can take place between a class and its subclass, and between a folder and its containable objects (documents, custom objects, and other folders).
    
2. Direct Security: Users who have sufficient permission can edit an object's security by directly adding or removing security principals, or by changing the existing permissions already granted.
    
3. Default Instance Security : As an integral part of the class and instance design, objects such as documents, folders, and events are instances of their class. The class includes, among other things, a property containing the default security permissions that will be applied to all instances of the class. This is the simplest method of applying security: the security design sets up the default security that all instances of a class should have, and then all objects based on that class will have the same default security.
    
4. Security Policy and security templates : Security policies contain security templates which let you automatically apply security to documents, folders, and custom objects. In the case of documents, security templates can be associated with one of the several versioning states that documents pass through (Released, Superseded, In Process, or Reservation). This powerful feature provides efficient application of fine-tuned security across many objects.
    
5. Marking Sets : FileNet Content Engine (CE) Markings or Marking Sets provides a way to define a level of security on objects (i.e. documents) in addition to the normal FileNet P8 object security model. By using markings, access to objects can be controlled based on specific property value. Marking set's are collection of CE objects known as marking objects. Marking sets allows setting up security on an object with means of property template. When a marking is applied to an object, the resulting access permissions for the object are a combination of the settings of its original access permissions (through ACL) and the settings of the markings 'Constraint Mask' for each marking that is applied to it. The result of this combination is the effective security mask.