Skip to main content

Enable S3 Object Lock globally

Contributors netapp-perveilerk netapp-lhalbert netapp-madkat ssantho3

If an S3 tenant account needs to comply with regulatory requirements when saving object data, you must enable S3 Object Lock for your entire StorageGRID system. Enabling the global S3 Object Lock setting allows any S3 tenant user to create and manage buckets and objects with S3 Object Lock.

Before you begin
  • You have the Root access permission.

  • You are signed in to the Grid Manager using a supported web browser.

  • You have reviewed the S3 Object Lock workflow, and you understand the considerations.

  • You have confirmed that the default rule in the active ILM policy is compliant. See Create a default ILM rule for details.

About this task

A grid administrator must enable the global S3 Object Lock setting to allow tenant users to create new buckets that have S3 Object Lock enabled. After this setting is enabled, it can't be disabled.

Note The global Compliance setting is deprecated. If you enabled this setting using a previous version of StorageGRID, the S3 Object Lock setting is enabled automatically. You can continue to use StorageGRID to manage the settings of existing compliant buckets; however, you can't create new compliant buckets. For details, see NetApp Knowledge Base: How to manage legacy Compliant buckets in StorageGRID 11.5.
  1. Select CONFIGURATION > System > S3 Object Lock.

    The S3 Object Lock Settings page appears.

  2. Select Enable S3 Object Lock.

  3. Select Apply.

    A confirmation dialog box appears and reminds you that you can't disable S3 Object Lock after it is enabled.

  4. If you are sure you want to permanently enable S3 Object Lock for your entire system, select OK.

    When you select OK:

    • If the default rule in the active ILM policy is compliant, S3 Object Lock is now enabled for the entire grid and can't be disabled.

    • If the default rule is not compliant, an error appears. You must create and activate a new ILM policy that includes a compliant rule as its default rule. Select OK. Then, create a new proposed policy, simulate it, and activate it. See Create ILM policy for instructions.

After you finish

After you enable the global S3 Object Lock setting, you might want to create a new ILM policy. After the setting is enabled, the ILM policy can optionally include both a compliant default rule and a non-compliant default rule. For example, you might want to use a non-compliant rule that does not have filters for objects in buckets that don't have S3 Object Lock enabled.