Setting the systemwide permission mask
A data access permission mask determines which of these operations are allowed in a namespace: read, write, delete, purge (delete all versions of an object), privileged delete (delete an object that’s under retention), and search. Data access permission masks are set at the system, tenant, and namespace levels:
- The system-level mask applies across all namespaces (that is, systemwide).
- The tenant-level mask is set individually for each tenant. This mask applies only to the namespaces owned by that tenant.
- The namespace-level mask is set individually for each namespace and applies only to that namespace.
The effective permissions for a tenant are the operations allowed by both the system-level and tenant-level permission masks. That is, to be in effect for a tenant, a permission must be included in the system-level permission mask and in the tenant-level permission mask.
The effective permissions for a namespace are the operations that are allowed by the masks at all three levels. That is, to be in effect for a namespace, a permission must be included in the system-level permission mask, the tenant-level permission mask, and the namespace-level permission mask.
The following table shows an example of the effective permissions for a namespace given a set of data access permission masks.
Permission Mask | Permissions | |||||
Read | Write | Delete | Purge | Priv. delete | Search | |
Systemwide permission mask | ✓ | ✓ | ✓ | ✓ | ✓ | |
Tenant permission mask | ✓ | ✓ | ✓ | ✓ | ✓ | |
Namespace permission mask | ✓ | ✓ | ✓ | ✓ | ✓ | |
Effective permission mask | ✓ | ✓ | ✓ |
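The rule above, that a permission is in effect only when every applicable level includes it, is shown here as an added example; it is not HCP code and not part of the original documentation. The bit values, function names, and the three sample masks are constructed for illustration and are not taken from the table or from HCP. The blocked_by helper reports which level removes each permission, which is useful when auditing why an operation is denied.

```python
from enum import IntFlag


class Perm(IntFlag):
    # Bit values are an assumption made for this example, not HCP's encoding.
    READ = 1
    WRITE = 2
    DELETE = 4
    PURGE = 8
    PRIVILEGED_DELETE = 16
    SEARCH = 32


def effective_tenant(system, tenant):
    """A tenant's effective permissions: in both the system and tenant masks."""
    return system & tenant


def effective_namespace(system, tenant, namespace):
    """A namespace's effective permissions: in the masks at all three levels."""
    return system & tenant & namespace


def blocked_by(system, tenant, namespace):
    """Map each permission not in effect to the level(s) whose mask omits it."""
    levels = {"system": system, "tenant": tenant, "namespace": namespace}
    report = {}
    for perm in Perm:
        missing = [name for name, mask in levels.items() if not mask & perm]
        if missing:
            report[perm.name] = missing
    return report


# Constructed sample masks: each level omits one different permission.
_ALL = (Perm.READ | Perm.WRITE | Perm.DELETE | Perm.PURGE
        | Perm.PRIVILEGED_DELETE | Perm.SEARCH)
SYSTEM = _ALL & ~Perm.PRIVILEGED_DELETE
TENANT = _ALL & ~Perm.PURGE
NAMESPACE = _ALL & ~Perm.SEARCH

if __name__ == "__main__":
    eff = effective_namespace(SYSTEM, TENANT, NAMESPACE)
    print("effective:", [p.name for p in Perm if eff & p])
    for perm_name, levels in blocked_by(SYSTEM, TENANT, NAMESPACE).items():
        print(f"{perm_name} is removed by: {', '.join(levels)}")
```
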
What an individual user can do in a namespace is also limited by the permissions the user has from the applicable user or group accounts and, for HCP namespaces, the minimum data access permissions for the namespace.
The Permissions page in the HCP System Management Console lets you set the systemwide permission mask. You can change this mask at any time.
To display the Permissions page, in the top-level menu of the System Management Console, select .
To view the Permissions page, you need the monitor or administrator role. To set the systemwide permission mask, you need the administrator role.