Accessing Objects Through an Agreement
Active agreements provide a set of participants (users, groups, or organizations) with clearance for one or more security label values on authorized security-labeled objects. Depending on how security labels were configured and whether the Select Authorized Security Label Values step was enabled, the agreement may clear the participants for only certain custom security labels or standard security label values. The participants cleared by an agreement are not authorized participants for the security label value itself; they are authorized participants for the agreement only. Once a user has been cleared for the security label value, whether through the agreement's authorized participants list or through the configuration of the security label value's authorized participants, the user must still have the appropriate permissions on the object to access it. In the example below, the user is a member of the authorized participants group for an agreement of the State Export Agreement type, a standard agreement that authorizes access to objects with the License Required - State security label value. Because she is an authorized participant, she is able to access object A for the duration of the agreement, provided that she also has the appropriate access control permissions.
If, however, an object has more than one security label applied, the user must be an authorized participant for all of its security label values, whether through configuration of a UFID for the security label value's authorized participants, through a custom evaluator, through both a UFID and a custom evaluator, or through an active agreement's authorized participants list. Depending on how your security labels are configured and whether the Select Authorized Security Label Values step was enabled, one type of agreement can cover multiple security label values. In the example below, the user is cleared for the License Required - State value through a State Export Agreement. However, she is denied access because she is not an authorized participant for the Internal security label value, either directly or through another agreement. If the user is added to an additional agreement that authorizes her for the Internal security label value, and she has the appropriate access control permissions for object A, then she will be able to access the object.
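The following Python model is an added example, not code from the product or its documentation. It shows how the two rules above combine: a user must be cleared for every security label value on an object, by any of the three routes named (authorized participants configured on the value, a custom evaluator, or an active agreement that both lists the user and covers that value), and must separately hold the required access control permission. The user names, dates, permissions, the attribute-based custom evaluator, and the rule that a null label value needs no clearance are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# --- Constructed sample data (assumptions, not from the documentation) ------

# Hypothetical user attributes consulted by a custom evaluator.
USER_ATTRIBUTES = {
    "jane": {"org": "Contractor"},
    "dave": {"org": "Company"},
}

# Authorized participants configured directly on each security label value
# (the UFID-based configuration route described in the text).
VALUE_AUTHORIZED_PARTICIPANTS = {
    "License Required - State": {"export_officer"},
    "Internal": set(),
}

# Custom evaluators per label value: callable(user) -> bool.
CUSTOM_EVALUATORS = {
    "Internal": lambda user: USER_ATTRIBUTES.get(user, {}).get("org") == "Company",
}


@dataclass(frozen=True)
class Agreement:
    name: str
    agreement_type: str
    participants: frozenset    # users cleared by this agreement
    label_values: frozenset    # security label values the agreement clears
    start: date
    end: date

    def is_active(self, on: date) -> bool:
        """An agreement clears its participants only while it is active."""
        return self.start <= on <= self.end


@dataclass(frozen=True)
class LabeledObject:
    name: str
    labels: dict    # security label name -> value (None models a null value)
    acl: dict       # user -> set of granted access control permissions


STATE_EXPORT_AGREEMENT = Agreement(
    "State Export Agreement for Object A", "State Export Agreement",
    frozenset({"jane"}), frozenset({"License Required - State"}),
    date(2024, 1, 1), date(2024, 12, 31),
)
INTERNAL_AGREEMENT = Agreement(
    "Internal Access Agreement", "Internal Agreement",
    frozenset({"jane"}), frozenset({"Internal"}),
    date(2024, 1, 1), date(2024, 12, 31),
)

# Object A with one non-null label (first example) and with two (second example).
OBJECT_A = LabeledObject(
    "A", {"Export Control": "License Required - State", "Distribution": None},
    {"jane": {"Read"}, "dave": {"Read"}},
)
OBJECT_A_TWO_LABELS = LabeledObject(
    "A", {"Export Control": "License Required - State", "Distribution": "Internal"},
    {"jane": {"Read"}, "dave": {"Read"}},
)


def cleared_for_value(user, value, agreements, on):
    """True if the user is cleared for one label value by any of the routes."""
    if value is None:                       # assumption: a null value needs no clearance
        return True
    if user in VALUE_AUTHORIZED_PARTICIPANTS.get(value, set()):
        return True                         # configured authorized participant
    evaluator = CUSTOM_EVALUATORS.get(value)
    if evaluator is not None and evaluator(user):
        return True                         # custom evaluator grants clearance
    return any(                             # active agreement covering this value
        a.is_active(on) and user in a.participants and value in a.label_values
        for a in agreements
    )


def missing_clearances(user, obj, agreements, on):
    """Label values on the object for which the user has no clearance (sorted)."""
    return sorted(
        v for v in obj.labels.values()
        if not cleared_for_value(user, v, agreements, on)
    )


def can_access(user, obj, permission, agreements, on):
    """Clearance for every label value AND the ACL permission are both required."""
    if missing_clearances(user, obj, agreements, on):
        return False
    return permission in obj.acl.get(user, set())


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(can_access("jane", OBJECT_A, "Read", [STATE_EXPORT_AGREEMENT], today))
    print(missing_clearances("jane", OBJECT_A_TWO_LABELS, [STATE_EXPORT_AGREEMENT], today))
```

Running it with only the State Export Agreement in force shows jane reading the single-label object A but being refused the two-label version with `Internal` reported as the missing clearance; adding the second agreement, or letting the agreement lapse, flips the result exactly as the text describes. The `missing_clearances` helper is the check a practitioner wants when diagnosing a denial, since it names which label value still needs clearance rather than only returning false.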
For more information about accessing objects with multiple security labels set, see Non-Null Label Values and Their Authorized Participants.