Typically, in a content management system and in other contexts in which access to electronically stored content is restricted, a user (individual, system, application, process, etc.) is permitted to access a content item if the user is included, individually or by virtue of membership in a group, in an “access control list” (ACL) associated with the content item. Stated another way, the rights of a particular user to access a content item typically has been determined based on the union of the respective rights (if any) the user has by virtue of the individual's personal identity, role, group membership, etc. So, if an individual is listed by name or role, for example, as having “read” access to an item but is also a member of a “manager group” that has been delegated “write” access, in a typical system the user would be given “write” access.
In some contexts, however, it may be necessary and/or desired to control access in other and/or additional ways. For example, it may be desirable to grant “write” access to members of the “manager group” who are also associated with a particular product, division, geographic region, etc. Other examples of additional restrictions include ensuring access is limited to individuals who hold a particular level of security clearance, e.g., enforcing “security labels” such as “top secret”, and/or other security markings or restrictions, including restricting access to users who both have a required security clearance and satisfy additional criteria established to limit access to users believed to have a legitimate “need-to-know”, e.g., criteria indicated by “supplemental markings” such as “US citizens only” or “Western Europe Region only”.
Therefore, there is a need for an effective way to enforce mandatory and/or supplemental access control requirements with respect to a body of managed content.