Data access permissions

Content Platform Tenant Management Help

Data access permissions allow you to access bucket content through the various HCP interfaces. You get these permissions either from your user account or from the bucket configuration.

Data access permissions are granted separately for individual buckets. Each data access permission allows you to perform certain operations. However, not all operations allowed by data access permissions apply to every HCP interface. For example, you can view and retrieve ACLs through the REST API and the S3 compatible API but not through any other namespace access protocol.

Although many of the operations allowed by data access permissions are not supported by the S3 compatible API, a tenant administrator can give you permission for those operations. You can then perform the operations through other HCP interfaces that support them.

The data access permissions that you can have for a bucket are:

Browse
Lets you list bucket contents.
Read
Lets you:
  • View and retrieve objects in the bucket, including the system and custom metadata for objects
  • View and retrieve previous versions of objects
  • List annotations for objects
  • Check the existence of objects
Users with read permission also have browse permission.
Read ACL
Lets you view and retrieve bucket and object ACLs.
Write
Lets you:
  • Add objects to the bucket
  • Modify system metadata (except retention hold) for objects in the bucket
  • Add or replace custom metadata for objects in the bucket
Write ACL
Lets you add, replace, and delete bucket and object ACLs.
Change owner
Lets you change the bucket owner and the owners of objects in the bucket.
Delete
Lets you delete objects, custom metadata, and bucket and object ACLs.
Purge
Lets you delete all versions of an object with a single operation. Users with purge permission also have delete permission.
Privileged
Lets you:
  • Delete or purge objects that are under retention, provided that you also have delete or purge permission for the bucket
  • Hold or release objects, provided that you also have write permission for the bucket
Note: All holds (a single hold and all labeled holds) must be released on the object before it can be deleted, regardless of the retention setting.
Search
Lets you use the HCP metadata query API and the HCP Search Console to query or search the bucket for objects that meet specified criteria. Users with search permission also have read permission.

If you have any data access permissions for a bucket, you can view information about that bucket through the REST API and Namespace Browser.
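
When reviewing bucket grants for least privilege, it helps to expand the implied permissions and the combined-permission requirements described above. The following is an added example, not part of the HCP documentation or product code; the permission strings and operation names are illustrative labels chosen here, not HCP API identifiers.

```python
# Added example: models the implication and combination rules from this page.
# Permission and operation names are illustrative, not HCP API values.
IMPLIES = {"read": {"browse"}, "purge": {"delete"}, "search": {"read"}}

# Permissions an operation needs, all at once, after implications are expanded.
REQUIRES = {
    "list_contents": {"browse"},
    "retrieve_object": {"read"},
    "retrieve_acl": {"read_acl"},
    "add_object": {"write"},
    "set_acl": {"write_acl"},
    "change_owner": {"change_owner"},
    "delete_object": {"delete"},
    "purge_object": {"purge"},
    "delete_under_retention": {"privileged", "delete"},
    "purge_under_retention": {"privileged", "purge"},
    "hold_or_release": {"privileged", "write"},
    "metadata_query": {"search"},
}
# Operations blocked while any hold remains on the object.
BLOCKED_BY_HOLD = {"delete_object", "purge_object",
                   "delete_under_retention", "purge_under_retention"}

def effective(granted):
    """Expand a grant with every permission it implies (transitively)."""
    result, stack = set(), list(granted)
    while stack:
        perm = stack.pop()
        if perm not in result:
            result.add(perm)
            stack.extend(IMPLIES.get(perm, ()))
    return result

def allowed(granted, operation, object_on_hold=False):
    """True if the grant permits the operation on this bucket."""
    if object_on_hold and operation in BLOCKED_BY_HOLD:
        return False  # all holds must be released before deletion
    return REQUIRES[operation] <= effective(granted)

def redundant(granted):
    """Permissions in a grant that the remaining permissions already imply."""
    granted = set(granted)
    return {p for p in granted if p in effective(granted - {p})}

if __name__ == "__main__":
    grant = {"search", "privileged"}  # constructed sample grant
    print(sorted(effective(grant)))
    print(allowed(grant, "delete_under_retention"))
```

Running `effective` over each account's grants shows what a user can actually do, for example that a search-only grant also allows reading and listing the bucket.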