Granting a permission in an ACL for a bucket gives the grantee certain data access permissions for that bucket. Granting a permission in an ACL for an individual object gives the user certain data access permissions just for that object.
The table below lists the permissions you can grant in an ACL and shows the data access permissions that correspond to each ACL permission.

| ACL permission | Data access permissions |
| --- | --- |
| Read | Browse and read |
| Read ACP | Read ACL |
| Write | Write and delete |
| Write ACP | Write ACL |
| Full control | Browse, read, read ACL, write, write ACL, and delete |
By default, a bucket or object owner that corresponds to an HCP user account, or an object owner that corresponds to an AD user account, has full control over the applicable bucket or object. For a bucket owner that corresponds to an AD user account, the permissions depend on the tenant configuration.
When adding an ACL to a bucket or object, you can grant only the permissions you already have for that bucket or object. For example, suppose you have read, read ACP, and write ACP permissions for an object. In this case, you can grant read, read ACP, and write ACP permissions for the object to other users, but you cannot grant write permission or full control.
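The rule above can be checked mechanically by expanding each ACL permission into the data access permissions it confers and refusing any grant whose expansion is not a subset of what the granter already holds. The following is an added example, not HCP code; the permission names (`READ`, `READ_ACP`, `WRITE`, `WRITE_ACP`, `FULL_CONTROL`) are assumed S3-style identifiers for the five ACL permissions in the table.

```python
from typing import FrozenSet, Iterable, Mapping

# Data access permissions conferred by each ACL permission (from the table
# above). The ACL permission names are an assumption modelled on S3 grants.
ACL_TO_DATA: Mapping[str, FrozenSet[str]] = {
    "READ": frozenset({"browse", "read"}),
    "READ_ACP": frozenset({"read_acl"}),
    "WRITE": frozenset({"write", "delete"}),
    "WRITE_ACP": frozenset({"write_acl"}),
    "FULL_CONTROL": frozenset(
        {"browse", "read", "read_acl", "write", "write_acl", "delete"}
    ),
}


def effective_permissions(acl_grants: Iterable[str]) -> FrozenSet[str]:
    """Union of the data access permissions conferred by a set of ACL grants."""
    held = set()
    for grant in acl_grants:
        if grant not in ACL_TO_DATA:
            raise ValueError(f"unknown ACL permission: {grant!r}")
        held |= ACL_TO_DATA[grant]
    return frozenset(held)


def refused_grants(granter_acl: Iterable[str],
                   requested: Iterable[str]) -> FrozenSet[str]:
    """ACL permissions in `requested` that the granter may NOT give to others.

    A grant is allowed only when every data access permission it confers is
    already held by the granter; the same check applies to bucket and object ACLs.
    """
    held = effective_permissions(granter_acl)
    return frozenset(g for g in requested if not ACL_TO_DATA[g] <= held)


def can_grant(granter_acl: Iterable[str], requested: Iterable[str]) -> bool:
    """True when the whole request would be accepted, False if any grant is refused."""
    return not refused_grants(granter_acl, requested)
```

With the granter from the example (read, read ACP and write ACP), `can_grant` accepts those three grants and `refused_grants` reports write and full control.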
Tenant administrators can change the permissions that users, including the bucket owner, have for a bucket. They cannot change the permissions users have for objects.