Permission Types for Fields and Column Families in JSON Tables

By using ACEs, you can grant or deny access to fields and column families that are in JSON tables.

There are three types of permission:
  • Traverse (traverseperm)
  • Read (readperm)
  • Write (writeperm)

The traverse permission allows the grantee to descend a hierarchy of fields to access fields on which the grantee has write or read permission.

For example, suppose that a user has read and write access to only field b below.

To access field b, the user would need to be able to traverse (pass through) field a. In this case, because the entire document is in the default column family, the user could be granted traverse permission on the default column family. Field a would inherit the traverse permission.

If a user was denied traverse permission on the default column family, the user would not be able to access field b. Granting traverse permission on field a in this case would have no effect.

In the example below, field a is part of the cf1 column family.

To be able to read and write at field b, the user could be granted the traverse permission on the column family.

The read permission allows the grantee to read from a field.

This permission extends to fields that are nested below the field on which the permission was granted. However, grantees can be explicitly denied the permission on any of the nested fields.

The write permission allows the grantee to delete a field, insert a value into a field, or overwrite a field value.

As illustrated in the two diagrams below, deleting a field also deletes all fields that are nested within that field, even those fields on which the write permission is explicitly denied.
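
The rules described on this page can be exercised with a small model. This is an added example, not MapR code: the functions, the sample document and the ACLs are constructed for illustration, each ACE is reduced to a grant or deny for a single user, and the model assumes that access is denied when nothing on the path sets the permission.

```python
# Simplified model of the rules described above (added example, not MapR code).
# An ACL maps a field path (tuple of names) to explicit settings per permission:
# True = granted, False = denied. The empty tuple () is the column family.
# Assumption: with no explicit setting anywhere on the path, access is denied.
import copy

def effective(acl, path, perm):
    """Nearest explicit setting on the field or an ancestor, else denied."""
    for depth in range(len(path), -1, -1):
        setting = acl.get(path[:depth], {}).get(perm)
        if setting is not None:
            return setting
    return False

def can_access(acl, path, perm):
    """Traverse is required at every level above the target, column family first."""
    for depth in range(len(path)):
        if not effective(acl, path[:depth], "traverse"):
            return False
    return effective(acl, path, perm)

def delete_field(doc, acl, path):
    """Write on the target is enough; nested fields are removed with it."""
    if not can_access(acl, path, "write"):
        raise PermissionError("write denied on " + ".".join(path))
    parent = doc
    for name in path[:-1]:
        parent = parent[name]
    return parent.pop(path[-1])

# Constructed sample document and ACLs (all fields in one column family).
DOC = {"a": {"b": {"c": 1, "d": 2}}}
B_ONLY = {(): {"traverse": True}, ("a", "b"): {"read": True, "write": True}}
CF_DENIED = {(): {"traverse": False}, ("a",): {"traverse": True},
             ("a", "b"): {"read": True}}
NESTED_DENY = {(): {"traverse": True}, ("a",): {"read": True, "write": True},
               ("a", "b", "d"): {"read": False, "write": False}}

if __name__ == "__main__":
    print("b via inherited traverse:", can_access(B_ONLY, ("a", "b"), "read"))
    print("b with traverse denied on the column family:",
          can_access(CF_DENIED, ("a", "b"), "read"))
    print("read a.b.c / a.b.d:", can_access(NESTED_DENY, ("a", "b", "c"), "read"),
          can_access(NESTED_DENY, ("a", "b", "d"), "read"))
    doc = copy.deepcopy(DOC)
    delete_field(doc, NESTED_DENY, ("a", "b"))
    print("after deleting a.b:", doc)  # d is gone despite its write deny
```

When reviewing an ACL, the last case is the one to check for: a write deny on a nested field does not protect it from a delete issued against any ancestor the same user can write to.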