The following tables list the HCP for cloud scale permissions available for system roles. The words Yes and No indicate whether or not the permission is assigned for a default role.
The set permissions override corresponding get permissions. That is, if a user has permission to set (configure) a function, the user is also granted permission to get (view) the function.
Chargeback Reporting | ||
---|---|---|
Permission name | Description | Default admin role permission? |
chargeback:system:get_report | Generate chargeback report for any bucket | Yes |
chargeback:user:get_report | Generate chargeback report for the user's buckets | Yes |
Data Service | ||
---|---|---|
Permission name | Description | Default admin role permission? |
data:bucket:encryption:get | Execute S3 API GET bucket object encryption rules | Yes |
data:bucket:encryption:set | Execute S3 API PUT bucket object or DEL bucket object encryption rules. Note: Does not govern use of --x-amz-Server-side-encryption=AES256 | Yes |
data:bucket:expirationlifecycle:get | View bucket expiration lifecycle policy configuration | Yes |
data:bucket:expirationlifecycle:set | Configure bucket expiration lifecycle policy | Yes |
data:bucket:notification:get | View bucket notification configuration | Yes |
data:bucket:notification:set | Configure bucket notification | Yes |
data:bucket:objectlock:get | View bucket object lock policy configuration | Yes |
data:bucket:objectlock:set | Configure bucket object lock policy | Yes |
data:bucket:sync:from:set | Create bucket sync-from rules for buckets the user owns or has access to | Yes |
data:bucket:sync:get | View bucket sync-from and sync-to rules for buckets the user owns or has access to | Yes |
data:bucket:sync:to:set | Create bucket sync-to rules for buckets the user owns or has access to | Yes |
KMIP | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:kmip:add_server | Configure an external KMIP server | Yes |
mapi:kmip:add_server | Remove configuration of an individual external KMIP server | Yes |
mapi:kmip:get_server | Get information about an individual external KMIP server | Yes |
mapi:kmip:list_servers | Get information about configured KMIP servers | Yes |
mapi:kmip:update_server | Update the configuration of an external KMIP server | Yes |
License | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:license:add | Add licensed feature | Yes |
mapi:license:list | List all licensed features | Yes |
MAPI Alerts | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:alert:list | List all active alerts | Yes |
MAPI S3 Settings | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:s3_settings:get | Read S3 settings | Yes |
mapi:s3_settings:set | Modify S3 settings | Yes |
MAPI Storage Component | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:storage_component:activate | Activate a storage component | Yes |
mapi:storage_component:get_capacity | Get storage component capacity | Yes |
mapi:storage_component:create | Create a storage component | Yes |
mapi:storage_component:list | List storage component(s) | Yes |
mapi:storage_component:test | Test a storage component | Yes |
mapi:storage_component:update | Modify a storage component | Yes |
mapi:storage_component:update_state | Modify state of a storage component | Yes |
MAPI Stored Objects | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:client_object:lookup | List stored objects | Yes |
MAPI System | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:certificates:refresh | Refresh SSL certificates | |
mapi:system:info | List system information | Yes |
MAPI User | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:user:list | List existing users | Yes |
mapi:user:list_buckets | List user's buckets | Yes |
mapi:user:revoke_credentials | Revoke S3 credentials | Yes |
mapi:user:revoke_tokens | Revoke OAuth tokens | Yes |
S3 Encryption Setting | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:s3_encryption:get | Read S3 encryption settings | Yes |
mapi:s3_encryption:set | Enable global encryption | Yes |
mapi:s3_encryption:unseal | Unseal KMS service | Yes |
S3 User | ||
---|---|---|
Permission name | Description | Default admin role permission? |
s3:user:generate_credentials | Generate S3 credentials | Yes |
Serial Number | ||
---|---|---|
Permission name | Description | Default admin role permission? |
mapi:serial_number:get | Read serial number | Yes |
mapi:serial_number:set | Modify serial number | Yes |