Terminology and components

ACL
An access control list (ACL) is a list of permissions attached to a container or an object. An ACL specifies which accounts are granted access to a given container or object.
AWS credentials
Amazon Web Services (AWS) credentials are security credentials used to verify the user and whether they are authorized to access the resources being requested.
Container
A new massively scalable logical entity that is accessible by users for storage.
Container vault
A vault that hosts containers within an IBM COS system enabled for Container Mode. These vaults are similar to standard vaults in Vault Mode, except that they cannot be accessed directly by users. A container vault contains all the container metadata, such as ACLs and usage information. A container vault also contains the actual objects and indexes. A system can have many container vaults. The container vault that hosts any given container is determined by the region used by the user in the request (the region needs to contain the provisioning code of the desired container vault).
Default container vault
A default container vault is a vault that hosts containers for requests that do not explicitly specify a region (i.e. no provisioning code is provided in the request's region). This is configured as part of the access pool configuration on the Manager UI.
Index
A data structure used to perform efficient ordered listing of objects within a container.
IOP
Input/output operations: read, write, delete, head, and other user requests.
List-Only ACL
Previously known as S3-Compliant ACL. When granted this ACL on a bucket, the user can only list objects. To read objects, the user needs explicit read access on the required objects.
Management vault
A vault that is created by system administrators where access log and statistic files are uploaded periodically. These logs can be retrieved and processed for billing, issue isolation, support, etc.
Metadata
Information about account, credentials, containers and objects that are stored within an IBM COS system. The information could be system generated or user provided.
Read-and-List-ACL
Previously known as Legacy ACL. When granted this ACL on a bucket, the user can read and list objects.
Service role
A Manager user must have this role assigned in order to use the service API and interact with the service API ports on the Accesser.
Service vault
A vault that is created when a system administrator enables Container Mode. The vault contains system-generated data such as container pointers (references), storage account metadata, AWS credentials, and the index for the different types of system data. There can be only a single instance of the service vault on a system in Container Mode.
Storage account
A billable entity on the IBM COS system that has a share of the available resources. AWS credentials are tied to storage accounts. Permissions are enforced for this entity using ACLs.
Usage
Metrics to track resources consumed by storage accounts and containers. This information is logged in the access logs as a separate, usage-specific entry type, so that billing can be supported by parsing and processing the logs.
System administrator
An end user with an IBM COS credential with the Manager Super User or System Administrator role who manages users and vaults using the Manager Web Interface or Manager REST API.
Service administrator
Service admin is used generically to represent an IBM COS credential with the “Service Account” role that can use the Service API to manage account, key, and bucket resources. This user does not have access to user data and is not the same as the end user who owns buckets.
End user
End user is used generically to represent an IBM COS end user or an IBM Cloud service/application that is interacting with COS.