About Access Control Lists

The ability to read and write objects in a container is governed by the Access Control Lists (ACLs) assigned to the container. These ACLs are written to two metadata fields: X-Container-Read and X-Container-Write.

Users with roles assigned to these metadata fields can perform the following actions:

  • X-Container-Read: Users can read objects and associated metadata in the given container.
  • X-Container-Write: Users can create and delete objects and associated metadata in the given container.

The metadata field values are a comma-separated list of identity domain and role pairs. This allows service administrators to grant read or write access to users in other identity domains. Users with the Storage_Administrator role may define their own roles in the My Services Users page and assign them to the X-Container-Read and X-Container-Write headers on containers, as required. See Adding a Custom Role in Managing and Monitoring Oracle Cloud.

Users with the Storage_Administrator role will always have read and write access to all containers in their service instance.

All non-administrator users are subject to the ACLs for a given container.

The service instance root path is an exception to this, because it does not have ACLs associated with it. For this path, all users can obtain a list of containers, but only users with the Storage_Administrator role can create or delete containers.

By default, when a container is created in the Oracle Storage Cloud Service, the following ACLs are assigned:

  • X-Container-Read: identity_domain.storage_service.Storage_ReadOnlyGroup,identity_domain.storage_service.Storage_ReadWriteGroup
  • X-Container-Write: identity_domain.storage_service.Storage_ReadWriteGroup


The following are the newly created container ACL values for a service instance named Storage in an identity domain named myIdentityDomain.

  • X-Container-Read: myIdentityDomain.Storage.Storage_ReadOnlyGroup, myIdentityDomain.Storage.Storage_ReadWriteGroup
  • X-Container-Write: myIdentityDomain.Storage.Storage_ReadWriteGroup

To learn how to restrict read and write access to containers by using ACLs, see Setting Container ACLs and the following tutorials: