Permissions on the Default Column Family

If an OJAI document field is in the MapR-DB JSON default column family, the field that you want to perform operations on inherits permissions from its parent field. You must have the permission for each operation that you perform on the field; to perform both read and write operations, both readperm and writeperm permissions are required.

The following diagram shows an example of an OJAI document in which all fields are in the default column family.

You need read and write permissions on field c

To perform both read and write operations on field c when it is in the default column family, you must have both readperm and writeperm access on field c.

  • If you have readperm and writeperm permissions on the column family, then you have access to field c.
  • If you have readperm and writeperm permissions on the column family but either field a or b denied you permissions:
    • You must have traverseperm permission granted to you on the field that denied you access (field a or b).
    • You must have readperm and writeperm permissions explicitly granted to you on field c.
  • If you do not have readperm and writeperm permissions on the default column family:
    • You must have traverseperm permission granted to you on the default column family since fields a and b inherit this permission.
    • You must have readperm and writeperm permissions explicitly granted to you on field c.

maprcli table cf colperm set commands similar to the following can be used to grant permissions. The ACE expression is quoted so that the shell does not treat | as a pipe.

If field a or b denied you permissions:

maprcli table cf colperm set \
  -path <path to JSON table> \
  -cfname default \
  -name a.b \
  -traverseperm "u:<user ID> | <existing ACE for this field>"

maprcli table cf colperm set \
  -path <path to JSON table> \
  -cfname default \
  -name a.b.c \
  -readperm "u:<user ID> | <existing ACE for this field>" \
  -writeperm "u:<user ID> | <existing ACE for this field>"

If you do not have readperm and writeperm permissions on the default column family:

maprcli table cf edit \
  -path <path to JSON table> \
  -cfname default \
  -traverseperm "u:<user ID> | <existing ACE for this field>"

maprcli table cf colperm set \
  -path <path to JSON table> \
  -cfname default \
  -name a.b.c \
  -readperm "u:<user ID> | <existing ACE for this field>" \
  -writeperm "u:<user ID> | <existing ACE for this field>"

You need either read or write permissions on field c

To perform either read or write operations on field c when it is in the default column family, you must have either readperm or writeperm access on field c.

  • If you have the same permission (readperm or writeperm) on the default column family, then you have access to field c.
  • If you have the same permission (readperm or writeperm) on the default column family but either field a or b denied you permission:
    • You must have traverseperm permission granted to you on the field that denied you access (field a or b).
    • You must have readperm or writeperm permissions explicitly granted to you on field c.
  • If you do not have the same permission (readperm or writeperm) on the default column family:
    • You must have the traverseperm permission granted to you on the default column family since fields a and b inherit this permission.
    • You must have readperm or writeperm permission explicitly granted to you on field c.

maprcli table cf colperm set commands similar to the following can be used to grant permissions:

maprcli table cf colperm set \
  -path <path to JSON table> \
  -cfname default \
  -name a.b \
  -traverseperm "u:<user ID> | <existing ACE for this field>"

The following example command grants readperm:

maprcli table cf colperm set \
  -path <path to JSON table> \
  -cfname default \
  -name a.b.c \
  -readperm "u:<user ID> | <existing ACE for this field>"
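
The three cases listed in each section above can be checked with a small model of the rules. This is an added example, not MapR code: it assumes an ACE is a plain set of user names and that a field with no explicit ACE inherits its parent's, and the users u1 and u2 and the helpers effective, can and can_all are hypothetical.

```python
# Simplified model of the access rules described on this page.
# Assumptions: an ACE is a set of user names; a field with no explicit ACE
# for a permission inherits the ACE of its parent field, up to the column
# family; nothing is granted if no ACE is set anywhere on that chain.

CF = ""  # key used here for the default column family itself

def effective(acl, node, perm):
    """ACE (set of users) in force for perm at node, following inheritance."""
    while True:
        ace = acl.get(node, {}).get(perm)
        if ace is not None:
            return ace
        if node == CF:
            return set()
        node = node.rpartition(".")[0]  # parent field; "" is the column family

def can(acl, user, perm, field):
    """True if user may perform perm ('readperm' or 'writeperm') on field."""
    parts = field.split(".")
    ancestors = [CF] + [".".join(parts[:i]) for i in range(1, len(parts))]
    for node in ancestors:
        # Each level must grant the same permission or let the user traverse.
        if (user not in effective(acl, node, perm)
                and user not in effective(acl, node, "traverseperm")):
            return False
    return user in effective(acl, field, perm)

def can_all(acl, user, perms, field):
    return all(can(acl, user, p, field) for p in perms)

RW = ("readperm", "writeperm")
# Constructed sample ACLs, one per case in the lists above.
case1 = {CF: {"readperm": {"u1"}, "writeperm": {"u1"}}}
case2_denied = {**case1, "a.b": {"readperm": {"u2"}, "writeperm": {"u2"}}}
case2_fixed = {**case1,
               "a.b": {"readperm": {"u2"}, "writeperm": {"u2"},
                       "traverseperm": {"u1"}},
               "a.b.c": {"readperm": {"u1"}, "writeperm": {"u1"}}}
case3_read_only = {CF: {"traverseperm": {"u1"}},
                   "a.b.c": {"readperm": {"u1"}}}

if __name__ == "__main__":
    for name, acl in [("case1", case1), ("case2_denied", case2_denied),
                      ("case2_fixed", case2_fixed),
                      ("case3_read_only", case3_read_only)]:
        print(name, {p: can(acl, "u1", p, "a.b.c") for p in RW})
```
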