The ability to read and write objects in a container is governed by the Access Control Lists (ACLs) assigned to the container. These ACLs are written to two container metadata fields, X-Container-Read and X-Container-Write.
Users with roles assigned to these metadata fields can perform the following actions:
X-Container-Read: Users can read objects and associated metadata in the given container.
X-Container-Write: Users can create and delete objects and associated metadata in the given container.
The metadata field values are a comma-separated list of identity domain and role pairs. This allows service administrators to grant read or write access to users in other identity domains. Users with the Storage_Administrator role may define their own roles in the My Services Users page and assign them to the X-Container-Write headers on containers, as required. See Adding a Custom Role in Managing and Monitoring Oracle Cloud.
Users with the Storage_Administrator role will always have read and write access to all containers in their service instance.
All non-administrator users are subject to the ACLs for a given container.
The service instance root path is an exception to this, because it does not have ACLs associated with it. For this path, all users can obtain a list of containers, but only users with the Storage_Administrator role can create or delete containers.
By default, when a container is created in the Oracle Storage Cloud Service, the following ACLs are assigned:
The following are the newly created container ACL values for a service instance named Storage in an identity domain named myIdentityDomain:
X-Container-Read: myIdentityDomain.Storage.Storage_ReadOnlyGroup, myIdentityDomain.Storage.Storage_ReadWriteGroup
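The rules above (comma-separated identityDomain.service.role entries, the Storage_Administrator override, and the unprotected root path) can be checked against sample users with a small model. The following is an added example written for this page, not Oracle's own code or API: the header format and the group names in the default X-Container-Read value come from the page, while the User and Container classes, the helper names, and the X-Container-Write value used in the sample are assumptions made for the demonstration.

```python
"""Model of Oracle Storage Cloud container ACL evaluation (illustrative, not vendor code)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Role that always has read and write access to every container in its service instance.
ADMIN_ROLE = "Storage_Administrator"


def parse_acl(header_value: str) -> set[str]:
    """Split an X-Container-Read / X-Container-Write value into its
    'identityDomain.service.role' entries, ignoring surrounding whitespace."""
    return {entry.strip() for entry in header_value.split(",") if entry.strip()}


@dataclass
class Container:
    name: str
    service: str = "Storage"            # service instance the container belongs to
    read_acl: set[str] = field(default_factory=set)   # parsed X-Container-Read
    write_acl: set[str] = field(default_factory=set)  # parsed X-Container-Write


@dataclass
class User:
    identity_domain: str
    roles: set[str]   # role names granted in My Services, e.g. {"Storage_ReadOnlyGroup"}


def qualified_roles(user: User, service: str) -> set[str]:
    """Express a user's roles in the form the ACL headers use."""
    return {f"{user.identity_domain}.{service}.{role}" for role in user.roles}


def is_admin(user: User) -> bool:
    # Assumption for this model: the user belongs to the service instance being checked.
    return ADMIN_ROLE in user.roles


def can_read(user: User, container: Container) -> bool:
    """Administrators always read; everyone else needs a matching X-Container-Read entry."""
    if is_admin(user):
        return True
    return bool(qualified_roles(user, container.service) & container.read_acl)


def can_write(user: User, container: Container) -> bool:
    """Administrators always write; everyone else needs a matching X-Container-Write entry."""
    if is_admin(user):
        return True
    return bool(qualified_roles(user, container.service) & container.write_acl)


def can_list_root(user: User) -> bool:
    """The root path has no ACL: any user of the service instance may list containers."""
    return True


def can_manage_containers(user: User) -> bool:
    """Creating or deleting containers at the root path is reserved for administrators."""
    return is_admin(user)


def default_container(name: str) -> Container:
    """Container carrying the page's example X-Container-Read value. The write ACL used
    here is an assumption for the demo; the page does not show the default write value."""
    return Container(
        name,
        read_acl=parse_acl("myIdentityDomain.Storage.Storage_ReadOnlyGroup, "
                           "myIdentityDomain.Storage.Storage_ReadWriteGroup"),
        write_acl=parse_acl("myIdentityDomain.Storage.Storage_ReadWriteGroup"),
    )


if __name__ == "__main__":
    reports = default_container("reports")
    reader = User("myIdentityDomain", {"Storage_ReadOnlyGroup"})
    partner = User("partnerDomain", {"Partners"})     # user in another identity domain
    admin = User("myIdentityDomain", {ADMIN_ROLE})
    print("reader can read/write:", can_read(reader, reports), can_write(reader, reports))
    print("partner can read before grant:", can_read(partner, reports))
    # Cross-domain grant: add the partner domain's role to X-Container-Read.
    reports.read_acl.add("partnerDomain.Storage.Partners")
    print("partner can read after grant:", can_read(partner, reports))
    print("admin on a container with empty ACLs:", can_read(admin, Container("locked")))
```

The cross-domain grant is the part worth dwelling on from a defender's view: because the entry names a foreign identity domain, a review of X-Container-Read and X-Container-Write values is the quickest way to spot containers exposed outside the owning domain.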
To learn how to restrict read and write access to containers by using ACLs, see Setting Container ACLs and the following tutorials: