Constraint Mask
By default, all the rights in the constraint mask are checked (selected), meaning every right is masked: only users who have the Use Marked Objects access right on the marking can view and access the object.
When one of the rights in the constraint mask is cleared, it indicates that users with this privilege on that object are allowed through the marking restriction even if they do not have the Use Marked Objects access right on the marking. In this way, the constraint mask can be used to design more granular control at the marking level.
Here are some examples to illustrate the security behavior of the constraint mask:
- If the constraint mask has all permissions selected (turned on), and if Alice does not have Use Marked Objects rights to that marking, then Alice will have no access and will not see the object, even if she has Full Control on the object's ACL.
- If the constraint mask has all permissions selected (turned on) except View All Properties and Delete, which are deselected (turned off), and if Bob does not have Use Marked Objects rights to that marking, then Bob can see and delete the object, provided that he is granted those permissions on the object's ACL.
- If the constraint mask has all permissions deselected (turned off), and even if Carol does not have Use Marked Objects rights to the marking, then Carol can do everything to that object granted her by the object's ACL. (Deselecting all permissions in the constraint mask effectively renders the marking inactive.)
- If Dave has Use Marked Objects rights to the marking, the constraint mask has no effect on his resulting access. His access will be solely determined by the object's ACL.
In the following graphic:
- Alice and Bob are members of the Authors group. The only right selected in the constraint mask is Modify all properties. The ACL on the document gives Authors the Delete permission.
- Alice has the Use Marked Objects right, and therefore the marking's constraint mask does not apply. She can delete the document (and anything else that the ACL grants to Authors).
- Bob does not have the Use Marked Objects right, and therefore the marking's constraint mask applies to him. The constraint mask specifies Modify all properties, which means that Bob does not have the Modify all properties right on any object to which this marking is applied, even if it is explicitly granted to him by the ACL. The document has not granted the Modify all properties right to Bob in the first place, since he is not a member of the Editors group, and therefore the marking has no impact on him. Also, Bob can delete the document (regardless of whether or not he has the Use Marked Objects right), since the marking's constraint mask does not affect the Delete right, and because it has been granted to him by virtue of his membership in the Authors group.
- Alice and Bob are not members of the Editors group. Because the Editors group is not listed on the marking, Editors do not have the Modify all properties right despite being granted Full Control by the document itself. The reason for this is the constraint mask in the example only specifies the Modify all properties right. As a result, either having or not having the Use marked object right on the marking can only affect the Modify all properties right on any given object marked with this marking.
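The rule described above reduces to a small evaluation step: a user who holds Use Marked Objects on the marking keeps whatever the ACL grants; any other user keeps only those ACL rights that are not selected in the constraint mask. The following Python model is an added illustration (not product code) that walks through both the four Alice/Bob/Carol/Dave examples and the Authors/Editors scenario from the graphic. The set of right names, the group-to-rights ACL layout, the single-marking simplification, and the assumption that an object is visible only when View All Properties survives the mask are all constructed for the example.

```python
"""Simplified model of a marking constraint mask (added example, not product code).

Assumptions (constructed for this illustration):
  * Rights are plain strings; ALL_RIGHTS is a small constructed subset of
    the real access-right list, and FULL_CONTROL means all of them.
  * An object carries one marking.
  * A user can see an object only if "View All Properties" survives.
"""
from __future__ import annotations

from typing import Dict, FrozenSet, Iterable

Rights = FrozenSet[str]

ALL_RIGHTS: Rights = frozenset({
    "View All Properties",
    "Modify All Properties",
    "Delete",
    "View Content",
    "Modify Permissions",
})
FULL_CONTROL: Rights = ALL_RIGHTS


def acl_rights(user_groups: Iterable[str], acl: Dict[str, Rights]) -> Rights:
    """Union of the rights the ACL grants to any group the user belongs to."""
    granted: set[str] = set()
    for group in user_groups:
        granted |= acl.get(group, frozenset())
    return frozenset(granted)


def effective_rights(granted: Rights, constraint_mask: Rights,
                     has_use_marked_objects: bool) -> Rights:
    """Apply the marking's constraint mask to the rights the ACL granted.

    Use Marked Objects bypasses the mask entirely; otherwise every right that
    is selected (masked) in the constraint mask is removed, and a cleared
    right passes through untouched.  An empty mask disables the marking.
    """
    if has_use_marked_objects:
        return granted
    return granted - constraint_mask


def is_visible(rights: Rights) -> bool:
    """Constructed visibility rule: the object is seen only with View All Properties."""
    return "View All Properties" in rights


def run_examples() -> Dict[str, Rights]:
    """The four bulleted examples: Alice, Bob, Carol and Dave."""
    return {
        # All rights masked, no Use Marked Objects, Full Control on the ACL -> nothing.
        "alice": effective_rights(FULL_CONTROL, ALL_RIGHTS, False),
        # View All Properties and Delete cleared in the mask; ACL grants both.
        "bob": effective_rights(frozenset({"View All Properties", "Delete"}),
                                ALL_RIGHTS - {"View All Properties", "Delete"}, False),
        # Empty mask: the marking is effectively inactive.
        "carol": effective_rights(FULL_CONTROL, frozenset(), False),
        # Use Marked Objects held: the mask has no effect at all.
        "dave": effective_rights(FULL_CONTROL, ALL_RIGHTS, True),
    }


def graphic_example() -> Dict[str, Rights]:
    """The Authors/Editors scenario: mask selects only Modify All Properties."""
    acl: Dict[str, Rights] = {
        "Authors": frozenset({"Delete"}),
        "Editors": FULL_CONTROL,
    }
    mask: Rights = frozenset({"Modify All Properties"})
    return {
        # Alice: Authors member with Use Marked Objects -> ACL applies as-is.
        "alice": effective_rights(acl_rights(["Authors"], acl), mask, True),
        # Bob: Authors member without the right -> Delete is unaffected by the mask.
        "bob": effective_rights(acl_rights(["Authors"], acl), mask, False),
        # An Editor not listed on the marking loses only Modify All Properties.
        "editor": effective_rights(acl_rights(["Editors"], acl), mask, False),
    }


if __name__ == "__main__":
    for name, rights in {**run_examples(), **graphic_example()}.items():
        print(f"{name:>7}: visible={is_visible(rights)} rights={sorted(rights)}")
```

Running the module prints each person's surviving rights; the Editors case is the one worth studying, since it shows the mask stripping exactly one right out of Full Control while leaving Delete and the rest intact.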