Permissions

To access a namespace and take action in it, clients must have the necessary permissions. The table below describes the possible permissions and the operations they allow.

| Permission | Operations |
|---|---|
| Browse | List directory contents. Check for directory existence. |
| Read | Retrieve objects and system metadata. Check for object existence. List annotations. Check for and retrieve annotations. |
| Read ACL | Check for and retrieve ACLs. |
| Write | Store objects. Create directories. Modify system metadata. Add and replace annotations. |
| Write ACL | Add, replace, and delete ACLs. |
| Delete | Delete objects, empty directories, annotations, and ACLs. |
| Purge | Delete objects and their old versions. |
| Privileged | Delete or purge objects regardless of retention. Place objects on hold or release objects from hold. |
| Change owner | Change object owners. |
| Search | Search for objects. For information on searching for objects, see HCP Metadata Query API Reference and Searching Namespaces. |

Some operations require multiple permissions. For example, to place an object on hold or release an object from hold, you need to have both write and privileged permissions. Similarly, to perform a privileged purge, you need delete, privileged, and purge permissions.

Note: When using the CIFS protocol with a Windows client, you need both read and write permissions to store objects.

Data access permission mask

The operations allowed in a namespace are determined by a data access permission mask for the namespace. Data access permission masks are set at the system, tenant, and namespace levels.

The effective permissions for a namespace are the operations that are allowed by the mask at all three levels. That is, to be in effect for a namespace, a permission must be included in the system-level permission mask, the tenant-level permission mask, and the namespace-level permission mask.

User permissions

To perform an operation in a namespace, the operation must be allowed by the effective permission mask and by your user permissions. The permissions for what you can do in a namespace come from your user account (if you’re an authenticated user), the namespace configuration, and, for individual objects, the object ACL.

For information on the permissions that can be granted by an ACL, see ACL permissions.

Note: ACLs are enabled on a per-namespace basis. In namespaces where ACLs are enabled, the namespace can be configured to either enforce or ignore the permissions granted by ACLs. To find out the ACL settings for a namespace, contact your tenant administrator.
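The following added example (not HCP code and not part of the original documentation) models the rules above to audit why an operation would be denied: it intersects the system, tenant, and namespace masks and reports which level, or the user's own permissions, withholds each required permission. The operation names and sample masks are hypothetical, and the user's permissions are assumed to be passed in already resolved from the account, namespace configuration, and any enforced ACL.

```python
from enum import Flag, auto
from functools import reduce
from operator import or_


class Perm(Flag):  # one bit per permission in the table above
    BROWSE = auto()
    READ = auto()
    READ_ACL = auto()
    WRITE = auto()
    WRITE_ACL = auto()
    DELETE = auto()
    PURGE = auto()
    PRIVILEGED = auto()
    CHANGE_OWNER = auto()
    SEARCH = auto()


ALL = reduce(or_, Perm)

# Operation names are hypothetical; the required permissions are the page's.
REQUIRED = {
    "list_directory": Perm.BROWSE,
    "store_object": Perm.WRITE,
    "store_object_cifs_windows": Perm.READ | Perm.WRITE,
    "place_hold": Perm.WRITE | Perm.PRIVILEGED,
    "privileged_purge": Perm.DELETE | Perm.PRIVILEGED | Perm.PURGE,
}


def effective_mask(masks):
    """A permission is in effect only if every level's mask includes it."""
    return reduce(lambda a, b: a & b, masks.values())


def explain_denial(operation, masks, user):
    """Map each missing permission to the levels (or 'user') that withhold it."""
    denied = {}
    for perm in Perm:
        if perm not in REQUIRED[operation]:
            continue
        blockers = [level for level, mask in masks.items() if perm not in mask]
        if perm not in user:
            blockers.append("user")
        if blockers:
            denied[perm.name] = blockers
    return denied  # an empty dict means the operation is allowed


# Constructed sample configuration, not taken from a real system.
MASKS = {"system": ALL, "tenant": ALL & ~Perm.PURGE, "namespace": ALL & ~Perm.PRIVILEGED}
USER = Perm.WRITE | Perm.DELETE | Perm.PURGE
```

With the sample values, a privileged purge is blocked at two different levels even though the user holds purge permission, which is the kind of result that is hard to see by inspecting one mask at a time.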


© 2015 Hitachi Data Systems Corporation. All rights reserved.