Examples About Permission Control

This section describes common permission authorization scenarios and various combinations of authorization schemes.

Scenario 1: An account can have multiple IAM users. Each user can access only its own bucket.

In this scenario, the buckets owned by an account can be listed only through OBS SDK, OBS Browser, OBS Browser+, or obscmd, not on OBS Console.

  1. Log in to IAM using a tenant that can access OBS, and create an IAM user. After creating an IAM user, add the user to the user group. For details about how to create an IAM user and user group, see Creating an IAM User. Do not grant the OBS permission to the user group.

    After the user is created, record the username. The username is used for authorization.

  2. In IAM, create a credential (AK/SK) for the newly created user.
  3. Log in to OBS Console as a tenant (an IAM user with the permission to access OBS), and create a bucket. You can also use the access keys (AK and SK) of a tenant (or an IAM user with the permission to access OBS) to log in to OBS SDK, OBS Browser, or OBS Browser+ to create a bucket. After the bucket is created, add a policy for the bucket. Do not select any resource for the policy, so that the policy applies to the entire bucket. You can configure bucket-related permissions through the policy, such as bucket configuration, querying bucket logs, versioning management, and lifecycle management.

    The authorized user is the user created in step 1.

    Add a new policy with the action set to * (all operations on the bucket's objects are authorized: objects can be listed, uploaded, downloaded, and deleted).

    If you use the OBS API to configure the bucket policy, see Configuring a Bucket Policy.

  4. Add an external bucket to OBS Browser+. Skip this step if you use SDK to access OBS.

    Open OBS Browser+ and enter the credential created in step 2 for login.

    Then add the bucket created in step 3 to OBS Browser+ as an external bucket.

  5. After the bucket is added successfully, users who have been granted permissions to this bucket (see step 3) can upload objects to and download objects from this bucket through OBS Browser+.

Scenario 2: After registering with the public cloud, a user has only read and write permissions for objects in OBS.

  1. Log in to IAM using a tenant that can access OBS, and create an IAM user. After creating an IAM user, add the user to the user group. For details about how to create an IAM user and user group, see Creating an IAM User. Do not grant the OBS permission to the user group.

    After the user is created, record the user ID. The user ID is used for authorization.

  2. Log in to OBS Console as a tenant (an IAM user with the permission to access OBS), and create a bucket. You can also use the access keys (AK and SK) of a tenant (an IAM user with the permission to access OBS) to log in to OBS SDK, OBS Browser, or OBS Browser+ to create a bucket. After the bucket is created, add a policy. Set the resource to * (all objects in the bucket are authorized: objects can be listed, uploaded, downloaded, and deleted). The authorized user is the user created in step 1.

    If you use the OBS API to configure the bucket policy, see Configuring a Bucket Policy.

  3. Log in to OBS Console using the user created in step 1, enter the bucket, and upload or download objects. Alternatively, you can use OBS SDK to upload and download objects.
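The two scenarios above both come down to one bucket policy per user, attached to that user's bucket only. The following Python is an added example, not code from the OBS documentation or the OBS SDK: it builds such a policy document and evaluates it offline with a simplified model of policy matching. The principal string format (domain/<domain_id>:user/<user_id>), the resource forms (<bucket> and <bucket>/*), the S3-style action names, and the allow/deny semantics are assumptions from my understanding of OBS bucket policies; the domain and user IDs are placeholders.

```python
"""Added example (not from the OBS documentation): build the per-user bucket
policies described in Scenarios 1 and 2 and evaluate them offline.

Assumptions (not stated on the page): the principal format
"domain/<domain_id>:user/<user_id>", the resource forms "<bucket>" and
"<bucket>/*", and the S3-style action names reflect my understanding of OBS
bucket policies; the evaluator below is a simplified model, not the OBS
service's own logic. IDs ending in _PLACEHOLDER / _ID are constructed."""
import fnmatch
import json


def build_bucket_policy(bucket, domain_id, user_id, actions=("*",), sid="PerUserBucketAccess"):
    """Return a bucket policy granting one IAM user the given actions on one bucket.

    Action "*" mirrors the page's Scenario 1 setting; the resource covers both
    the bucket itself and every object in it (the "entire bucket" of Scenario 1
    and the "*" resource of Scenario 2).
    """
    return {
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Principal": {"ID": [f"domain/{domain_id}:user/{user_id}"]},
                "Action": list(actions),
                "Resource": [bucket, f"{bucket}/*"],
            }
        ]
    }


def _matches(value, patterns):
    # Shell-style wildcard matching, case-sensitive ("*" matches across "/").
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, principal, action, resource):
    """Simplified evaluation: an explicit Deny overrides, otherwise any matching
    Allow grants, and no matching statement at all means implicit denial."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(principal, stmt["Principal"]["ID"]):
            continue
        if not _matches(action, stmt["Action"]):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def isolation_check(domain_id="DOMAIN_ID_PLACEHOLDER"):
    """Constructed Scenario 1 setup: two users, each with a policy on its own bucket only.

    Each request is evaluated against the policy of the bucket it targets, since
    a bucket policy is attached to exactly one bucket. Returns a dict mapping
    (user, action, resource) to the decision."""
    policies = {
        "bucket-a": build_bucket_policy("bucket-a", domain_id, "USER_A_ID"),
        "bucket-b": build_bucket_policy("bucket-b", domain_id, "USER_B_ID"),
    }
    user_a = f"domain/{domain_id}:user/USER_A_ID"
    user_b = f"domain/{domain_id}:user/USER_B_ID"
    checks = {
        ("user-a", "PutObject", "bucket-a/report.csv"): (policies["bucket-a"], user_a),
        ("user-a", "GetObject", "bucket-b/report.csv"): (policies["bucket-b"], user_a),
        ("user-b", "DeleteObject", "bucket-a/report.csv"): (policies["bucket-a"], user_b),
        ("user-b", "ListBucket", "bucket-b"): (policies["bucket-b"], user_b),
    }
    return {key: is_allowed(policy, who, key[1], key[2]) for key, (policy, who) in checks.items()}


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy("bucket-a", "DOMAIN_ID_PLACEHOLDER", "USER_A_ID"), indent=2))
    for key, decision in isolation_check().items():
        print(f"{key[0]:7} {key[1]:13} {key[2]:22} -> {'allow' if decision else 'deny'}")
```

The decisions printed for the constructed setup show the point of the scenario: each user is allowed on its own bucket and denied on the other, and an action not listed in the statement is denied even for the intended user. To apply a document produced this way through the OBS Python SDK, my understanding is that it is serialized with json.dumps and passed to the client's setBucketPolicy call; check this against Configuring a Bucket Policy before relying on it.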

Scenario 3: Allow users to display only authorized buckets on the bucket list page.

This scenario can be implemented by users who have enabled enterprise projects and fine-grained permission control.

  1. Log in to IAM using a tenant that can access OBS, and create an IAM user. After creating an IAM user, add the user to the user group. For details about how to create an IAM user and user group, see Creating an IAM User.
  2. Create a user group and add the user to it. On the Enterprise Project page, create an enterprise project and add the user group to it. When configuring the permission control policy, select OBS ReadOnlyAccess, or configure a custom policy with the ListAllMyBucket permission. See the following figure:
  3. Log in to OBS Console and open the page where buckets are listed. You can see only buckets in the enterprise project.

    1. If the enterprise project information of some buckets in the list is displayed as --, the region does not support enterprise project management and fine-grained permission control. When creating a bucket in an enterprise project, ensure that the region supports enterprise project management.
    2. A console page usually requires more than one operation permission. If you have insufficient permissions, information on the page may be incomplete, or the entire page may fail to display. Therefore, do not restrict the GET permissions of a user.

Scenario 4: Use a sub-user to upload and download KMS-encrypted objects.

  1. Log in to IAM using a tenant that can access OBS, and create an IAM user. After creating an IAM user, add the user to the user group. For details about how to create an IAM user and user group, see Creating an IAM User. Select the OBS OperateAccess permission when editing user group permissions. This step grants sub-users the permission to upload and download objects. You can also configure custom policies instead.
  2. Edit the user group permissions to add the KMS Administrator permission. Because KMS is a project-level service, select the region where your bucket is located.