KiiObject Access Control

Each KiiObject belongs to a "scope", which determines the entity that owns it: the application scope, the group scope, the user scope, or the thing scope. As with buckets, the default permissions applied to a KiiObject are determined by its scope.

A KiiObject takes the scope of the bucket that contains it. For example, a KiiObject stored in an application-scope bucket is in the application scope, and the default KiiObject permissions for the application scope are applied to it.

The table below indicates the default ACL entries set at KiiObject creation. You can customize a KiiObject's ACL with the ACL modification feature of the client SDKs and REST APIs.

Default permissions

KiiObjects have the following permissions by default. The rightmost "Modify ACL" column lists the subjects who can update the KiiObject's ACL. Note that this set is fixed: you cannot change who is allowed to modify the ACL, only the READ_EXISTING_OBJECT and WRITE_EXISTING_OBJECT entries themselves.

Scope        Read the KiiObject         Update and delete the KiiObject   Modify ACL
             (READ_EXISTING_OBJECT)     (WRITE_EXISTING_OBJECT)
-----------  -------------------------  --------------------------------  -----------------
Application  Any authenticated users    Any authenticated users           KiiObject creator
             Anonymous users
Group        Group members              Group members                     Group owner
             Group owner                Group owner                       KiiObject creator
             KiiObject creator          KiiObject creator
User         Scope owner                Scope owner                       Scope owner
             KiiObject creator          KiiObject creator                 KiiObject creator
Thing        Thing                      Thing                             Thing
             Thing owner                Thing owner                       Thing owner
             KiiObject creator          KiiObject creator                 KiiObject creator

Here is a brief summary of KiiObject permissions applied in each scope:

  • In the application scope, any authenticated user can read, update, and delete the KiiObject, including KiiObjects created by other users; anonymous users can read it but not modify it. Only the KiiObject creator can modify its ACL. In other words, an application-scope bucket is world-readable and writable by every signed-in user by default, so tighten the bucket or KiiObject ACL before storing anything sensitive or per-user there.
  • In the group scope, the group members, the group owner, and the KiiObject creator can read, update, and delete the KiiObject. Only the group owner and the KiiObject creator can modify its ACL.
  • In the user scope, the scope owner and the KiiObject creator can read, update, and delete the KiiObject and modify its ACL.
  • In the thing scope, the thing, its owner, and the KiiObject creator can read, update, and delete the KiiObject and modify its ACL.

Additionally, note the following considerations:

  • For the definitions of authenticated and anonymous users, see Subject.
  • You can customize a permission to create a KiiObject by updating a bucket's ACL. For more information about setting a bucket's ACL, see Bucket Access Control.
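The following script shows how the application-scope defaults above would be tightened through the REST ACL feature, taking a KiiObject from "anyone reads, any authenticated user writes" to owner-only read and write. It is an added example, not code from the Kii documentation or SDKs. It assumes the ACL-entry endpoint shape PUT/DELETE /api/apps/{appID}/buckets/{bucketID}/objects/{objectID}/acl/{verb}/{subject}, the subject spellings UserID:<id>, UserID:ANONYMOUS_USER and UserID:ANY_AUTHENTICATED_USER, the request headers X-Kii-AppID, X-Kii-AppKey and Authorization: Bearer <token>, and the API_BASE host; check each of these against the REST reference for your application's region before running it. The function and variable names are the example's own. The point it makes is ordering: the table shows that in the application scope the creator holds read and write only through the "any authenticated users" entries, so the owner must be granted explicitly before those broad entries are revoked, and the script stops at the first failed request so a half-applied plan never leaves the object more locked down than it started.

```python
"""Tighten the ACL of a KiiObject in an application-scope bucket via the REST API.

Added example, not Kii's own code. Assumed (verify against the Kii REST reference):
  * ACL entry endpoint:
      PUT/DELETE {API_BASE}/api/apps/{appID}/buckets/{bucketID}/objects/{objectID}/acl/{verb}/{subject}
  * subject spellings: UserID:<id>, UserID:ANONYMOUS_USER, UserID:ANY_AUTHENTICATED_USER
  * headers X-Kii-AppID, X-Kii-AppKey and Authorization: Bearer <access token>
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

API_BASE = "https://api.kii.com"  # assumption: replace with the site URL of your app

READ = "READ_EXISTING_OBJECT"
WRITE = "WRITE_EXISTING_OBJECT"
ANONYMOUS = "UserID:ANONYMOUS_USER"
ANY_AUTHENTICATED = "UserID:ANY_AUTHENTICATED_USER"

Step = Tuple[str, str]  # (HTTP method, URL)


def acl_entry_url(app_id: str, bucket_id: str, object_id: str, verb: str, subject: str) -> str:
    """URL of one ACL entry (verb x subject) on one KiiObject; endpoint shape is assumed."""
    return (f"{API_BASE}/api/apps/{app_id}/buckets/{bucket_id}"
            f"/objects/{object_id}/acl/{verb}/{subject}")


def plan_private_to_owner(app_id: str, bucket_id: str, object_id: str,
                          owner_user_id: str) -> List[Step]:
    """Ordered ACL changes from the application-scope defaults to owner-only read/write.

    Grants precede revocations on purpose: in the application scope the creator can
    read and write only via the ANY_AUTHENTICATED_USER entries, so revoking those first
    would lock the owner out if a later grant failed. The fixed "Modify ACL" right is
    not an ACL entry and is not touched.
    """
    def url(verb: str, subject: str) -> str:
        return acl_entry_url(app_id, bucket_id, object_id, verb, subject)

    owner = f"UserID:{owner_user_id}"
    return [
        ("PUT", url(READ, owner)),
        ("PUT", url(WRITE, owner)),
        ("DELETE", url(READ, ANONYMOUS)),
        ("DELETE", url(READ, ANY_AUTHENTICATED)),
        ("DELETE", url(WRITE, ANY_AUTHENTICATED)),
    ]


def http_send(method: str, url: str, headers: Dict[str, str]) -> int:
    """Issue one request with the standard library and return the HTTP status code."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx: report the code, do not raise
        return err.code


def apply_plan(plan: List[Step], app_id: str, app_key: str, access_token: str,
               send: Callable[[str, str, Dict[str, str]], int] = http_send
               ) -> List[Tuple[str, str, int]]:
    """Execute the steps in order and stop at the first non-2xx response.

    Because every revocation follows the grants, stopping early is the safe failure:
    the object is never left without an owner who can read and write it.
    """
    headers = {
        "X-Kii-AppID": app_id,
        "X-Kii-AppKey": app_key,
        "Authorization": f"Bearer {access_token}",
    }
    done: List[Tuple[str, str, int]] = []
    for method, url in plan:
        status = send(method, url, headers)
        done.append((method, url, status))
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {url} returned {status}; "
                               f"stopped after {len(done)} step(s)")
    return done


if __name__ == "__main__":
    # Dry run: print the plan instead of sending it (placeholder IDs).
    for method, url in plan_private_to_owner("<appID>", "<bucketID>", "<objectID>", "<ownerUserID>"):
        print(method, url)
```

Run the script as-is to see the request plan; pass real IDs, the application key, and an access token of the KiiObject creator (the only subject allowed to modify the ACL in the application scope) to apply_plan to execute it. The same plan shape works for a group-scope object by substituting GroupID:<id> subjects, but check the table first: group and user scopes already exclude anonymous and non-member users by default, so fewer revocations are needed there.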