Tagging Data Objects with Security Policies

Once security policies are configured (with tagging enabled), permitted users can associate the security policies with data objects through the Control System, CLI, and REST API. A data object can be associated with one or multiple security policies.

Attention: Verify that the security policy state is set to allow tagging. By default, a security policy has allowtagging=false and accesscontrol=Disarmed when created. See Changing the State of a Security Policy.

Supported Data Objects

The following table lists the data objects in the data-fabric platform that users can tag with security policies:
filesystem HPE Ezmeral Data Fabric Database
  • Volumes
  • Directories
  • Files
  • JSON tables
  • JSON table column families
  • JASON table fields
Note: If you upgrade your data-fabric cluster to version 6.2.x from a pre-6.2.0 version, you can apply security policies to existing tables if Policy-Based Security is enabled. See Policy-Based Security Quick Reference.

Permissions Required to Tag Data Objects

Users must have the required permissions to tag security policies to data objects. Permission requirements vary depending on the data-fabric platform core component.

The following table lists the users that can tag data objects in the data-fabric filesystem and database:
filesystem HPE Ezmeral Data Fabric Database
  • Owner of the data object
  • Data Fabric administrator (typically mapr)
  • Superuser (root)

The superuser cannot tag filesystem objects when the cldb.reject.root flag is set.

  • Data Fabric administrator (typically mapr)
  • User with ACE administrative access (adminaccessperm permission)

The following sections describe how to tag data objects in the filesystem and HPE Ezmeral Data Fabric Database with security policies