aclGrant property

Content Platform Tenant Management Help

Version: 9.7.x
File Size: 4269 KB
Audience: anonymous
Part Number: MK-95HCPH002-19

To query for objects based on the content of ACLs, you specify the aclGrant property in an advanced query. Valid values for this property have these formats:

"permissions"

"permissions,USER[,location,username]"

"permissions,GROUP,location,(ad-group-name|all_users|authenticated)"

In these formats:

permissions
One or more of these, with no space between them:
  • R: Read_ACL
  • r: Read
  • W: Write_ACL
  • w: Write
  • d: Delete
If you specify only permissions as the aclGrant property value, the advanced query finds objects with ACLs that grant the specified permissions to any user or group.
USER
Required when querying for objects with ACLs that grant permissions to a specified user.
If you are accessing the Metadata Query Engine Console with a tenant-level user account that’s defined in HCP, you can find objects that have ACLs that grant the specified permissions to that user account by specifying only a permissions value and USER.
GROUP
Required when querying for objects with ACLs that grant permissions to a specific group of users.
location
The location in which the specified user or group is defined. Valid values are either:
  • The name of an HCP tenant
  • The name of an AD domain preceded by an at sign (@)
If the value for the aclGrant property includes all_users or authenticated, location must be the name of an HCP tenant.
username
The name of a user to which the matching ACLs grant the specified permissions. Valid values are:
  • The username for a user account that’s defined in HCP.
  • The username for an AD user account. This can be either the user principal name or the Security Accounts Manager (SAM) account name for the AD user account.
ad-group-name
The name of an AD group to which the matching ACLs grant the specified permissions.
all_users
Represents all users.
authenticated
Represents all authenticated users.

Specifying permissions

The permissions in an aclGrant property value must be specified in this order:

R, r, W, w, d

For example, to find objects that have ACLs that grant write and write_ACL permissions, and only those permissions, to the user rsilver who is defined in the europe tenant, specify this advanced query:

aclGrant:"Ww,USER,europe,rsilver"

You can replace one or more permissions with the asterisk (*) wildcard character. When you do so, you still need to specify permissions in the correct order.

When you specify both an asterisk and one or more permission values, the Console returns objects with ACLs that grant the permissions you explicitly specify, either alone or together with any of the permissions represented by the asterisk. For example, this advanced query returns objects with ACLs that grant read, read_ACL, write, and write_ACL permissions and may also grant delete permission:

aclGrant:"RrWw*"

A single asterisk represents all the missing permissions in the location where it appears. For example, in this advanced query, the wildcard character represents any combination of write, write_ACL, and delete permissions:

aclGrant:"r*"

In this advanced query, the wildcard character represents any combination of read and write_ACL permissions:

aclGrant:"R*w"

In this advanced query, the wildcard character represents only read_ACL permission:

aclGrant:"*r"

You can specify multiple asterisks in an advanced query. For example, this advanced query returns objects with ACLs that grant read permission and any combination of other permissions to the AD group named managers that is defined in the corp.widgetco.com domain:

aclGrant:"*r*,GROUP,@corp.widgetco.com,managers"

By replacing all permission values with a single asterisk, you query for objects that have ACLs that grant any combination of permissions. For example, if you are accessing the Console with a tenant-level user account, this advanced query finds objects with ACLs that grant any combination of permissions to that user account:

aclGrant:"*,USER"

aclGrant considerations

These considerations apply when you specify the aclGrant property in an advanced query:

  • The entire value for this property must be enclosed in double quotation marks (").
  • The locations and usernames you specify are not case sensitive.
  • The group names you specify, except all_users and authenticated, are not case sensitive.
  • The permission values you specify and the values USER and GROUP are case sensitive.
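As an added example that is not part of this help page or of HCP's own code, the following Python functions evaluate an aclGrant value against a single ACL entry, applying the permission order, the wildcard rules from "Specifying permissions" and the quoting and case-sensitivity rules from "aclGrant considerations". The ACL entry dictionary layout and the console_user parameter (the tenant and username of the Console account, used for the bare "permissions,USER" form) are assumptions made for the illustration.

```python
# Added example, not HCP code: evaluate an aclGrant value against one ACL entry.
PERM_ORDER = "RrWwd"  # canonical order: Read_ACL, Read, Write_ACL, Write, Delete
SPECIAL = ("all_users", "authenticated")  # the only case-sensitive group names
def expand_permissions(spec):
    """'R*w' -> (required, optional): each '*' is the permissions missing there."""
    required, optional, pos, star = set(), set(), 0, False
    for ch in spec:
        if ch == "*":
            star = True
            continue
        idx = PERM_ORDER.find(ch)
        if idx < pos:  # unknown letter (-1) or out of canonical order
            raise ValueError(f"bad or misplaced permission {ch!r} in {spec!r}")
        if star:
            optional.update(PERM_ORDER[pos:idx])
        required.add(ch)
        pos, star = idx + 1, False
    if star:
        optional.update(PERM_ORDER[pos:])
    return required, optional

def _name_key(name):  # all_users/authenticated compare exactly, others ignore case
    return (name in SPECIAL, name if name in SPECIAL else name.lower())

def parse_acl_grant(value, console_user=None):
    """Parse a quoted value; console_user=(tenant, user) serves the bare 'perms,USER' form."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("aclGrant value must be enclosed in double quotes")
    parts = value[1:-1].split(",")
    required, optional = expand_permissions(parts[0])
    q = {"required": required, "optional": optional, "type": None}
    if len(parts) == 1:
        return q  # permissions only: matches grants to any user or group
    if parts[1] == "USER" and len(parts) == 2 and console_user:
        parts += list(console_user)
    if parts[1] not in ("USER", "GROUP") or len(parts) != 4:  # case sensitive
        raise ValueError(f"malformed aclGrant value {value!r}")
    if parts[3] in SPECIAL and parts[2].startswith("@"):
        raise ValueError(f"{parts[3]} requires an HCP tenant as location")
    q.update(type=parts[1], location=parts[2].lower(), name=_name_key(parts[3]))
    return q

def acl_grant_matches(value, entry, console_user=None):
    """entry: {'perms': 'Ww', 'type': 'USER', 'location': 'europe', 'name': 'rsilver'}"""
    q = parse_acl_grant(value, console_user)
    if not q["required"] <= set(entry["perms"]) <= q["required"] | q["optional"]:
        return False  # must grant every explicit permission and nothing outside '*'
    return q["type"] is None or (entry["type"] == q["type"]
        and entry["location"].lower() == q["location"]
        and _name_key(entry["name"]) == q["name"])
```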