Minimum data access permissions

The configuration of a namespace can include minimum data access permissions for all users (that is, authenticated users and users that access the namespace anonymously) and for authenticated users only. When accessing the namespace:

- Authenticated users have all the data access permissions associated with the applicable user account or group accounts and all the minimum data access permissions for authenticated users. Additionally:

  - When using a protocol that requires authentication, authenticated users may or may not also have the minimum data access permissions for all users. This is determined by a namespace option that’s intended to support the following scenario:

    - Data can be written to the namespace only from within a secured environment and only from a limited number of client computers through a protocol such as NFS that does not support authentication. This requires write permission for all users.

    - Objects can be accessed from outside the secured environment but only through a protocol that requires authentication. This requires read permission but not write permission for authenticated users.

  - When using a protocol that does not require authentication, authenticated users also have all the minimum data access permissions for all users.

  Authenticated users also have any object-specific permissions granted to them by object ACLs (see Access control lists).

- Unauthenticated users (that is, users who access the namespace anonymously) have the minimum data access permissions for all users and any object-specific permissions granted to all users by object ACLs (see Access control lists).

If you don’t set any minimum data access permissions for all users, the only operations unauthenticated users can perform in the namespace are those for which they are granted permission by ACLs.

Tip: If you enable only namespace access protocols that don’t support authentication, consider setting at least one minimum data access permission for all users.

For both all users and authenticated users, the set of minimum data access permissions can include only these permissions:

- Browse — Lets users list directory contents.

- Read — Lets users:

  - View and retrieve objects, including system metadata and custom metadata for objects

  - View and retrieve previous versions of objects

  - Check the existence of objects

  - List annotations for objects

  For this permission to be granted, users must also have browse permission.

- Read ACL — Lets users view and retrieve object ACLs.

- Write — Lets users:

  - Add objects to the namespace

  - Modify system metadata (except retention hold)

  - Add or replace custom metadata

- Write ACL — Lets users add, replace, and delete object ACLs.

- Delete — Lets users delete objects, custom metadata, and ACLs from the namespace.

- Purge — Lets users delete all versions of an object with a single operation. For this permission to be granted, users must also have delete permission.

Users with any data access permissions for a namespace can view information about that namespace.

Note: To store an object with CIFS on a Windows client, a user must have both read and write permissions.

When you create a namespace, the set of minimum data access permissions is empty for both all users and authenticated users. You can modify these sets at any time.
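The rules in this section, as an added Python model that is not part of the HCP documentation: it combines the minimum permission sets, account permissions and ACL grants the way the text describes, and drops a read or purge permission whose prerequisite (browse or delete) is missing. The option name auth_users_get_all_users_minimums is assumed, since the page describes the namespace option but does not name it; the lowercase permission names are likewise a convention of the example.

```python
"""Effective data access permissions in an HCP namespace, modelled from the rules above."""
from dataclasses import dataclass
from typing import FrozenSet

# The only permissions a minimum data access permission set may contain.
PERMISSIONS = frozenset({"browse", "read", "read_acl", "write", "write_acl", "delete", "purge"})
# Prerequisites stated in the permission list: read needs browse, purge needs delete.
REQUIRES = {"read": "browse", "purge": "delete"}


@dataclass(frozen=True)
class Namespace:
    # Both minimum sets are empty when a namespace is created.
    min_all_users: FrozenSet[str] = frozenset()
    min_authenticated: FrozenSet[str] = frozenset()
    # Hypothetical name for the namespace option that decides whether authenticated
    # users on an authenticating protocol also receive the all-users minimums.
    auth_users_get_all_users_minimums: bool = False

    def __post_init__(self):
        # The minimum sets can include only the permissions listed above.
        assert self.min_all_users | self.min_authenticated <= PERMISSIONS


def effective_permissions(ns, authenticated, protocol_authenticates,
                          account_perms=frozenset(), acl_perms=frozenset()):
    """Permissions a request actually has; account_perms come from the user and
    group accounts, acl_perms from the object ACL (for this user or for all users)."""
    granted = set(acl_perms)
    if authenticated:
        granted |= ns.min_authenticated | account_perms
        if not protocol_authenticates or ns.auth_users_get_all_users_minimums:
            granted |= ns.min_all_users
    else:
        # Anonymous access: only the all-users minimums plus what ACLs grant all users.
        granted |= ns.min_all_users
    # A dependent permission is not effective without its prerequisite.
    for perm, prerequisite in REQUIRES.items():
        if perm in granted and prerequisite not in granted:
            granted.discard(perm)
    return frozenset(granted)


# The scenario from the text: unauthenticated NFS writes from inside the secured
# environment, authenticated read-only access from outside (constructed example).
SCENARIO = Namespace(min_all_users=frozenset({"browse", "write"}),
                     min_authenticated=frozenset({"browse", "read"}))

if __name__ == "__main__":
    print(sorted(effective_permissions(SCENARIO, True, True)))    # ['browse', 'read']
    print(sorted(effective_permissions(SCENARIO, True, False)))   # ['browse', 'read', 'write']
    print(sorted(effective_permissions(SCENARIO, False, False)))  # ['browse', 'write']
```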

For information on:

- Changing minimum data access permissions, see Changing minimum data access permissions

- User and group accounts, their associated data access permissions, and user authentication, see About user and group accounts

- Authenticated and anonymous access to namespaces, see Using a Namespace

© 2015 Hitachi Data Systems Corporation. All rights reserved.