To implement access control markings, you must configure them both in the file plan hierarchy and for users. You must assign users or groups the appropriate privileges to allow them to interact with access control markings.
After creating an access control marking in a picklist, you will be able to grant any user or group the Apply privilege and the Access privilege for the marking. The Apply privilege allows a user to assign the marking to any instance of any type which has that marking available for use. If the user lacks the Apply privilege for any markings that are available for use with a type, those markings will appear in gray text in the Markings list, and cannot be assigned to any instances of that type. Record administrators will be granted this privilege more often than regular users.
The Access privilege enables the user to see and to interact with instances in the system that have that marking. Users must have the Access privilege for each marking assigned to an instance to detect the instance. The Access privilege is usually associated with regular users who have specific levels of clearance.
As with standard privilege assignment, user-level privileges take higher priority in the system than group-level privileges. For instance, if a group is denied the Access privilege for a marking and one user in the group has been granted the Access privilege for that marking, then that user will be able to detect items with that marking while the rest of the users in that group will not.