# Data Access Controls

Data for a run is split between the **object store** (e.g. S3, GCS) and the **database**.

* **Metadata** (e.g. name, schema) and **aggregate data** (e.g. summary statistics, histograms) are stored in the database.
* **Raw data** is stored in the object store.

All data access is mediated by the API, which enforces access controls. For more details on permissions, see [Users and Permissions](https://docs.dbnl.com/v0.21.x/using-distributional/access/users-and-permissions).

## Database

Database access always goes through the API, which enforces access controls so that users only access data for which they have permission.

## Object Store

Direct object store access is required to upload or download raw run data using the SDK. [Pre-signed URLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html) are used to provide limited direct access. This access is limited in both time and scope, ensuring only data for a specific run is accessible and that it is only accessible for a limited time.

When uploading or downloading data for a run, the SDK first sends a request for a pre-signed upload or download URL to the API. The API enforces access controls, returning an error if the user is missing the necessary permissions. Otherwise, it returns a pre-signed URL which the SDK then uses to upload or download the data.

<figure><img src="https://content.gitbook.com/content/8JzuHWEGbvAoSBN9SPb8/blobs/2gVHsFYKgvUy9y7RGnK4/image.png" alt=""><figcaption><p>Data upload</p></figcaption></figure>

{% hint style="info" %}
Uploading data to a run in a given namespace requires write permission to runs in that namespace. Downloading data from a run in a given namespace requires read permission to runs in that namespace.
{% endhint %}
