I have determined by experimentation that it is possible to change the value of the user.maui.retentionEnd attribute (via the REST API) on an object associated with a policy for which retention is enabled. What I would like to know is whether or not that is possible if the policy is configured to comply with SEC 17a-4(f).
Suppose I have a policy specification for a policy named 'P1' that I have made the default. Suppose also that I have checked the 'Enable Retention' check box and specified a retention period of 5 years. Now suppose I create an object that gets assigned to the default policy. Since retention is enabled and the retention period is 5 years, if I create it on 2014-04-01T00:00:00Z, the user.maui.retentionEnd attribute will be set to 2019-04-01T00:00:00Z (current date plus 5 years); however, I can use the REST API to update this attribute and set it to any arbitrary date to the right or left of the current value. Can I still do this if the policy is configured to comply with SEC 17a-4(f)?
This has been a recent hot topic. First, I'd like to point out that SEC 17a-4(f) is only supported for "compliant" subtenants. That means the subtenant must be created with this feature enabled (a check in the compliance checkbox at the top). There are also "compliant" policies and policy selectors, but it all has to start with the subtenant.
It's also important to note that Atmos policy will set the default retention period for an object on creation and any operations to change the retention are at the individual object level.
In a compliant subtenant, you can extend the retention period, but you cannot shrink it. So if the policy retention is for two months, you can increase it to three months, but you cannot decrease it to one month. You also cannot disable retention for an object.
In a normal (non-compliant) retention policy, you can disable retention using user.maui.retentionEnable=false, but in a compliant subtenant you cannot. Otherwise retention behavior is very similar.
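The rules described in the answer above, modelled as a client-side pre-flight check that can be run over a batch of proposed retention changes before any REST update is sent. This is an added example, not Atmos code and not part of the original posts; the function and field names are hypothetical, and treating an unchanged end date as permitted is an assumption.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp form used in the question


class Decision(NamedTuple):
    allowed: bool
    reason: str


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp such as 2019-04-01T00:00:00Z."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def check_retention_update(compliant_subtenant: bool, current_end: str,
                           new_end: Optional[str] = None,
                           retention_enable: Optional[bool] = None) -> Decision:
    """Hypothetical helper: apply the per-object rules stated in the answer."""
    if compliant_subtenant and retention_enable is False:
        return Decision(False, "retention cannot be disabled in a compliant subtenant")
    if compliant_subtenant and new_end is not None:
        # Assumption: an end date equal to the current one is a no-op and passes.
        if parse_ts(new_end) < parse_ts(current_end):
            return Decision(False, "retention end can be extended but not shortened")
    return Decision(True, "permitted")


def review_changes(compliant_subtenant: bool, changes: list) -> list:
    """Return (object_id, reason) for every proposed change that would be refused."""
    refused = []
    for change in changes:
        decision = check_retention_update(
            compliant_subtenant, change["current_end"],
            change.get("new_end"), change.get("retention_enable"))
        if not decision.allowed:
            refused.append((change["object_id"], decision.reason))
    return refused


# Constructed sample batch, using the dates from the question's scenario.
SAMPLE_CHANGES = [
    {"object_id": "obj-extend", "current_end": "2019-04-01T00:00:00Z",
     "new_end": "2020-04-01T00:00:00Z"},
    {"object_id": "obj-shrink", "current_end": "2019-04-01T00:00:00Z",
     "new_end": "2018-04-01T00:00:00Z"},
    {"object_id": "obj-disable", "current_end": "2019-04-01T00:00:00Z",
     "retention_enable": False},
]
```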