Permissions

Content Platform for Cloud Scale Administration Guide

Version: 2.6.x
Part Number: MK-HCPCS008-11

The following tables list the HCP for cloud scale permissions available for system roles. The words Yes and No indicate whether or not the permission is assigned for a default role.

The set permissions override corresponding get permissions. That is, if a user has permission to set (configure) a function, the user is also granted permission to get (view) the function.

Chargeback Reporting

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| chargeback:system:get_report | Generate chargeback report for any bucket | Yes |
| chargeback:user:get_report | Generate chargeback report for the user's buckets | Yes |

Data Service

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| data:bucket:encryption:get | Execute S3 API GET bucket object encryption rules | Yes |
| data:bucket:encryption:set | Execute S3 API PUT bucket object or DEL bucket object encryption rules. Note: Does not govern use of --x-amz-Server-side-encryption=AES256 | Yes |
| data:bucket:expirationlifecycle:get | View bucket expiration lifecycle policy configuration | Yes |
| data:bucket:expirationlifecycle:set | Configure bucket expiration lifecycle policy | Yes |
| data:bucket:notification:get | View bucket notification configuration | Yes |
| data:bucket:notification:set | Configure bucket notification | Yes |
| data:bucket:objectlock:get | View bucket object lock policy configuration | Yes |
| data:bucket:objectlock:set | Configure bucket object lock policy | Yes |
| data:bucket:sync:from:set | Create bucket sync-from rules for buckets the user owns or has access to | Yes |
| data:bucket:sync:get | View bucket sync-from and sync-to rules for buckets the user owns or has access to | Yes |
| data:bucket:sync:to:set | Create bucket sync-to rules for buckets the user owns or has access to | Yes |

KMIP

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:kmip:add_server | Configure an external KMIP server | Yes |
| mapi:kmip:add_server | Remove configuration of an individual external KMIP server | Yes |
| mapi:kmip:get_server | Get information about an individual external KMIP server | Yes |
| mapi:kmip:list_servers | Get information about configured KMIP servers | Yes |
| mapi:kmip:update_server | Update the configuration of an external KMIP server | Yes |

License

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:license:add | Add licensed feature | Yes |
| mapi:license:list | List all licensed features | Yes |

MAPI Alerts

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:alert:list | List all active alerts | Yes |

MAPI S3 Settings

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:s3_settings:get | Read S3 settings | Yes |
| mapi:s3_settings:set | Modify S3 settings | Yes |

MAPI Storage Component

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:storage_component:activate | Activate a storage component | Yes |
| mapi:storage_component:get_capacity | Get storage component capacity | Yes |
| mapi:storage_component:create | Create a storage component | Yes |
| mapi:storage_component:list | List storage component(s) | Yes |
| mapi:storage_component:test | Test a storage component | Yes |
| mapi:storage_component:update | Modify a storage component | Yes |
| mapi:storage_component:update_state | Modify state of a storage component | Yes |

MAPI Stored Objects

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:client_object:lookup | List stored objects | Yes |

MAPI System

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:certificates:refresh | Refresh SSL certificates | |
| mapi:system:info | List system information | Yes |

MAPI User

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:user:list | List existing users | Yes |
| mapi:user:list_buckets | List user's buckets | Yes |
| mapi:user:revoke_credentials | Revoke S3 credentials | Yes |
| mapi:user:revoke_tokens | Revoke OAuth tokens | Yes |

S3 Encryption Setting

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:s3_encryption:get | Read S3 encryption settings | Yes |
| mapi:s3_encryption:set | Enable global encryption | Yes |
| mapi:s3_encryption:unseal | Unseal KMS service | Yes |

S3 User

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| s3:user:generate_credentials | Generate S3 credentials | Yes |

Serial Number

| Permission name | Description | Default admin role permission? |
| --- | --- | --- |
| mapi:serial_number:get | Read serial number | Yes |
| mapi:serial_number:set | Modify serial number | Yes |