When using only a UFID for the authorized participant, specifying a user-defined group to identify the authorized participants provides the most flexibility, as membership in the group can be modified as needed using the Participant Administration utility, the > page, or a third-party LDAP tool to manage groups within an LDAP directory service. If a group is used as the authorized participant for a custom security label, the membership of the group can include other groups.

Users who are not authorized participants for any value of the custom security label are denied access to objects with that label value applied, unless they are specifically granted temporary clearance to the value by being in the authorized participants set for an agreement. Being authorized for one security label does not automatically authorize a user for any other security label. Users must be cleared for all security labels that are set on an object to be able to access the object.
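The rules above can be checked against a small model. The following is an added example, not the product's own code or API: the group names, label names, users and the dated validity window on the agreement are all constructed assumptions, and the model denies access for any label value that has no authorized participant defined.

```python
"""Constructed model of the clearance rules described above (not a product API)."""
from datetime import date

# Constructed sample data: group -> members (users or nested groups).
GROUPS = {
    "export-cleared": {"alice", "us-engineers"},
    "us-engineers": {"bob"},
    "legal-reviewers": {"alice", "carol"},
}
# (label, value) -> authorized participant group. Hypothetical label names.
AUTHORIZED = {
    ("EXPORT_CONTROL", "LICENSE_REQUIRED"): "export-cleared",
    ("LEGAL", "PRIVILEGED"): "legal-reviewers",
}
# Agreements grant temporary clearance; the date window is an assumption.
AGREEMENTS = [
    {"participants": {"bob"}, "cleared": {("LEGAL", "PRIVILEGED")},
     "start": date(2024, 1, 1), "end": date(2024, 6, 30)},
]

def in_group(user, group, seen=None):
    """True for direct or nested membership; 'seen' guards against cycles."""
    seen = seen if seen is not None else set()
    if group in seen:
        return False
    seen.add(group)
    members = GROUPS.get(group, set())
    return user in members or any(
        m in GROUPS and in_group(user, m, seen) for m in members)

def cleared_for(user, label_value, today):
    """Cleared via the authorized participant group or an active agreement."""
    group = AUTHORIZED.get(label_value)
    if group is not None and in_group(user, group):
        return True
    return any(user in a["participants"] and label_value in a["cleared"]
               and a["start"] <= today <= a["end"] for a in AGREEMENTS)

def can_access(user, object_labels, today):
    """Every label value on the object must be cleared; one failure denies."""
    return all(cleared_for(user, lv, today) for lv in object_labels)
```

Running `can_access` for the same user on dates inside and outside the agreement window shows how temporary clearance lapses without any change to group membership.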