Enabling Table Authorizations with ACEs

Describes how to set permissions for tables.

Permissions for MapR tables, column families, and columns are defined by Access Control Expressions (ACEs). You can set permissions for tables when you create or edit tables. You can set default permissions for column families when you create or edit tables, and you can override these defaults when you create column families.

For the syntax to use when creating Access Control Expressions, see Syntax of Access Control Expressions.

Note: When a user, group, or role requests to read data from, write data to, or append data to a column, MapR-DB checks whether that user, group, or role has read or write permission for the column family AND read or write permission for the column. By default, columns allow read and write access to all users; in such cases, only the read or write permission for the column family matters.

However, suppose that a table contains columns col1 and col2 in column family cf1, and these columns grant read and write permission only to the table creator. A different user tries to write data to these columns. MapR-DB checks whether this user has write permission on cf1 AND col1 AND col2. If the user does not have all three permissions, MapR-DB returns an error that says access for the write is denied.

If this user were to try to read from the same two columns, MapR-DB would simply not return the data. If the user tried to read from those two columns and additional columns on which he had read permissions, the results would contain the data for those additional columns but exclude the data for col1 and col2.