About Access Control Lists

The ability to read and write objects is governed by the Access Control Lists (ACLs) assigned to containers. These ACLs are written to two metadata fields: X-Container-Read and X-Container-Write.

User accounts with roles assigned to these metadata fields may perform the following actions:

  • X-Container-Read: User accounts may read objects and associated metadata in the given container.
  • X-Container-Write: User accounts may create and delete objects and associated metadata in the given container.

The metadata field values are a comma-separated list of identity domain and role pairs. This allows service administrators to grant read or write access to users in other identity domains. Users with the Storage_Administrator role may define their own roles with the My Services Security page and assign them to the X-Container-Read and X-Container-Write headers on containers as needed. See Adding and Removing Custom Roles in Getting Started with Oracle Cloud.

User accounts with the Storage_Administrator role will always have read and write access to all containers in their service instance.

All non-administrator users are subject to the ACLs for a given container.

The service instance root path is an exception to this, as it does not have ACLs associated with it (or may they be set). For this path, all user accounts may obtain a list of containers, but only user accounts with the Storage_Administrator role may create or delete containers.

By default, when a container is created in the Oracle Storage Cloud Service, the following ACLs are assigned:

  • X-Container-Read: identity_domain.storage_service.Storage_ReadOnlyGroup,identity_domain.storage_service.Storage_ReadWriteGroup
  • X-Container-Write: identity_domain.storage_service.Storage_ReadWriteGroup


The following are the newly created container ACL values for a service instance named inst_1 in an identity domain named dom_1.

  • X-Container-Read: dom_1.inst_1.Storage_ReadOnlyGroup, dom_1.inst_1.Storage_ReadWriteGroup
  • X-Container-Write: dom_1.inst_1.Storage_ReadWriteGroup

To learn how to restrict read and write access to containers by using ACLs, see Setting Container ACLs and the following tutorials: