To access a namespace and take action in it, clients must have the necessary permissions. The list below describes the possible permissions and the operations they allow.
- Browse
  - List directory contents.
  - Check for directory existence.
- Read
  - Retrieve objects and system metadata.
  - Check for object existence.
  - List annotations.
  - Check for and retrieve annotations.
  - Read operations also require browse permission.
- Read ACL
  - Check for and retrieve ACLs.
- Write
  - Store objects.
  - Create directories.
  - Modify system metadata.
  - Add and replace annotations.
- Write ACL
  - Add, replace, and delete ACLs.
- Delete
  - Delete objects, empty directories, annotations, and ACLs.
- Purge
  - Delete objects and their old versions (also requires delete permission).
- Privileged
  - Delete or purge objects regardless of retention (also requires delete or purge permissions).
  - Place objects on hold or release objects from hold (also requires write permission).
- Change owner
  - Change object owners.
- Search
  - Search for objects (also requires browse and read permissions).

Data access permission mask
The operations allowed in a namespace are determined by a data access permission mask for the namespace. Data access permission masks are set at the system, tenant, and namespace levels.
The effective permissions for a namespace are the operations that are allowed by the mask at all three levels. That is, to be in effect for a namespace, a permission must be included in the system-level permission mask, the tenant-level permission mask, and the namespace-level permission mask.
User permissions
To perform an operation in a namespace, the operation must be allowed by the effective permission mask and by your user permissions. The permissions for what you can do in a namespace come from your user account (if you’re an authenticated user), the namespace configuration, and, for individual objects, the object ACL.
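
The mask and user-permission rules above, worked through as an added example (not code from the product or its documentation). The `Perm` flags, the operation names, and the `is_allowed` helper are hypothetical, and the user's permissions are assumed to be already resolved into a single set.

```python
from enum import Flag, auto

class Perm(Flag):  # hypothetical names for the permissions listed above
    BROWSE = auto()
    READ = auto()
    READ_ACL = auto()
    WRITE = auto()
    WRITE_ACL = auto()
    DELETE = auto()
    PURGE = auto()
    PRIVILEGED = auto()
    CHOWN = auto()
    SEARCH = auto()

# Permissions each operation needs, including the "also requires" notes.
REQUIRED = {
    "list_directory": Perm.BROWSE,
    "retrieve_object": Perm.READ | Perm.BROWSE,
    "store_object": Perm.WRITE,
    "delete_object": Perm.DELETE,
    "purge_object": Perm.PURGE | Perm.DELETE,
    "privileged_delete": Perm.PRIVILEGED | Perm.DELETE,
    "place_hold": Perm.PRIVILEGED | Perm.WRITE,
    "search": Perm.SEARCH | Perm.BROWSE | Perm.READ,
}

def effective_mask(system, tenant, namespace):
    """A permission is in effect only if all three levels include it."""
    return system & tenant & namespace

def is_allowed(op, user, system, tenant, namespace):
    """Allowed only if the effective mask AND the user grant every needed permission."""
    granted = effective_mask(system, tenant, namespace) & user
    needed = REQUIRED[op]
    return (needed & granted) == needed

# Constructed sample configuration.
ALL = Perm.BROWSE
for p in Perm:
    ALL |= p
SYSTEM = ALL
TENANT = ALL ^ Perm.PURGE  # tenant mask withholds purge
NAMESPACE = Perm.BROWSE | Perm.READ | Perm.WRITE | Perm.DELETE | Perm.PURGE | Perm.SEARCH
USER = Perm.BROWSE | Perm.READ | Perm.DELETE | Perm.PURGE | Perm.SEARCH

if __name__ == "__main__":
    for op in REQUIRED:
        print(f"{op:18} {is_allowed(op, USER, SYSTEM, TENANT, NAMESPACE)}")
```

In this sample the user holds purge permission but cannot purge because the tenant-level mask excludes it, and cannot store objects even though the mask allows write, because the user lacks write permission.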