Setting Permissions

Permissions are determined by the active ACL (access control list) policy, which is a list of rules that grant or deny users and groups the ability to perform specific actions.

Default (Owner only) access applies automatically and refers to the owner of the current tenant, domain, or bucket. In the absence of an access control policy, only the owner has access, unless a parent scope grants additional permissions to other users and groups.

See https://perifery.atlassian.net/wiki/spaces/public/pages/2443816967 for the usage and components of policies.

Unchecking Default (Owner only) expands an interactive policy editor in which a policy for the current tenant, domain, or bucket can be created. (v9.4)

The editor includes templates for adding the most commonly needed policies (such as public read-only and authorized user full access) as well as options for designing granular access for users and groups. Safeguards help protect against unintended consequences, such as denying access to All Authorized Users, which locks out the Owner as well.

Note these behaviors and cautions:

Add Statement

From the + Add Statement dialog, copy an existing definition to alter (changes do not affect the original). Select the template closest to the desired policy and edit it as needed.

Tip

Rename the default statement name to describe the new effect: click the Edit (pencil) icon in the statement's title bar.

View Statement

The title bar of each statement is a toggle: click it to expand or collapse the statement settings.

Undo Edits

Select Revert to discard any unsaved (pending) policy changes.

Delete Policy

Click the Delete (trashcan) icon in the title bar to remove a single statement. The change takes effect when clicking Save.

Re-enable Default (Owner only) and select Save to remove the entire existing access policy. Use caution as this cannot be undone.

Statement Counter

The editor prefixes each statement name with a counter to keep statement names unique; if these prefixes are removed in the JSON editing view, inspect the policy to confirm that every statement name is still unique.

View JSON

Select View JSON to view (and optionally edit) the underlying JSON; select Hide JSON to return to the interactive editor, unless the edits have produced an advanced policy that the interactive editor cannot open (see Advanced Policies below).

Important

In the JSON view, "Version" specifies the version of the AWS policy language, not the policy's contents. "Version" must be set to the current (2012-10-17) or prior (2008-10-17) language version, or else JSON validation errors prevent saving.

To find the date and the user responsible for the last policy update, read the modification time and author stored as standard metadata on the relevant policy.json object.

Advanced Policies

The interactive editor does not open for advanced policies, which are those that involve these complexities:

  • Resource - Anything other than asterisk (*) or all

  • Principal - Either:

    • Is AWS

    • Has any conditions (such as match criteria) with or without child properties

Advanced policies can be viewed and edited only through the JSON view: if the existing policy contains any of the above elements, the interactive editor is disabled and the JSON is edited directly.

Prefixes

Prefixes are deprecated, negatively impact performance, and are ignored by policy evaluation. The interactive editor's validation removes them so that policies behave as expected. The deprecated prefixes are: ldap, pam, arn, aws, s3
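As an added example (not part of this page and not code from the Swarm product), the following Python script applies the checks described in the Statement Counter, View JSON, Advanced Policies and Prefixes sections to a policy document before it is pasted into the JSON view: it validates the Version value against the two accepted language versions, strips the deprecated prefixes from principal names, reports duplicate statement names and a Deny aimed at All Authorized Users (the lockout the editor's safeguards warn about), and says whether any statement is an advanced policy that only the JSON view can edit. The sample policy is constructed; the action names, the user/group keys under Principal, the "authenticated" keyword, the counter-prefix format and the decision to strip prefixes only from principal names are assumptions, not facts confirmed by this page.

```python
import copy
import json

# Policy-language versions the JSON view accepts (from the page).
ALLOWED_VERSIONS = ("2012-10-17", "2008-10-17")
# Deprecated prefixes listed on the page; the editor's validation strips them.
DEPRECATED_PREFIXES = ("ldap", "pam", "arn", "aws", "s3")
# Resource values the interactive editor can handle; anything else is "advanced".
SIMPLE_RESOURCES = {"*", "all"}
# Assumed principal keyword for "All Authorized Users" (not confirmed by the page).
ALL_AUTHORIZED = "authenticated"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate_version(policy):
    """Return problems with the Version element (empty list when it is valid)."""
    version = policy.get("Version")
    if version not in ALLOWED_VERSIONS:
        return [f"Version {version!r} must be one of {list(ALLOWED_VERSIONS)}"]
    return []


def strip_prefixes(name):
    """Drop leading deprecated prefixes: 'ldap:jdoe' -> 'jdoe', 'pam:ldap:x' -> 'x'."""
    head, sep, tail = name.partition(":")
    while sep and head.lower() in DEPRECATED_PREFIXES:
        name = tail
        head, sep, tail = name.partition(":")
    return name


def normalize_principals(statement):
    """Strip deprecated prefixes from names under Principal (assumed user/group lists)."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        for key, names in principal.items():
            if key != "AWS":  # AWS-form principals are advanced; left untouched
                principal[key] = [strip_prefixes(n) for n in _as_list(names)]
    return statement


def is_advanced(statement):
    """True when the interactive editor would not open this statement."""
    resources = set(_as_list(statement.get("Resource", "*")))
    if resources - SIMPLE_RESOURCES:
        return True
    principal = statement.get("Principal")
    if isinstance(principal, dict) and "AWS" in principal:
        return True
    return "Condition" in statement  # match criteria, with or without child properties


def locks_out_owner(statement):
    """Safeguard case: a Deny on All Authorized Users (or on everyone) hits the owner too."""
    if statement.get("Effect") != "Deny":
        return False
    return any(p in ("*", ALL_AUTHORIZED) for p in _as_list(statement.get("Principal")))


def duplicate_sids(statements):
    """Statement names that occur more than once (the counter prefix is meant to prevent this)."""
    seen, dups = set(), set()
    for stmt in statements:
        sid = stmt.get("Sid")
        if sid in seen:
            dups.add(sid)
        seen.add(sid)
    return sorted(dups)


def add_counter_prefix(statements):
    """Prefix each Sid with its position, e.g. '1-PublicRead' (the exact format is assumed)."""
    for n, stmt in enumerate(statements, start=1):
        stmt["Sid"] = f"{n}-{stmt.get('Sid', 'Statement')}"
    return statements


def lint_policy(policy):
    """Normalize a copy of the policy and report what the editor would flag.

    Returns (normalized_policy, problems, advanced); advanced is True when any
    statement can only be edited in the JSON view.
    """
    policy = copy.deepcopy(policy)
    problems = validate_version(policy)
    statements = policy["Statement"] = _as_list(policy.get("Statement", []))
    for stmt in statements:
        normalize_principals(stmt)
        if locks_out_owner(stmt):
            problems.append(f"{stmt.get('Sid')}: Deny on All Authorized Users also locks out the Owner")
    dups = duplicate_sids(statements)
    if dups:
        problems.append(f"duplicate statement names: {dups}")
    return policy, problems, any(is_advanced(s) for s in statements)


# Constructed sample policy (not from the page): a duplicate Sid, deprecated
# prefixes on principal names, and one statement only the JSON view can edit.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["GetObject", "ListBucket"], "Resource": "*"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": {"user": ["ldap:jdoe"], "group": "pam:admins"},
         "Action": "*", "Resource": "*"},
        {"Sid": "DenyReports", "Effect": "Deny", "Principal": {"AWS": ["*"]},
         "Action": "*", "Resource": "arn:aws:s3:::reports/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    ],
}

if __name__ == "__main__":
    normalized, problems, advanced = lint_policy(SAMPLE_POLICY)
    for problem in problems:
        print("problem:", problem)
    print("needs JSON view:", advanced)
    print(json.dumps(add_counter_prefix(normalized["Statement"]), indent=2))
```

Run the script as-is to lint the constructed sample, or replace SAMPLE_POLICY with the JSON copied from the View JSON pane; the original dictionary is never modified, so the printed, normalized statements can be compared against what was pasted in.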

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.