Minimum data access permissions
The configuration of a namespace can include minimum data access permissions for all users (that is, authenticated users and users that access the namespace anonymously) and for authenticated users only. When accessing the namespace:
- Authenticated users have all the data access permissions associated with the applicable user account or group accounts and all the minimum data access permissions for authenticated users. Additionally:
- When using a protocol that requires authentication, authenticated users may or may not also have the minimum data access permissions for all users. This is determined by a namespace option that’s intended to support the following scenario:
- Data can be written to the namespace only from within a secured environment and only from a limited number of client computers through a protocol such as NFS that does not support authentication. This requires write permission for all users.
- Objects can be accessed from outside the secured environment but only through a protocol that requires authentication. This requires read permission but not write permission for authenticated users.
- When using a protocol that does not require authentication, authenticated users also have the all minimum data access permissions for all users.
Authenticated users also have any object-specific permissions granted to them by object ACLs.
- When using a protocol that requires authentication, authenticated users may or may not also have the minimum data access permissions for all users. This is determined by a namespace option that’s intended to support the following scenario:
- Unauthenticated users (that is, users who access the namespace anonymously) have the minimum data access permissions for all users and any object-specific permissions granted to all users by object ACLs.
If you don’t set any minimum data access permissions for all users, the only operations unauthenticated users can perform in the namespace are those for which they are granted permission by ACLs.
For both all users and authenticated users, the set of minimum data access permissions can include only these permissions:
Browse
Lets users list directory contents.
Read
Lets users:
- View and retrieve objects, including system metadata and custom metadata for objects
- View and retrieve previous versions of objects
- Check the existence of objects
- List annotations for objects
For this permission to be granted, users must also have browse permission.
Read ACL
Lets users view and retrieve object ACLs.
Write
Lets users:
- Add objects to the namespace
- Modify system metadata (except retention hold)
- Add or replace custom metadata
Write ACL
Lets users add, replace, and delete object ACLs.
Delete
Lets users delete objects, and custom metadata, and ACLs from the namespace.
Purge
Lets users delete all versions of an object with a single operation. For this permission to be granted, users must also have delete permission.
Users with any data access permissions for a namespace can view information about that namespace.
When you create a namespace, the set of minimum data access permissions is empty for both all users and authenticated users. You can modify these sets at any time.