Permissions

To access a namespace and take action in it, clients must have the necessary permissions. The list below describes the possible permissions and the operations they allow.

  • Browse

    • List directory contents.
    • Check for directory existence.

  • Read

    • Retrieve objects and system metadata.
    • Check for object existence.
    • List annotations.
    • Check for and retrieve annotations.

    Read operations also require browse permission.

  • Read ACL

    Check for and retrieve ACLs.

  • Write

    • Store objects.
    • Create directories.
    • Modify system metadata.
    • Add and replace annotations.

  • Write ACL

    Add, replace, and delete ACLs.

  • Delete

    Delete objects, empty directories, annotations, and ACLs.

  • Purge

    Delete objects and their old versions (also requires delete permission).

  • Privileged

    • Delete or purge objects regardless of retention (also requires delete or purge permissions).
    • Place objects on hold or release objects from hold (also requires write permission).

  • Change owner

    Change object owners.

  • Search

    Search for objects (also requires browse and read permissions).

Note: When using the CIFS protocol with a Windows client, you need both read and write permissions to store objects.

Data access permission mask

The operations allowed in a namespace are determined by a data access permission mask for the namespace. Data access permission masks are set at the system, tenant, and namespace levels.

The effective permissions for a namespace are the operations that are allowed by the mask at all three levels. That is, to be in effect for a namespace, a permission must be included in the system-level permission mask, the tenant-level permission mask, and the namespace-level permission mask.

User permissions

To perform an operation in a namespace, the operation must be allowed by the effective permission mask and by your user permissions. The permissions for what you can do in a namespace come from your user account (if you’re an authenticated user), the namespace configuration, and, for individual objects, the object ACL.

Note: ACLs are enabled on a per-namespace basis. In namespaces where ACLs are enabled, the namespace can be configured to either enforce or ignore the permissions granted by ACLs. To find out the ACL settings for a namespace, contact your tenant administrator.
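
The following added example (not product code and not the product's API) models the rules above: the effective mask is the intersection of the system, tenant, and namespace masks, and an operation needs every permission it depends on, including the "also requires" prerequisites. The operation names, the set-based data model, the assumption that each prerequisite must pass both the mask and the user check, and the sample configuration are all constructed for illustration; user permissions are passed in as one already-assembled set.

```python
# Added illustration: permission names follow the list on this page; the
# operation names and the set-based data model are assumptions.
ALL = frozenset({"browse", "read", "read_acl", "write", "write_acl",
                 "delete", "purge", "privileged", "change_owner", "search"})

# Permissions each operation needs, including the "also requires" prerequisites.
REQUIRES = {
    "list_directory":  {"browse"},
    "retrieve_object": {"read", "browse"},
    "store_object":    {"write"},
    "delete_object":   {"delete"},
    "purge_object":    {"purge", "delete"},
    "hold_object":     {"privileged", "write"},
    "search_objects":  {"search", "browse", "read"},
}

def effective_mask(system, tenant, namespace):
    """A permission is in effect only if all three levels include it."""
    return set(system) & set(tenant) & set(namespace)

def evaluate(operation, system, tenant, namespace, user):
    """Return (allowed, blocked_by_mask, missing_for_user) for one operation."""
    required = REQUIRES[operation]
    blocked = sorted(required - effective_mask(system, tenant, namespace))
    missing = sorted(required - set(user))
    return (not blocked and not missing, blocked, missing)

# Constructed sample configuration: the tenant mask drops purge and the
# namespace mask drops privileged, so neither is in effect.
SYSTEM = ALL
TENANT = ALL - {"purge"}
NAMESPACE = ALL - {"privileged"}
USER = {"browse", "read", "write", "delete", "purge", "search"}

if __name__ == "__main__":
    for op in REQUIRES:
        allowed, blocked, missing = evaluate(op, SYSTEM, TENANT, NAMESPACE, USER)
        print(f"{op:16} allowed={allowed} mask_blocks={blocked} user_lacks={missing}")
```

Reporting the mask gap separately from the user gap shows whether a denied operation needs a mask change at some level or a change to the user's permissions.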