Entitlements (ACL)

Every OSDU record has an ACL that controls who can read and who can write.

Format

"acl": {
    "viewers": [
      "data.office.global.viewer@<DATA_PARTITION>.dataservices.energy"
    ],
    "owners": [
      "data.masterdata.owners@<DATA_PARTITION>.dataservices.energy"
    ]
}

The string after data. describes the data you are giving access to. Work with the Data Owner / Data Office and the OSDU Platform Team to decide on the right groups.

Groups

Viewer groups (read access) — managed by the Data Office
Owner groups (write access) — granted by the Data Owner / Data Office, assigned to Data Producer teams

To view a record, a user must belong to a data viewer group listed in the record's ACL. To edit or delete a record, a user must belong to a data owner group listed in the ACL.

Service access

Three access levels control which ADME APIs a user or service principal can call:

Base — read-only access
Editor — write access
Admin — full administrative access

User access to services is managed via AccessIT; review and approval is done by the Platform team. For service principal access, requests are submitted via ServiceNow.

Service Name	Base	Editor	Admin
`service.dataset.admin`			x
`service.dataset.editors`		x	x
`service.dataset.viewers`	x	x	x
`service.edsdms.user`	x	x	x
`service.entitlements.admin`			x
`service.entitlements.user`	x	x	x
`service.file.admin`			x
`service.file.editors`		x	x
`service.file.viewers`	x	x	x
`service.index-document.admins`			x
`service.index-document.editors`		x	x
`service.index-document.user`		x	x
`service.index-document.viewers`	x	x	x
`service.legal.admin`			x
`service.legal.editor`		x	x
`service.legal.user`	x	x	x
`service.mapping-service.admins`			x
`service.mapping-service.editors`		x	x
`service.mapping-service.viewers`	x	x	x
`service.messaging.user`	x	x	x
`service.plugin.user`	x	x	x
`service.policy.admin`			x
`service.policy.user`	x	x	x
`service.referencedata.editors`		x	x
`service.referencedata.viewers`	x	x	x
`service.reservoir-dms.owners`		x	x
`service.reservoir-dms.viewers`	x	x	x
`service.schema-service.admin`			x
`service.schema-service.editors`		x	x
`service.schema-service.viewers`	x	x	x
`service.search.admin`			x
`service.search.user`	x	x	x
`service.secret.admin`			x
`service.secret.editor`		x	x
`service.secret.viewer`	x	x	x
`service.status-processor.editors`		x	x
`service.status-processor.viewers`	x	x	x
`service.status-publisher.editors`		x	x
`service.status-publisher.viewers`	x	x	x
`service.storage.admin`			x
`service.storage.creator`		x	x
`service.storage.viewer`	x	x	x
`service.workflow.admin`			x
`service.workflow.creator`		x	x
`service.workflow.viewer`	x	x	x

Information deletion

ADME supports two types of delete operations, each using a different API call.

Hard delete

A hard delete permanently removes the specified record and all its versions from the system. This action is irreversible.

Allowed roles: owner of the record, service.storage.admin

Soft delete

A soft delete marks the record as deleted using the record ID, without physically removing it. This action is reversible and the record can be restored later.

Allowed roles: owner of the record, service.storage.creator, service.storage.admin

Privileged access

The following groups grant elevated access across the platform. They are periodically reviewed to ensure they remain up to date and are properly managed. In future, only AZ accounts will have this privileged access.

Service access groups

Group	Description
`users.datalake.admins`	Full administrative access to platform services
`users.datalake.ops`	Operational access to platform services

Data access group

Group	Description
`users.data.root`	Super-owner for all data. Automatically included as a member of every data owner group to ensure no data is left without an owner.

Investigation is ongoing to explore a Privileged Identity Management (PIM) approach for these access groups, to reduce reliance on permanent access.