Access control lists

A namespace can be configured to allow users to associate ACLs with objects. An ACL consists of access control entries. Each access control entry grants a user or group of users (the grantee) one or more data access permissions for the applicable object.

ACL permissions

The permissions that can be included in an access control entry are:

Read — Lets the grantee read and retrieve the object, including the system metadata and any custom metadata for the object, and list annotations for the object.

To read or retrieve the object through CIFS or NFS, the grantee must also have browse permission.

Read ACL — Lets the grantee read and retrieve the object ACL.

Write — Lets the grantee modify system metadata and add and replace custom metadata for the object.

Write ACL — Lets the grantee add, replace, or delete the object ACL.

Delete — Lets the grantee delete or purge the object and delete the object ACL.

For information on working with ACLs, see Using a Namespace.

Use of ACLs

When you create a namespace, the use of ACLs is disabled. You can enable this feature for the namespace at any time. However, once this feature is enabled, you cannot disable it.

Users can add and replace ACLs only with the HTTP protocol. Therefore, if you enable the use of ACLs for a namespace, you should also enable that protocol.

For information on enabling the use of ACLs, see Enabling the use of ACLs.

Enforcing ACLs

While the use of ACLs is enabled for a namespace, you can specify whether HCP should enforce ACLs in that namespace. While HCP is enforcing ACLs, the operations that a given user can perform on a given object are those permitted by any of:

The data access permissions associated with the applicable user account or group accounts

The applicable minimum data access permissions specified in the namespace configuration

The object ACL

When not enforcing ACLs, HCP allows only the operations permitted by the first two items above.

You can change the specification of whether HCP should enforce ACLs at any time while the use of ACLs is enabled.
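The evaluation rule above, as an added illustration that is not part of this HCP documentation: a small Python model of how the three permission sources combine, with the CIFS/NFS browse requirement and the HTTP-only ACL modification rule from earlier on this page folded in. The NamespaceConfig and Principal types, the dict-shaped ACL and the permission name strings are assumptions of the model, not HCP APIs.

```python
from dataclasses import dataclass

# Constructed model, not an HCP API. Permission names follow this page;
# "browse" is the account-level permission that CIFS/NFS reads also need.


@dataclass(frozen=True)
class NamespaceConfig:
    acls_enabled: bool = False          # "Use of ACLs" (cannot be turned off again)
    enforce_acls: bool = False          # "Enforcing ACLs"
    minimum_permissions: frozenset = frozenset()


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    account_permissions: frozenset = frozenset()  # user + group accounts combined


def effective_permissions(ns, principal, object_acl):
    """Union of the sources the page lists. The object ACL is consulted only
    while enforcement is on, and it can only add permissions, never remove them."""
    allowed = set(principal.account_permissions) | set(ns.minimum_permissions)
    if ns.acls_enabled and ns.enforce_acls:
        for grantee, perms in object_acl.items():  # ACL: grantee -> permissions
            if grantee == principal.name or grantee in principal.groups:
                allowed |= set(perms)
    return frozenset(allowed)


def can(ns, principal, object_acl, operation, protocol="http"):
    """Whether a data operation is allowed, applying the CIFS/NFS browse rule."""
    perms = effective_permissions(ns, principal, object_acl)
    if operation == "read" and protocol in ("cifs", "nfs"):
        return "read" in perms and "browse" in perms
    return operation in perms


def can_change_acl(ns, principal, object_acl, protocol="http"):
    """Adding or replacing an ACL needs the feature enabled, HTTP, and Write ACL."""
    if not ns.acls_enabled or protocol != "http":
        return False
    return "write_acl" in effective_permissions(ns, principal, object_acl)
```

The point worth checking in the model is that turning enforcement on can only widen what a user may do; an ACL that grants nothing leaves the account and namespace-minimum permissions untouched.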

More information

For more information on:

Specifying whether HCP enforces ACLs, see Changing the option to enforce ACLs

User and group accounts and their associated data access permissions, see About user and group accounts

Minimum data access permissions, see Minimum data access permissions

Trademarks and Legal Disclaimer

© 2016 Hitachi Data Systems Corporation. All rights reserved.