< Previous | Contents | Next >

Data access permission masks

A data access permission mask determines which operations on objects are allowed in a bucket. If the permission mask does not include the permission to perform a particular operation, you cannot perform that operation, regardless of your data access permissions for the bucket or target object.

Data access permission masks are set at the system, tenant, and bucket level. The effective permission mask for a bucket allows only the operations that are allowed at all three levels.

For example, for you to be able to delete an object in a bucket:

The system-level permission mask must include the delete permission

The tenant-level permission mask must include the delete permissions

The permission mask for the bucket must include the delete permission

Either of these must be true:

Your data access permissions for the bucket include delete.

You have delete permission for the target object either because you are the object owner or because the object has an ACL that grants you delete permission.

Chapter 2: Bucket and object properties 37

Replication collisions

When you create a bucket, its data access permission mask allows all operations. Tenant administrators can change the data permission mask for the buckets you create. You cannot use the HS3 API to change the permission mask for a bucket.

Tenant administrators can also change the tenant-level permission mask, and HCP system administrators can change the system-level permission mask. Changes to the permission mask at any level may affect which operations you can perform with the HS3 API.