A namespace can be configured to allow users to associate ACLs with objects. An ACL consists of access control entries. Each access control entry grants a user or group of users (the grantee) one or more data access permissions for the applicable object.
The permissions that can be included in an access control entry are:
Lets the grantee read and retrieve the object, including the system metadata and any custom metadata for the object, and list annotations for the object.
To read or retrieve the object through CIFS or NFS, the grantee must also have browse permission.
Lets the grantee read and retrieve the object ACL.
Lets the grantee modify system metadata and add and replace custom metadata for the object.
Lets the grantee add, replace, or delete the object ACL.
Lets the grantee delete or purge the object and delete the object ACL.
When you create a namespace, the use of ACLs is disabled. You can enable this feature for the namespace at any time. However, once this feature is enabled, you cannot disable it.
Users can add and replace ACLs only with the HTTP protocol. Therefore, if you enable the use of ACLs for a namespace, you should also enable that protocol.
While the use of ACLs is enabled for a namespace, you can specify whether HCP should enforce ACLs in that namespace. While HCP is enforcing ACLs, the operations that a given user can perform on a given object are those permitted by any of:
- The data access permissions associated with the applicable user account or group accounts
- The applicable minimum data access permissions specified in the namespace configuration
- The object ACL
When not enforcing ACLs, HCP allows only the operations permitted by the first two items above.
You can change the specification of whether HCP should enforce ACLs at any time while the use of ACLs is enabled.