Whenever you attempt to access an object, the Security Manager allows or disallows the access, subject to the following sequence of clearance checks:
From within the Security Manager, a security administrator assigns a clearance level when defining your user IDs to TIBCO Object Service Broker. This clearance level, which is hierarchically evaluated, is used for each TIBCO Object Service Broker session initiated by your user ID. Only three clearance levels are supported:
When you create an object, the object is assigned the clearance level of your creating user ID. This is known as a mandatory classification level. If you are the owner of the object, you can change this classification level for the object. For more information about changing classification levels, refer to Task C: Modify the Classification Level.
If your user ID has a clearance level of 1, you cannot access an object with a classification level of 7. A user ID with a clearance level of 7 can modify an object with a classification level of 1 and the modified object maintains its classification level of 1.
After creating an object, you can assign permissions for particular types of access to the object. For example, you could assign other users READ access to the object but not INSERT or REPLACE access. These discretionary permissions, which are non-hierarchical, are then evaluated each time an access is made to the object.
Access permissions are properties of individual objects. As part of defining the composition of an object set, you indicate the access permissions for each individual object in the object set. When you give a user ID or a security group access to an object set, you are allowing access to all objects in the set, based on the accesses specified for each object. Refer to Chapter 7, Managing Object Set Security, for more detail about the use of object sets and security on object sets.
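The following Python model is an added illustration of the two checks described above, the hierarchical mandatory check and the non-hierarchical discretionary check, including access granted through an object set; it is not TIBCO Object Service Broker code or its API. The class and function names, the user IDs and object names, and the ordering of the mandatory check before the discretionary one are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    classification: int                         # mandatory level, set at creation
    perms: dict = field(default_factory=dict)   # user ID -> set of access types

@dataclass
class ObjectSet:
    members: dict                               # object name -> access types allowed via the set
    grantees: set = field(default_factory=set)  # user IDs given access to the set

def create(name, user, clearance):
    """A new object takes the clearance level of the creating user ID."""
    return Obj(name, clearance[user])

def check(user, obj, access, clearance, object_sets=()):
    """Return (allowed, reason); both checks must pass (order is an assumption)."""
    # Mandatory, hierarchical: clearance must be at least the classification.
    if clearance[user] < obj.classification:
        return False, "mandatory"
    # Discretionary, non-hierarchical: the exact access type must be granted,
    # directly on the object or through an object set the user ID holds.
    if access in obj.perms.get(user, set()):
        return True, "direct"
    for s in object_sets:
        if user in s.grantees and access in s.members.get(obj.name, set()):
            return True, "object-set"
    return False, "discretionary"

def demo():
    clearance = {"alice": 7, "bob": 1, "carol": 7}   # constructed user IDs
    payroll = create("PAYROLL", "alice", clearance)   # classification 7
    notices = create("NOTICES", "bob", clearance)     # classification 1
    payroll.perms["bob"] = {"READ"}       # granted, but bob lacks the clearance
    notices.perms["carol"] = {"READ"}     # READ only, not INSERT or REPLACE
    oset = ObjectSet({"NOTICES": {"REPLACE"}}, {"alice"})
    return [
        check("bob", payroll, "READ", clearance),
        check("carol", notices, "READ", clearance),
        check("carol", notices, "INSERT", clearance),
        check("alice", notices, "REPLACE", clearance, [oset]),
        notices.classification,           # unchanged by level-7 access
    ]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A discretionary grant never overrides a failed mandatory check: `bob` holds READ on `PAYROLL` in the model but is still refused because his clearance of 1 is below its classification of 7.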