HCP Tenant Management Help


Access control lists

An access control list (ACL) grants permissions to perform operations on an individual object to specified users or groups of users. An ACL can be specified as either XML or JSON. You add, replace, or delete an ACL in its entirety. You cannot modify it in place.

An ACL contains up to one thousand access control entries (ACEs). Each ACE specifies one user or one group of users and the permissions granted to that user or group. In the ACL body, an ACE is represented by the grant entry.

Note: This book uses the term entry to refer to an XML element and the equivalent JSON object and the term property for an XML attribute or the equivalent JSON name/value pair.

When you specify an ACL for an object, you can grant only the permissions you already have. That is, you cannot use an ACL to grant permissions that exceed your own.
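The limits described above (at most one thousand ACEs, one user or group per ACE, and no grant exceeding the caller's own permissions) can be checked on a JSON ACL body before it is sent. The following is an added example, not code from the HCP documentation. Only the `grant` entry name comes from this page; the `grantee`, `name`, `type` and `permissions` field names, the permission names and the sample users are assumptions.

```python
import json

MAX_ACES = 1000  # limit stated on this page


def check_acl(acl_json, caller_permissions):
    """Return a list of problems in a JSON ACL body; an empty list means it passed."""
    try:
        acl = json.loads(acl_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    grants = acl.get("grant") if isinstance(acl, dict) else None
    if not isinstance(grants, list):
        return ["ACL body has no list of grant entries"]
    problems = []
    if len(grants) > MAX_ACES:
        problems.append(f"{len(grants)} ACEs exceeds the limit of {MAX_ACES}")
    allowed = set(caller_permissions)
    for i, ace in enumerate(grants):
        if not isinstance(ace, dict):
            problems.append(f"grant[{i}]: not an object")
            continue
        # Assumed field names: "grantee" (with "name") and "permissions".
        grantee = ace.get("grantee")
        perms = ace.get("permissions")
        if not isinstance(grantee, dict) or not grantee.get("name"):
            problems.append(f"grant[{i}]: must name exactly one user or group")
        if (not isinstance(perms, list) or not perms
                or not all(isinstance(p, str) for p in perms)):
            problems.append(f"grant[{i}]: permissions must be a non-empty list of strings")
            continue
        # An ACL cannot grant permissions that exceed the caller's own.
        excess = sorted(set(perms) - allowed)
        if excess:
            problems.append(f"grant[{i}]: grants {excess}, which the caller does not hold")
    return problems


# Constructed sample ACL: users, groups and permission names are illustrative.
SAMPLE_ACL = json.dumps({"grant": [
    {"grantee": {"name": "alice", "type": "user"}, "permissions": ["READ"]},
    {"grantee": {"name": "auditors", "type": "group"}, "permissions": ["READ", "DELETE"]},
]})

if __name__ == "__main__":
    # The caller holds READ and WRITE only, so the DELETE grant is reported.
    for problem in check_acl(SAMPLE_ACL, {"READ", "WRITE"}):
        print(problem)
```

This is a client-side pre-check only; whether the namespace enforces the permissions in a stored ACL depends on the namespace configuration.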

To add, replace, or delete an ACL, you use the HTTP protocol.

With HTTP, you use a GET request to retrieve an ACL for an object. With WebDAV, CIFS, and NFS, you view the ACL for an object in the acl.xml metafile.

HCP provides two predefined ACLs that you can specify when storing an object:

all_read — Allows any user, authenticated or anonymous, to view and retrieve the object

auth_read — Allows any authenticated user to view and retrieve the object

For more information about specifying predefined ACLs, see Specifying metadata on object creation. For an example of storing an ACL on an object, see Example: Storing an ACL for an object.

The use of ACLs is enabled on a per-namespace basis. In namespaces where ACLs are enabled, the namespace can be configured to either enforce or ignore the permissions granted by ACLs. To find out the ACL settings for a namespace, contact your tenant administrator.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.