I have a resource (dataset, etc.) marked with a specific marking. I will package it via devops in a marketplace product. This product will then get installed in another project. What happens with the markings ? Will they be used as inputs ? Removed ? Conserved ? What if I want the same marking on installation ? Another one ?
When you package a resource (dataset, repo, etc.) into a Marketplace product, the markings (security tags) on that resource are NOT automatically preserved in the packaged product or installation. Instead, the marking is effectively “removed” during packaging and installation, unless you take explicit steps to re-apply or parameterize it.
From a security standpoint, packaging and installation is equivalent to “moving resources”.
- During packaging, the markings on the dataset are removed. This requires the user to have the permission to “declassify” on the markings, unless the store is also marked with the same markings.
- During installation, the markings on the store are removed. This also requires “declassify” on the markings, unless the install location is also marked with the same markings.
If you don’t have enough permissions, you will see errors like “NotAuthorizedToDeclassify”.
For some resource types (e.g. transforms with stop_propagating/stop_requiring), Marketplace will surface marking inputs during installation, and you can map them to markings on the target stack.
For resources where marketplace does not surface the marking as an input at install time. You must manually re-apply the marking after installation. Upgrades won’t remove manually applied markings.