Data access permission masks

Content Platform Tenant Management Help

A data access permission mask determines which operations on objects are allowed in a bucket. If the permission mask does not include the permission to perform a particular operation, you cannot perform that operation, regardless of your data access permissions for the bucket or target object.

Data access permission masks are set at the system, tenant, and bucket level. The effective permission mask for a bucket allows only the operations that are allowed at all three levels.

For example, for you to be able to delete an object in a bucket:

  • The system-level permission mask must include the delete permission
  • The tenant-level permission mask must include the delete permission
  • The permission mask for the bucket must include the delete permission
  • Either of these must be true:
    • Your data access permissions for the bucket include delete.
    • You have delete permission for the target object either because you are the object owner or because the object has an ACL that grants you delete permission.

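The check described above, written out as an added example (not HCP product code): the three masks are ANDed to get the effective mask, and only then are the user's bucket-level data access permissions and any object-level grant (owner or ACL) consulted. The permission names other than delete, the bit layout, and the function names are assumptions made for the illustration; HCP's real set of data access permissions may differ.

```python
"""Model of how an effective data access permission mask gates an operation.

Added illustration only, not HCP product code. Permission names other than
DELETE, the bit layout, and the function names are assumptions for the example.
"""
from enum import Flag, auto
from typing import List


class Perm(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    PURGE = auto()   # assumed name, for illustration only


ALL = Perm.READ | Perm.WRITE | Perm.DELETE | Perm.PURGE
NONE = Perm(0)


def effective_mask(system: Perm, tenant: Perm, bucket: Perm) -> Perm:
    """An operation is allowed only if every level allows it: AND the masks."""
    return system & tenant & bucket


def allowed(op: Perm, system: Perm, tenant: Perm, bucket: Perm,
            bucket_grants: Perm, object_grants: Perm = NONE) -> bool:
    """Return True if `op` passes the effective mask AND the caller holds the
    permission either on the bucket or on the target object (owner/ACL)."""
    if op not in effective_mask(system, tenant, bucket):
        # The mask wins regardless of any data access permission the user holds.
        return False
    return op in bucket_grants or op in object_grants


def deny_reasons(op: Perm, system: Perm, tenant: Perm, bucket: Perm,
                 bucket_grants: Perm, object_grants: Perm = NONE) -> List[str]:
    """List every level that blocks `op`; an empty list means it is allowed.
    Useful when a request fails and you need to know which mask to look at."""
    reasons = []
    for name, mask in (("system", system), ("tenant", tenant), ("bucket", bucket)):
        if op not in mask:
            reasons.append(f"{name}-level permission mask lacks {op.name}")
    if op not in bucket_grants and op not in object_grants:
        reasons.append(f"no {op.name} grant on bucket or target object")
    return reasons


if __name__ == "__main__":
    # Constructed scenario: the tenant administrator removed DELETE from the
    # tenant-level mask, so even an object owner cannot delete.
    tenant_mask = ALL & ~Perm.DELETE
    print(deny_reasons(Perm.DELETE, ALL, tenant_mask, ALL,
                       bucket_grants=Perm.READ, object_grants=Perm.DELETE))
    # A bucket whose own mask allows everything, with a caller granted only READ
    # on the bucket but DELETE on the object via ACL: delete succeeds.
    print(allowed(Perm.DELETE, ALL, ALL, ALL, Perm.READ, object_grants=Perm.DELETE))
```

Note that a new bucket starts with a mask allowing everything, so in practice the restrictive level is usually the tenant or system mask set by an administrator, which the S3 compatible API cannot change.
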
When you create a bucket, its data access permission mask allows all operations. Tenant administrators can change the data access permission mask for the buckets you create. You cannot use the S3 compatible API to change the permission mask for a bucket.

Tenant administrators can also change the tenant-level permission mask, and HCP system administrators can change the system-level permission mask. Changes to the permission mask at any level may affect which operations you can perform with the S3 compatible API.