Bucket Access Control

Each bucket belongs to a "scope", which determines the entity that owns the bucket: the application, a group, a user, or a thing. This topic explains the access permissions of buckets in each scope.

The table below indicates the default ACL entries set at bucket creation. You can customize bucket ACLs with the ACL modification feature of the client SDKs and REST APIs.

Default permissions

Buckets have the following permissions by default. The rightmost "Modify ACL" column indicates the users who can update the ACL. Note that you cannot change the users who can modify the ACL.

Application scope
  • Create KiiObjects in the bucket (CREATE_OBJECTS_IN_BUCKET): Any authenticated users
  • Query KiiObjects in the bucket (QUERY_OBJECTS_IN_BUCKET): Any authenticated users, Anonymous users
  • Read KiiObjects in the bucket (READ_OBJECTS_IN_BUCKET): Any authenticated users, Anonymous users
  • Drop the bucket (DROP_BUCKET_WITH_ALL_CONTENT): Any authenticated users
  • Modify ACL: App administrator

Group scope
  • Create KiiObjects in the bucket (CREATE_OBJECTS_IN_BUCKET): Group members, Group owner, Bucket creator
  • Query KiiObjects in the bucket (QUERY_OBJECTS_IN_BUCKET): Group members, Group owner, Bucket creator
  • Read KiiObjects in the bucket (READ_OBJECTS_IN_BUCKET): Group members, Group owner, Bucket creator
  • Drop the bucket (DROP_BUCKET_WITH_ALL_CONTENT): Group owner, Bucket creator
  • Modify ACL: Group owner

User scope
  • Create KiiObjects in the bucket (CREATE_OBJECTS_IN_BUCKET): Scope owner, Bucket creator
  • Query KiiObjects in the bucket (QUERY_OBJECTS_IN_BUCKET): Scope owner, Bucket creator
  • Read KiiObjects in the bucket (READ_OBJECTS_IN_BUCKET): Scope owner, Bucket creator
  • Drop the bucket (DROP_BUCKET_WITH_ALL_CONTENT): Scope owner, Bucket creator
  • Modify ACL: Scope owner

Thing scope
  • Create KiiObjects in the bucket (CREATE_OBJECTS_IN_BUCKET): Thing, Thing owner, Bucket creator
  • Query KiiObjects in the bucket (QUERY_OBJECTS_IN_BUCKET): Thing, Thing owner, Bucket creator
  • Read KiiObjects in the bucket (READ_OBJECTS_IN_BUCKET): Thing, Thing owner, Bucket creator
  • Drop the bucket (DROP_BUCKET_WITH_ALL_CONTENT): Thing, Thing owner, Bucket creator
  • Modify ACL: Thing, Thing owner

Here is a brief summary of the default bucket permissions in each scope ("all bucket actions" means creating, querying, reading, and dropping; modifying the ACL is listed separately because it cannot be reassigned):

  • In the application scope, any authenticated user is permitted to perform all bucket actions. Note that this includes dropping the bucket with all of its content, so any user who can sign in can delete an application-scope bucket unless you restrict its ACL. Anonymous users are permitted only to query and read KiiObjects in the bucket. Only the app administrator can modify the ACL.

  • In the group scope, the group owner and the bucket creator are permitted to perform all bucket actions. Group members are permitted to perform all bucket actions except dropping the bucket. Only the group owner can modify the ACL; a bucket creator who is not the group owner cannot.

  • In the user scope, the scope owner and the bucket creator are permitted to perform all bucket actions. Only the scope owner can modify the ACL.

  • In the thing scope, the thing, its owner, and the bucket creator are permitted to perform all bucket actions. Only the thing and its owner can modify the ACL.
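The matrix above is easy to misread, especially the cases where a bucket creator can drop a bucket but not change its ACL, or where an anonymous user can read but not create. The following is an added example, not Kii Cloud SDK or REST API code, that encodes the default entries as a small policy evaluator so the defaults can be checked for a concrete subject and bucket. The Subject and Bucket types, the role labels, and the MODIFY_ACL label are this example's own (the page gives no permission identifier for ACL modification); treating things and the app administrator as "authenticated" subjects is an assumption, and the evaluator grants the administrator nothing beyond what the table lists.

```python
"""Evaluator for the default bucket ACL matrix above.

Added example, not Kii Cloud SDK or REST API code. Role labels, the
Subject/Bucket types and the MODIFY_ACL label are this example's own
(the page gives no identifier for the ACL-modification permission).
Treating things and the app administrator as authenticated subjects
is an assumption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Action(Enum):
    CREATE = "CREATE_OBJECTS_IN_BUCKET"
    QUERY = "QUERY_OBJECTS_IN_BUCKET"
    READ = "READ_OBJECTS_IN_BUCKET"
    DROP = "DROP_BUCKET_WITH_ALL_CONTENT"
    MODIFY_ACL = "MODIFY_ACL"  # label chosen for this example


@dataclass(frozen=True)
class Bucket:
    scope: str               # "application", "group", "user" or "thing"
    scope_id: Optional[str]  # owning group/user/thing id; None for application
    creator: Optional[str]   # id of the subject that created the bucket


@dataclass(frozen=True)
class Subject:
    kind: str                # "anonymous", "user", "thing" or "app_admin"
    id: Optional[str] = None
    groups: frozenset = frozenset()        # groups the subject is a member of
    owned_groups: frozenset = frozenset()  # groups the subject owns
    owned_things: frozenset = frozenset()  # things the subject owns


_OBJECT_ACTIONS = (Action.CREATE, Action.QUERY, Action.READ)

# Default ACL entries transcribed from the tables above: scope -> action -> roles.
DEFAULT_ACL = {
    "application": {
        Action.CREATE: {"authenticated"},
        Action.QUERY: {"authenticated", "anonymous"},
        Action.READ: {"authenticated", "anonymous"},
        Action.DROP: {"authenticated"},
        Action.MODIFY_ACL: {"app_admin"},
    },
    "group": {
        **{a: {"group_member", "group_owner", "bucket_creator"} for a in _OBJECT_ACTIONS},
        Action.DROP: {"group_owner", "bucket_creator"},
        Action.MODIFY_ACL: {"group_owner"},
    },
    "user": {
        **{a: {"scope_owner", "bucket_creator"} for a in (*_OBJECT_ACTIONS, Action.DROP)},
        Action.MODIFY_ACL: {"scope_owner"},
    },
    "thing": {
        **{a: {"thing", "thing_owner", "bucket_creator"} for a in (*_OBJECT_ACTIONS, Action.DROP)},
        Action.MODIFY_ACL: {"thing", "thing_owner"},
    },
}


def roles(subject: Subject, bucket: Bucket) -> Set[str]:
    """Resolve a subject to the role labels the default ACL is written in."""
    if subject.kind == "anonymous":
        return {"anonymous"}
    held = {"authenticated"}  # assumption: every non-anonymous subject
    if subject.kind == "app_admin":
        held.add("app_admin")
    if subject.id is not None and subject.id == bucket.creator:
        held.add("bucket_creator")
    if bucket.scope == "group":
        if bucket.scope_id in subject.groups:
            held.add("group_member")
        if bucket.scope_id in subject.owned_groups:
            held.add("group_owner")
    elif bucket.scope == "user":
        if subject.kind == "user" and subject.id == bucket.scope_id:
            held.add("scope_owner")
    elif bucket.scope == "thing":
        if subject.kind == "thing" and subject.id == bucket.scope_id:
            held.add("thing")
        if bucket.scope_id in subject.owned_things:
            held.add("thing_owner")
    return held


def permitted_actions(subject: Subject, bucket: Bucket) -> Set[Action]:
    """Actions the default ACL grants this subject on this bucket."""
    held = roles(subject, bucket)
    return {a for a, allowed in DEFAULT_ACL[bucket.scope].items() if held & allowed}


def is_permitted(subject: Subject, bucket: Bucket, action: Action) -> bool:
    return action in permitted_actions(subject, bucket)


def who_can_drop(scope: str) -> Set[str]:
    """Audit helper: roles that may drop a bucket and all its content by default."""
    return set(DEFAULT_ACL[scope][Action.DROP])


if __name__ == "__main__":
    app_bucket = Bucket("application", None, "admin-1")   # constructed sample
    alice = Subject("user", "alice")
    print(sorted(a.value for a in permitted_actions(alice, app_bucket)))
    print("default DROP roles per scope:", {s: who_can_drop(s) for s in DEFAULT_ACL})
```

Running the script lists what an ordinary signed-in user may do to an application-scope bucket, including DROP_BUCKET_WITH_ALL_CONTENT, which is the case most worth confirming before relying on the defaults.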

Additionally, note the following considerations:

  • For the definitions of authenticated and anonymous users, see Subject.
  • Permission to create a bucket is controlled by the ACL of the scope, not by the bucket ACL described here. You can customize it by updating the scope's ACL; for more information, see Scope Access Control.
  • You can also customize a bucket's ACL in the developer portal. For more information, see Changing an existing bucket's ACL.