Specifying an ACL with headers

Content Platform Tenant Management Help

File Size
4269 KB
Part Number

Using request headers, you can specify either a canned ACL or individual ACL grants of permissions. You cannot specify both a canned ACL and individual grants in the same request.

Using a canned ACL

To specify a canned ACL, you use the x-amz-acl request header. The value of this header can be the name of any one of the canned ACLs. These names are case sensitive.

Here’s a sample x-amz-acl header that specifies the canned ACL named authenticated-read:

x-amz-acl: authenticated-read

Using individual grant headers

To grant specific permissions to specific users or groups, you use these headers:


Each header grants the permission indicated by the header itself.

The value for any of these headers is a comma-separated list of one or more grantees, in this format:


The list below lists the identifier types and indicates how you identify the grantee with each type.

User ID of an HCP user account or, for object ACLs only, SID of an AD user account.
To learn the ID or SID for a user account, see your tenant administrator.
One of these:
  • Username of an HCP user account
  • For object ACLs only, username of an AD user account followed by an at sign (@) and the AD domain name
  • authenticated
  • all_users
When specifying a username, percent-encode non-ASCII characters and reserved special characters such as ampersands (&), commas (,) and equal signs (=). If a username contains spaces, enclose it in quotation marks.
Third-party tools that are compatible with the Hitachi API for Amazon S3 may not be able to handle usernames with non-ASCII characters, special characters, or spaces. When using such tools, identify the user by user ID rather than by username.
URI for the group of all authenticated users or the group of all users

Identifier types are case sensitive.

Here’s a sample x-amz-grant-write header that grants write permission to two users who are identified by their HCP user account IDs:

x-amz-grant-write: id=53344e3b-00de-4941-962e-827ac143fa84,

Here's a sample x-amz-grant-read header that grants read permission to all users:

x-amz-grant-read: uri=http://acs.amazonaws.com/groups/global/AllUsers

If you include the same header multiple times in a single request, HCP uses only the first one.