Setting the systemwide permission mask

A data access permission mask determines which of these operations are allowed in a namespace: read, write, delete, purge (delete all versions of an object), privileged delete (delete an object that’s under retention), and search. Data access permission masks are set at the system, tenant, and namespace levels:

  • The system-level mask applies across all namespaces (that is, systemwide).
  • The tenant-level mask is set individually for each tenant. This mask applies only to the namespaces owned by that tenant.
  • The namespace-level mask is set individually for each namespace and applies only to that namespace.

The effective permissions for a tenant are the operations allowed by both the system-level and tenant-level permission masks. That is, to be in effect for a tenant, a permission must be included in the system-level permission mask and in the tenant-level permission mask.

The effective permissions for a namespace are the operations that are allowed by the masks at all three levels. That is, to be in effect for a namespace, a permission must be included in the system-level permission mask, the tenant-level permission mask, and the namespace-level permission mask.

The following table shows an example of the effective permissions for a namespace given a set of data access permission masks.

Permission Mask | Permissions: Read | Write | Delete | Purge | Priv. delete | Search
Systemwide permission mask
Tenant permission mask
Namespace permission mask
Effective permission mask

What an individual user can do in a namespace is also limited by the permissions the user has from the applicable user or group accounts and, for HCP namespaces, the minimum data access permissions for the namespace.

The Permissions page in the HCP System Management Console lets you set the systemwide permission mask. You can change this mask at any time.

Tip: Before changing the systemwide permission mask, you should notify your tenant contacts.

To display the Permissions page, in the top-level menu of the System Management Console, select Security > Permissions.

To view the Permissions page, you need the monitor or administrator role. To set the systemwide permission mask, you need the administrator role.

Setting the systemwide permission mask for an HCP system

Before you begin

To view the Permissions page, you need the monitor or administrator role. To set the systemwide permission mask, you need the administrator role.

Procedure

  1. On the Permissions page, select the permissions you want to include in the systemwide permission mask:

    • Read

      Lets users:

      • Read and retrieve objects, including object metadata (system metadata, custom metadata, and ACLs)
      • List directory contents
      • View namespace information
    • Write

      Lets users:

      • Add objects to a namespace.
      • Modify system metadata. For the default namespace, this includes holding and releasing objects. For HCP namespaces, these operations also require privileged permission.
      • Add or replace custom metadata.
      • Add or replace ACLs.
      • Change object owners.
      • View namespace information
    • Delete

      Lets users:

      • Delete objects, custom metadata, and ACLs from a namespace
      • View namespace information
    • Purge

      Lets users:

      • Delete all versions of an object with a single operation. For users to perform purge operations, delete operations must also be allowed.
      • View namespace information.

      Selecting Purge automatically selects Delete.

    • Privileged

      Lets users:

      • Delete or purge objects that are under retention. For users to perform privileged delete operations, delete operations must also be allowed. For users to perform privileged purge operations, delete and purge operations must also be allowed.
      • Hold and release objects in HCP namespaces. For users to perform hold and release operations in these namespaces, write operations must also be allowed.
      • View namespace information.
    • Search

      Lets users use the HCP metadata query API and the HCP System Management Console to query or search namespaces. For users to query or search a namespace, read operations must also be allowed.

      Selecting Search automatically selects Read.

  2. Click Update Settings.
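The mask intersection and the prerequisite rules from the procedure above, worked through as an added example (not HCP code and not part of the original documentation). The `Perm` flags, the operation names and the sample masks are constructed for illustration; per-user account permissions and minimum data access permissions are not modeled.

```python
from enum import Flag

class Perm(Flag):
    READ = 1
    WRITE = 2
    DELETE = 4
    PURGE = 8
    PRIVILEGED = 16
    SEARCH = 32

# Operation -> permissions that must ALL be in the effective mask, following
# the prerequisites listed in the procedure (operation names are illustrative).
REQUIRES = {
    "read": Perm.READ,
    "write": Perm.WRITE,
    "delete": Perm.DELETE,
    "purge": Perm.PURGE | Perm.DELETE,
    "privileged delete": Perm.PRIVILEGED | Perm.DELETE,
    "privileged purge": Perm.PRIVILEGED | Perm.DELETE | Perm.PURGE,
    "hold/release (HCP namespace)": Perm.PRIVILEGED | Perm.WRITE,
    "search": Perm.SEARCH | Perm.READ,
}

def effective_mask(system, tenant, namespace):
    """A permission is in effect only if every level's mask includes it."""
    return system & tenant & namespace

def allowed_operations(mask):
    """Operations whose prerequisite permissions are all present in mask."""
    return [op for op, need in REQUIRES.items() if (mask & need) == need]

def dead_permissions(mask):
    """Permissions in mask that enable nothing because a prerequisite is missing."""
    used = 0
    for op in allowed_operations(mask):
        used |= REQUIRES[op].value
    return Perm(mask.value & ~used)

# Constructed sample masks (not the values from the page's table).
SYSTEM = (Perm.READ | Perm.WRITE | Perm.DELETE | Perm.PURGE
          | Perm.PRIVILEGED | Perm.SEARCH)
TENANT = Perm.READ | Perm.WRITE | Perm.DELETE | Perm.PRIVILEGED | Perm.SEARCH
NAMESPACE = Perm.READ | Perm.WRITE | Perm.PRIVILEGED | Perm.SEARCH

if __name__ == "__main__":
    eff = effective_mask(SYSTEM, TENANT, NAMESPACE)
    print("effective:", eff)
    print("allowed  :", allowed_operations(eff))
    print("dead     :", dead_permissions(eff))
```

With these sample masks, Privileged survives the intersection but only enables hold and release, because Delete is masked out at the namespace level.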

 
