Data Access Control

General access control on platform resources is explained in the Controlling Access documentation.

ACL Inheritance

Resource object models relating to data follow their own set of rules, which dictate access control based on ACL inheritance. The logical hierarchy of data resources starts with volumes at the top level, followed by folders and files. With respect to access control, a folder is logically above the files it contains.

Upon creating a volume, the initial root folder resource will have an ACL according to the creator's identity context. The access to the volume resource is controlled by the root folder's ACL.

Upon creating files and folders, the folder node lowest in the path property will receive an ACL according to the creator's identity context. Folders higher in the path will inherit the ACL from the nearest folder resource above them. This prevents inadvertently granting access to folders auto-created during a file or folder create operation.

File resources will inherit the ACL of the nearest folder resource above them. The identity context of the requestor is ignored.

Volume, folder, and file resource object models include an inheritedAcl property, which is the collated ACL from the root folder down to the resource requested. When a requestor asks to create a file or folder, the union of the ACLs on all upstream parent folders of the path specified in the creation request is used to check whether the requestor has permission. If the requestor's identity context contains an identity membership that has permission to create the file or folder and that matches an identity in the collated ACLs from upstream folders, the request is permitted.
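The inheritance and create-check rules above can be modelled in a few lines. This is an added example, not the platform's own code. The `Volume` class, the `group:` identity strings, the `create` permission name, and passing the creator's ACL as a parameter are all assumptions made for illustration.

```python
from pathlib import PurePosixPath

class Volume:
    """Toy model: some folders own an ACL; other folders and all files only inherit."""

    def __init__(self, creator_acl):
        # The root folder's ACL comes from the volume creator's identity context.
        self.own_acl = {"/": frozenset(creator_acl)}

    @staticmethod
    def _upstream(path):
        """Parent folders of path, root first (path itself excluded)."""
        return [str(p) for p in list(PurePosixPath(path).parents)[::-1]]

    def inherited_acl(self, path):
        """Collated ACL from the root folder down to the resource."""
        acl = set()
        for node in self._upstream(path) + [path]:
            acl |= self.own_acl.get(node, frozenset())
        return acl

    def can_create(self, path, context):
        """context maps identity -> permissions held through that membership."""
        upstream = set()
        for folder in self._upstream(path):
            upstream |= self.own_acl.get(folder, frozenset())
        return any("create" in perms and ident in upstream
                   for ident, perms in context.items())

    def create(self, path, context, creator_acl=None):
        """creator_acl set: folder. None: file, which never owns an ACL."""
        if not self.can_create(path, context):
            raise PermissionError(path)
        if creator_acl is not None:  # auto-created parents get no entry here
            self.own_acl[path] = frozenset(creator_acl)

def demo():
    # Constructed identities and paths, for illustration only.
    vol = Volume({"group:lab-admins"})
    admin = {"group:lab-admins": {"create", "read"}}
    analyst = {"group:analysts": {"create", "read"}}
    # /runs and /runs/2024 are auto-created and only inherit the root ACL.
    vol.create("/runs/2024/batch7", admin, creator_acl={"group:analysts"})
    vol.create("/runs/2024/batch7/sample.bam", analyst)
    return vol, admin, analyst
```

In this model the analyst can create under `/runs/2024/batch7` but not under the auto-created `/runs/2024`, which is the inadvertent grant the inheritance rule prevents.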
