Enabling Table and Stream Authorizations with ACEs

Permissions for Data Fabric tables, column families, and columns are defined by ACEs. Set permissions for tables after you create or edit tables. Set default permissions for column families when you create or edit tables, and you can override these defaults when you create column families.

For the syntax to use when creating Access Control Expressions, see ACE Syntax.

If a user, group, or role requests to read data from, write data to, or append data to a column, HPE Ezmeral Data Fabric Database checks whether that user, group, or role has read or write permission for the column family AND read or write permission for the column. By default, columns allow read and write access to all users; in such cases, only the read or write permission for the column family matters.

However, suppose that a table contains columns col1 and col2 in column family cf1, and these columns grant read and write permission only to the table creator. A different user tries to write data to these columns. HPE Ezmeral Data Fabric Database checks whether this user has write permission on cf1 AND col1 AND col2. If the user does not have all three permissions, HPE Ezmeral Data Fabric Database returns an error that says access for the write is denied.

If this user were to try to read from the same two columns, HPE Ezmeral Data Fabric Database would simply not return the data. If the user tried to read from those two columns and additional columns on which he had read permissions, the results would contain the data for those additional columns but exclude the data for col1 and col2.