1. Exascale User's Guide
  2. Oracle Exadata Exascale Overview
  3. Exascale Components and Concepts
  4. Vault and File Access Control

1.2.17 Vault and File Access Control

Access control lists (ACLs) work together with user privileges, in particular vault top-level privileges, to control access to Exascale vaults and files. To perform an action on a vault or file, a user requires the appropriate ACL privilege or the appropriate vault top-level user privilege. Because Exascale has no formal concept of vault or file ownership, all operations are governed by the combination of user privileges and ACLs.

The following table lists the minimum vault top-level user privilege, vault ACL privilege, or file ACL privilege that is required to perform various operations on Exascale vaults and files. Where relevant, associated ESCLI commands are listed along with each operation.

Operation Required Vault Top-Level User Privilege Required Vault ACL Privilege Required File ACL Privilege

Create vault

(mkvault)

vlt_inspect Not applicable. Not applicable.

List vaults

(ls)

vlt_read inspect Not applicable.

List files in a vault

(ls)

vlt_read read Not applicable.

Drop vault

(rmvault)

vlt_manage manage Not applicable.

View vault attributes

(lsacl, lsxattr, lstemplate)

vlt_read inspect Not applicable.

Alter vault attributes

(chxattr, mktemplate, rmtemplate, rmxattr)

vlt_manage manage Not applicable.

Alter vault ACL

(chacl)

vlt_manage manage Not applicable.

Create file

(mkfile)

vlt_read inspect Not applicable.

Drop file

(rmfile)

vlt_manage manage manage

Read and write file contents

(putfile)

vlt_manage manage use

Read file contents

(getfile)

vlt_use use read

View file attributes

(lsacl, lsxattr)

vlt_read read inspect

Alter file attributes

(chxattr, rmxattr)

vlt_manage manage use

Alter file ACL

(chacl)

vlt_manage manage manage

To create a snapshot or a clone, the user requires the privileges for the 'read file contents' operation to read the source file, and they also require the privileges for the 'create file' operation to create a file for the snapshot or clone. After creation, operations on snapshots and clones require the same privileges as for any other file.

To perform an operation, any user requires at least one of the privileges that is listed beside the operation. For example, to open a file for read-only access the requesting user must have at least one of the following:

  • The vlt_use vault top-level user privilege.
  • The use vault ACL privilege for the vault containing the file.
  • The read file ACL privilege for the file being opened.

Exascale ensures that users can manage the vaults and files that they create. During vault creation, if the creating user does not have the vlt_manage vault top-level user privilege, then Exascale adds the creating user to the vault ACL with the manage privilege. During file creation, if the creating user does not have the vlt_manage vault top-level user privilege and the user does not have the manage privilege in the vault ACL, then Exascale adds the creating user to the file ACL with the manage privilege.

Related Topics

Parent topic: Exascale Components and Concepts