1.2.18 Access Control Lists

Access control lists (ACLs) govern the operations that users can perform on Exascale vaults and files.

Each Exascale vault or file has an ACL. A vault ACL enables users to perform actions on the vault and on the files that it contains. A file ACL only controls the file that it is associated with.

The following table lists the ACL privileges and the actions that they enable users to perform:

ACL Privilege In a vault ACL, the ACL privilege enables the user to: In a file ACL, the ACL privilege enables the user to:
inspect
  • Create a file in the vault.
  • View attributes of the vault, but not the vault contents.
  • View attributes of the file, but not the file contents.
read
  • View attributes of all files in the vault, but not their contents.
  • Perform all inspect actions.
  • Read the file contents.
  • Perform all inspect actions.
use
  • Read the contents of all files in the vault.
  • Perform all inspect and read actions.
  • Read and write the file contents.
  • Alter attributes of the file.
  • Perform all inspect and read actions.
manage
  • Read and write the contents of any file in the vault.
  • Alter the attributes and ACL for the vault and any file in the vault.
  • Drop the vault and any file in the vault.
  • Perform all inspect, read and use actions.
  • Alter the file ACL.
  • Drop the file.
  • Perform all inspect, read and use actions.

Note that the same ACL privilege enables different actions in a vault ACL or a file ACL. For example, in a file ACL the read privilege enables the user to read the contents of the file. However, to read file contents using a vault ACL requires the use privilege.

Every ACL is a list of user IDs and privilege pairs. Depending on the user creation method, the user ID may be a system-generated value or a user-specified value. For example:

96a68014-5762-4579-86ee-29eb743decbd:manage;scott:use;sue:inspect;dd7c8e35-3c8d-4441-a9b0-f58e959b84ba:read

A user is added to an ACL when they are assigned one of the ACL privileges. A user is removed from an ACL when they are assigned the none privilege. It is possible for a vault or file to have an empty list of user and privilege pairs, which is also known as a null ACL.

ACLs work in conjunction with cluster level privileges. To perform an action on a vault or file, a user requires appropriate ACL privilege or the appropriate cluster level vault privilege (vlt_inspect, vlt_read, vlt_use, or vlt_manage).

Note:

In addition to the appropriate cluster level vault privilege or ACL privilege, starting with Oracle Exadata System Software release 25.2.3 (October 2025):

  • To perform operations that create, modify, or delete Exascale vaults, files, and related resources, a user must also have the rest_vault_client privilege or the cl_admin privilege.

  • To list vault and file-related resources, a user must also have the rest_vault_client, cl_monitor, or cl_operator privilege.

See Vault and File Access Control.

Related Topics

Parent topic: Exascale Components and Concepts