ACL Entries

An ACL consists of ACL entries. An ACL entry consists of a subject and an action.

This topic explains how to update an ACL by configuring ACL entries.

Class structure of an ACL entry

The following diagram illustrates the structure of the classes used for processing an ACL entry with the Kii Cloud SDK. Though the REST API does not use classes, the diagram shows how the API is designed.

Subject and action

An ACL entry consists of a subject and an action.


A subject defines "to whom" the permission is to be granted.

The subject can be one of the following:

  • Any existing user.

  • Any existing group.

  • Any existing thing.

  • Any authenticated users (any users who are logged in and any things with the access tokens).

  • Anonymous users (any users or things, either with or without their access tokens).

The "any authenticated user" and "anonymous users" are only entities usable as an ACL entry's subject; you cannot specify them in other usages (e.g. login). The KiiAnyAuthenticatedUser and KiiAnonymousUser, used in the client SDKs, only have the relationship with KiiSubject (and do not have any relationship with KiiUser).


An action defines "which action" the permission allows to the subject.

The table below lists the actions for ACL entries. The action names vary depending on the SDK but the content is the same. The names listed in this table are used with the REST APIs.

Target Action Description
Scope CREATE_NEW_BUCKET Create buckets in the scope.
CREATE_NEW_TOPIC Create topics in the scope.
Bucket CREATE_OBJECTS_IN_BUCKET Create KiiObjects in the bucket.
QUERY_OBJECTS_IN_BUCKET Query KiiObjects in the bucket.
READ_OBJECTS_IN_BUCKET Read KiiObjects in the bucket.
DROP_BUCKET_WITH_ALL_CONTENT Drop the bucket with KiiObjects in it.
KiiObject READ_EXISTING_OBJECT Read the KiiObject.
WRITE_EXISTING_OBJECT Update and delete the KiiObject.
Topic SUBSCRIBE_TO_TOPIC Subscribe to the topic.
SEND_MESSAGE_TO_TOPIC Send push messages to the topic.

The class chart above does not include a class for the scope actions because only the REST APIs can modify the scope ACL.

A bucket, KiiObject, and topic have a different set of actions. The BucketAction, ObjectAction, and TopicAction represent actions achievable on a bucket, KiiObject, and topic, respectively.

Change request for an ACL

In order to update an ACL, you create new and/or changed ACL entries on the client and send a change request to Kii Cloud.

For example, suppose that a KiiObject on the server has four ACL entries and you need to delete Bob's write permission and add Charlie's read permission.

On the client, prepare a PUT request for an ACL entry for the permission to be granted and a DELETE request for another ACL entry for the permission to be revoked. Send the requests to the server to update the KiiObject's ACL.

Updating an ACL in the developer portal

You can customize only a bucket's ACL in the developer portal.

For more information, see Changing an existing bucket's ACL.