Scope Access Control
Kii Cloud has four types of scopes: the application scope, group scope, user scope, and thing scope. This topic explains the access permissions of the scopes. See Scopes and Access Privileges in the Getting Started for the purposes of each scope.
Scope permissions control only who can create buckets or topics in a scope. In contrast, the permissions of buckets, KiiObjects, and topics mainly control who can manipulate the target itself.
The table below indicates the default ACL entries for the scopes. You can customize the scope ACLs with the REST APIs.
Default permissions
The scopes have the following permissions by default. The rightmost "Modify ACL" column indicates the users who can update the ACL. Note that you cannot change the users who can modify the ACL.
Scope | Create buckets (CREATE_NEW_BUCKET) | Create topics (CREATE_NEW_TOPIC) | Modify ACL |
Application | Any authenticated users | App administrator | App administrator |
Group | Group members, Group owner | Group members, Group owner | Group owner |
User | Scope owner | Scope owner | Scope owner |
Thing | Thing, Thing owner | Thing, Thing owner | Thing, Thing owner |
Here is a brief summary of scope permissions:
- In the application scope, any authenticated user can create buckets. Only the app administrator can create topics.
- In the group scope, the members of the group can create buckets and topics.
- In the user scope, only the scope owner can create buckets and topics.
- In the thing scope, only the thing and its owner can create buckets and topics.
Additionally, note the following consideration:
- For the definitions of authenticated and anonymous users, see Subject.
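Because scope ACLs can be customized, it helps to compare a scope's current grants with the defaults in the table above and flag anything that widens access. The following is an added example, not Kii Cloud code: the role labels (such as `any_authenticated_user`) and the dictionary shape of the ACL are assumptions for illustration and are not the format the REST API returns.

```python
# Added example: audit a customized scope ACL against the documented defaults.
# Role labels and the ACL dict shape are illustrative assumptions, not Kii's wire format.

# Default grants per scope type, transcribed from the "Default permissions" table.
DEFAULT_ACL = {
    "application": {"CREATE_NEW_BUCKET": {"any_authenticated_user"},
                    "CREATE_NEW_TOPIC": {"app_administrator"}},
    "group": {"CREATE_NEW_BUCKET": {"group_member", "group_owner"},
              "CREATE_NEW_TOPIC": {"group_member", "group_owner"}},
    "user": {"CREATE_NEW_BUCKET": {"scope_owner"},
             "CREATE_NEW_TOPIC": {"scope_owner"}},
    "thing": {"CREATE_NEW_BUCKET": {"thing", "thing_owner"},
              "CREATE_NEW_TOPIC": {"thing", "thing_owner"}},
}


def audit_scope_acl(scope_type, current_acl):
    """Return (finding, action, subject) tuples where current_acl differs from the default.

    "widened"  : a subject holds a grant the default does not give it.
    "narrowed" : a default grant is missing (not a risk, but worth knowing).
    "unknown_action" : an action that is not a scope-level permission on this page.
    """
    defaults = DEFAULT_ACL[scope_type]
    findings = []
    for action in sorted(set(defaults) | set(current_acl)):
        if action not in defaults:
            findings.append(("unknown_action", action, None))
            continue
        granted = set(current_acl.get(action, ()))
        for subject in sorted(granted - defaults[action]):
            findings.append(("widened", action, subject))
        for subject in sorted(defaults[action] - granted):
            findings.append(("narrowed", action, subject))
    return findings


# Constructed sample: an application scope where topic creation was opened
# to every authenticated user instead of the app administrator only.
SAMPLE_APP_ACL = {
    "CREATE_NEW_BUCKET": ["any_authenticated_user"],
    "CREATE_NEW_TOPIC": ["app_administrator", "any_authenticated_user"],
}

if __name__ == "__main__":
    for finding in audit_scope_acl("application", SAMPLE_APP_ACL):
        print(finding)
```
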