Hitachi Vantara Knowledge

Access control lists

A namespace can be configured to allow users to associate ACLs with objects. An ACL consists of access control entries. Each access control entry grants a user or group of users (the grantee) one or more data access permissions for the applicable object.

ACL permissions

The permissions that can be included in an access control entry are:

  • Read

    Lets the grantee read and retrieve the object, including the system metadata and any custom metadata for the object, and list annotations for the object.

    To read or retrieve the object through CIFS or NFS, the grantee must also have browse permission.

  • Read ACL

    Lets the grantee read and retrieve the object ACL.

  • Write

    Lets the grantee modify system metadata and add and replace custom metadata for the object.

  • Write ACL

    Lets the grantee add, replace, or delete the object ACL.

  • Delete

    Lets the grantee delete or purge the object and delete the object ACL.

Use of ACLs

When you create a namespace, the use of ACLs is disabled. You can enable this feature for the namespace at any time. However, once this feature is enabled, you cannot disable it.

Users can add and replace ACLs only with the HTTP protocol. Therefore, if you enable the use of ACLs for a namespace, you should also enable that protocol.

Enforcing ACLs

While the use of ACLs is enabled for a namespace, you can specify whether HCP should enforce ACLs in that namespace. While HCP is enforcing ACLs, the operations that a given user can perform on a given object are those permitted by any of:

  • The data access permissions associated with the applicable user account or group accounts
  • The applicable minimum data access permissions specified in the namespace configuration
  • The object ACL

When not enforcing ACLs, HCP allows only the operations permitted by the first two items above.

You can change the specification of whether HCP should enforce ACLs at any time while the use of ACLs is enabled.
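The evaluation rule above can be modeled to see which operations a user gains when enforcement is switched on. This is an added example, not HCP code: the operation names, permission strings, users, group and ACL are assumptions made for illustration, and it treats browse as obtainable only from account or namespace permissions because browse is not among the ACL permissions listed above.

```python
# Added illustration: a model of the rule described on this page, not HCP code.
from dataclasses import dataclass
ACL_PERMS = {"read", "read_acl", "write", "write_acl", "delete"}

# Operation -> alternative permission sets that allow it, as read from this page.
REQUIRED = {
    "retrieve_http": [{"read"}],
    "retrieve_cifs_nfs": [{"read", "browse"}],  # browse is also required
    "read_acl": [{"read_acl"}],
    "modify_metadata": [{"write"}],
    "replace_acl": [{"write_acl"}],
    "delete_acl": [{"write_acl"}, {"delete"}],
    "delete_object": [{"delete"}],
}

@dataclass
class Subject:
    name: str
    groups: set
    account_perms: set  # permissions from the user account and its group accounts

def acl_grants(subject, acl):
    """Union of ACL entries whose grantee is the user or one of the user's groups."""
    granted = set()
    for grantee, perms in acl:
        if grantee == subject.name or grantee in subject.groups:
            granted |= set(perms) & ACL_PERMS  # browse cannot come from an ACL
    return granted

def effective(subject, ns_minimum, acl, enforce):
    perms = set(subject.account_perms) | set(ns_minimum)
    return perms | acl_grants(subject, acl) if enforce else perms

def allowed(op, perms):
    return any(req <= perms for req in REQUIRED[op])

def enforcement_delta(subject, ns_minimum, acl):
    """Operations that become possible only once ACL enforcement is turned on."""
    off = effective(subject, ns_minimum, acl, enforce=False)
    on = effective(subject, ns_minimum, acl, enforce=True)
    return sorted(op for op in REQUIRED if allowed(op, on) and not allowed(op, off))

# Constructed sample data (hypothetical users, group and ACL).
ACL = [("auditors", {"read"}), ("alice", {"read_acl"}), ("bob", {"delete"})]
alice = Subject("alice", {"auditors"}, {"browse"})
carol = Subject("carol", {"auditors"}, set())
if __name__ == "__main__":
    for s in (alice, carol):
        print(s.name, enforcement_delta(s, set(), ACL))
```

Because the three sources are combined by union, an ACL entry can only widen what a user may do, so reviewing this delta before turning enforcement on shows which grants made by object owners will take effect.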

 
