Using request headers, you can specify either a canned ACL or individual ACL grants of permissions. You cannot specify both a canned ACL and individual grants in the same request.
Using a canned ACL
To specify a canned ACL, you use the x-amz-acl request header. The value of this header can be the name of any one of the canned ACLs. These names are case sensitive.
Here’s a sample x-amz-acl header that specifies the canned ACL named authenticated-read:
x-amz-acl: authenticated-read
Using individual grant headers
To grant specific permissions to specific users or groups, you use these headers:
- x-amz-grant-read
- x-amz-grant-read-acp
- x-amz-grant-write
- x-amz-grant-write-acp
- x-amz-grant-full-control
Each header grants the permission indicated by the header itself.
The value for any of these headers is a comma-separated list of one or more grantees, in this format:
identifier-type=grantee-identifier
The list below shows each identifier type and how you identify the grantee with that type.
- id
  - User ID of an HCP user account or, for object ACLs only, SID of an AD user account.
  - To learn the ID or SID for a user account, see your tenant administrator.
- emailAddress
  - One of these:
    - Username of an HCP user account
    - For object ACLs only, username of an AD user account followed by an at sign (@) and the AD domain name
    - authenticated
    - all_users
  - When specifying a username, percent-encode non-ASCII characters and reserved special characters such as ampersands (&), commas (,) and equal signs (=). If a username contains spaces, enclose it in quotation marks.
  - Third-party tools that are compatible with the Hitachi API for Amazon S3 may not be able to handle usernames with non-ASCII characters, special characters, or spaces. When using such tools, identify the user by user ID rather than by username.
- uri
  - URI for the group of all authenticated users or the group of all users
Identifier types are case sensitive.
Here’s a sample x-amz-grant-write header that grants write permission to two users who are identified by their HCP user account IDs:
x-amz-grant-write: id=53344e3b-00de-4941-962e-827ac143fa84,
id=53344e3b-00de-494e-962e-827ac143fa84
Here's a sample x-amz-grant-read header that grants read permission to all users:
x-amz-grant-read: uri=http://acs.amazonaws.com/groups/global/AllUsers
If you include the same header multiple times in a single request, HCP uses only the first one.
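The rules above can be enforced on the client before a request is sent. The following Python sketch is an added example, not code from the HCP documentation or product: the function names are hypothetical, and the set of characters it percent-encodes and the placement of the quotation marks around a username with spaces are assumptions based on the wording above.

```python
from urllib.parse import quote

GRANT_HEADERS = ("x-amz-grant-read", "x-amz-grant-read-acp", "x-amz-grant-write",
                 "x-amz-grant-write-acp", "x-amz-grant-full-control")
ID_TYPES = ("id", "emailAddress", "uri")  # case sensitive, so "ID" is rejected
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def grantee(id_type, value):
    """Format one identifier-type=grantee-identifier pair."""
    if id_type not in ID_TYPES:
        raise ValueError(f"unknown identifier type {id_type!r}")
    if id_type == "emailAddress":
        # Assumption: encode everything except unreserved characters, '@' and
        # spaces; '&', ',', '=' and non-ASCII characters become %XX sequences.
        value = quote(value, safe="@ ")
        if " " in value:
            value = f'"{value}"'  # usernames with spaces go in quotation marks
    return f"{id_type}={value}"


def build_acl_headers(canned=None, grants=()):
    """Return the ACL headers for one request.

    grants is an iterable of (header, id_type, value) tuples.
    """
    grants = list(grants)
    if canned and grants:
        raise ValueError("canned ACL and individual grants in the same request")
    if canned:
        return {"x-amz-acl": canned}
    merged = {}
    for header, id_type, value in grants:
        if header not in GRANT_HEADERS:
            raise ValueError(f"not a grant header: {header!r}")
        merged.setdefault(header, []).append(grantee(id_type, value))
    # Emit each header once: only the first copy of a repeated header is used,
    # so grantees for the same permission are joined into one value.
    return {h: ",".join(v) for h, v in merged.items()}


def grants_to_all_users(headers):
    """Names of the grant headers whose value includes the all-users group URI."""
    return sorted(h for h, v in headers.items()
                  if h in GRANT_HEADERS and f"uri={ALL_USERS}" in v.split(","))
```

Running grants_to_all_users over the headers a client or script is about to send gives a simple pre-flight check for grants that open a bucket or object to every user.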