Hitachi Vantara Knowledge

Setting the systemwide permission mask


A data access permission mask determines which of these operations are allowed in a namespace: read, write, delete, purge (delete all versions of an object), privileged delete (delete an object that’s under retention), and search. Data access permission masks are set at the system, tenant, and namespace levels:

- The system-level mask applies across all namespaces (that is, systemwide).
- The tenant-level mask is set individually for each tenant. This mask applies only to the namespaces owned by that tenant.
- The namespace-level mask is set individually for each namespace and applies only to that namespace.

The effective permissions for a tenant are the operations allowed by both the system-level and tenant-level permission masks. That is, to be in effect for a tenant, a permission must be included in the system-level permission mask and in the tenant-level permission mask.

The effective permissions for a namespace are the operations that are allowed by the masks at all three levels. That is, to be in effect for a namespace, a permission must be included in the system-level permission mask, the tenant-level permission mask, and the namespace-level permission mask.

The table below shows an example of the effective permissions for a namespace given a set of data access permission masks.

| Permission mask | Read | Write | Delete | Purge | Priv. delete | Search |
|---|---|---|---|---|---|---|
| Systemwide permission mask | | | | | | |
| Tenant permission mask | | | | | | |
| Namespace permission mask | | | | | | |
| Effective permission mask | | | | | | |

What an individual user can do in a namespace is also limited by the permissions the user has from the applicable user or group accounts and, for HCP namespaces, the minimum data access permissions for the namespace.

For information on system-level user and group accounts, see About user and group accounts. For more information on tenant-level user and group accounts and minimum data access permissions, see Managing a Tenant and Its Namespaces.

The Permissions page in the HCP System Management Console lets you set the systemwide permission mask. You can change this mask at any time.

Tip: Before changing the systemwide permission mask, you should notify your tenant contacts.

To display the Permissions page, in the top-level menu of the System Management Console, select Security > Permissions.

Roles: To view the Permissions page, you need the monitor or administrator role. To set the systemwide permission mask, you need the administrator role.

To set the systemwide permission mask for an HCP system:

1. On the Permissions page, select the permissions you want to include in the systemwide permission mask:

   - Read — Lets users:
     - Read and retrieve objects, including object metadata (system metadata, custom metadata, and ACLs)
     - List directory contents
     - View namespace information

   - Write — Lets users:
     - Add objects to a namespace.
     - Modify system metadata. For the default namespace, this includes holding and releasing objects. For HCP namespaces, these operations also require privileged permission.
     - Add or replace custom metadata.
     - Add or replace ACLs.
     - Change object owners.
     - View namespace information

   - Delete — Lets users:
     - Delete objects, custom metadata, and ACLs from a namespace
     - View namespace information

   - Purge — Lets users:
     - Delete all versions of an object with a single operation. For users to perform purge operations, delete operations must also be allowed.
     - View namespace information.

     Selecting Purge automatically selects Delete.

   - Privileged — Lets users:
     - Delete or purge objects that are under retention. For users to perform privileged delete operations, delete operations must also be allowed. For users to perform privileged purge operations, delete and purge operations must also be allowed.
     - Hold and release objects in HCP namespaces. For users to perform hold and release operations in these namespaces, write operations must also be allowed.
     - View namespace information.

   - Search — Lets users use the HCP metadata query API and the HCP Search Console to query or search namespaces. For users to query or search a namespace, read operations must also be allowed.

     Selecting Search automatically selects Read.

2. Click on Update Settings.
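
The mask intersection and the permission dependencies described above can be modeled to check, before changing a mask, which operations a namespace would lose and at which level. The following Python is an added example, not HCP code or part of the original documentation; the `Perm` flags, the `effective` and `audit` helpers, and the sample masks are constructed for illustration, and hold/release is modeled for HCP namespaces only.

```python
from enum import Flag, auto

class Perm(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    PURGE = auto()
    PRIVILEGED = auto()
    SEARCH = auto()

ALL = Perm.READ | Perm.WRITE | Perm.DELETE | Perm.PURGE | Perm.PRIVILEGED | Perm.SEARCH

# Operation -> permissions that must all be in effect, per the rules on this page.
REQUIRES = {
    "read": Perm.READ,
    "write": Perm.WRITE,
    "delete": Perm.DELETE,
    "purge": Perm.PURGE | Perm.DELETE,
    "privileged delete": Perm.PRIVILEGED | Perm.DELETE,
    "privileged purge": Perm.PRIVILEGED | Perm.DELETE | Perm.PURGE,
    "hold/release (HCP namespace)": Perm.PRIVILEGED | Perm.WRITE,
    "search": Perm.SEARCH | Perm.READ,
}

def effective(system, tenant, namespace):
    """A permission is in effect only if the mask at every level includes it."""
    return system & tenant & namespace

def audit(system, tenant, namespace):
    """Map each operation to the (level, missing permissions) pairs blocking it.

    An empty list means the masks allow the operation."""
    levels = {"system": system, "tenant": tenant, "namespace": namespace}
    report = {}
    for op, needed in REQUIRES.items():
        report[op] = [
            (level, sorted(p.name for p in Perm if p in (needed & ~mask)))
            for level, mask in levels.items()
            if needed & ~mask
        ]
    return report

# Constructed sample masks (not taken from the page's table).
SYSTEM = ALL
TENANT = ALL & ~Perm.PRIVILEGED
NAMESPACE = ALL & ~Perm.PURGE

if __name__ == "__main__":
    print("effective:", effective(SYSTEM, TENANT, NAMESPACE))
    for op, blockers in audit(SYSTEM, TENANT, NAMESPACE).items():
        print(f"{op:30} {'allowed' if not blockers else blockers}")
```

The masks only bound what is possible; a user's own account permissions and, for HCP namespaces, the minimum data access permissions still apply on top of the result.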

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.