Permissions Management
If you have OBS resources purchased on HUAWEI CLOUD and you need to grant different access permissions to different user roles, you can leverage the Identity and Access Management (IAM) service for fine-grained permission control. IAM provides identity authentication, permissions management, and access control, helping you provide secure access to your cloud resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users, and assign permissions to the users to control their access to specific resources on HUAWEI CLOUD. For example, if you have software developers and you want to grant them the permission to only access OBS but not delete OBS resources, you can create an IAM policy that only grants the developers the permission to access OBS.
If your HUAWEI CLOUD service account does not have individual IAM users, please skip this section.
IAM is offered for free, and you pay only for the billable resources in your account. For more information about IAM, see What Is IAM?
OBS Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
OBS is a global service because it is available for all physical regions. OBS permissions are assigned to users in the Global project, and users do not need to switch the region when accessing OBS.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant OBS users only the permissions for managing a certain type of OBS resources. Most policies define permissions based on APIs. For the API actions supported by OBS, see IAM Policies and Supported Actions.
Due to data caching, a role and policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user, an enterprise project, and user group.
Table 1 lists all system permissions of OBS.
|
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
|
Tenant Administrator |
Users with this permission can perform all operations on all services except IAM. |
System-defined role |
None |
|
Tenant Guest |
Users with this permission can perform read-only operations on all services except IAM. |
System-defined role |
None |
|
OBS Administrator |
Users with this permission are OBS administrators and can perform any operations on all OBS resources under the account. |
System-defined policy |
None |
|
OBS Buckets Viewer |
Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata. |
System-defined role |
None |
|
OBS ReadOnlyAccess |
Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects. |
System-defined policy |
None |
|
OBS OperateAccess |
Users with this permission can perform all OBS ReadOnlyAccess operations and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs. |
System-defined policy |
None |
Table 2 lists the common operations supported by each system-defined policy or role of OBS. Select the policies or roles as required.
|
Operation |
Tenant Administrator |
Tenant Guest |
OBS Administrator |
OBS Buckets Viewer |
OBS ReadOnlyAccess |
OBS OperateAccess |
|---|---|---|---|---|---|---|
|
Listing buckets |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Creating buckets |
Yes |
No |
Yes |
No |
No |
No |
|
Deleting buckets |
Yes |
No |
Yes |
No |
No |
No |
|
Obtaining basic bucket information |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Obtaining monitoring statistics about buckets |
Yes |
Yes |
Yes |
No |
No |
No |
|
Controlling bucket access |
Yes |
No |
Yes |
No |
No |
No |
|
Managing bucket policies |
Yes |
No |
Yes |
No |
No |
No |
|
Modifying bucket storage classes |
Yes |
No |
Yes |
No |
No |
No |
|
Listing objects |
Yes |
Yes |
Yes |
No |
Yes |
Yes |
|
Listing objects with multiple versions |
Yes |
Yes |
Yes |
No |
No |
No |
|
Uploading files |
Yes |
No |
Yes |
No |
No |
Yes |
|
Creating folders |
Yes |
No |
Yes |
No |
No |
Yes |
|
Deleting files |
Yes |
No |
Yes |
No |
No |
Yes |
|
Deleting folders |
Yes |
No |
Yes |
No |
No |
Yes |
|
Downloading files |
Yes |
Yes |
Yes |
No |
No |
Yes |
|
Deleting files with multiple versions |
Yes |
No |
Yes |
No |
No |
Yes |
|
Downloading files with multiple versions |
Yes |
Yes |
Yes |
No |
No |
Yes |
|
Modifying object storage classes |
Yes |
No |
Yes |
No |
No |
No |
|
Restoring files |
Yes |
No |
Yes |
No |
No |
No |
|
Canceling the deletion of files |
Yes |
No |
Yes |
No |
No |
Yes |
|
Deleting fragments |
Yes |
No |
Yes |
No |
No |
Yes |
|
Controlling object access |
Yes |
No |
Yes |
No |
No |
No |
|
Configuring object metadata |
Yes |
No |
Yes |
No |
No |
No |
|
Obtaining object metadata |
Yes |
Yes |
Yes |
No |
No |
Yes |
|
Managing versioning |
Yes |
No |
Yes |
No |
No |
No |
|
Managing logging |
Yes |
No |
Yes |
No |
No |
No |
|
Managing event notifications |
Yes |
No |
Yes |
No |
No |
No |
|
Managing tags |
Yes |
No |
Yes |
No |
No |
No |
|
Managing lifecycle rules |
Yes |
No |
Yes |
No |
No |
No |
|
Managing static website hosting |
Yes |
No |
Yes |
No |
No |
No |
|
Managing CORS rules |
Yes |
No |
Yes |
No |
No |
No |
|
Managing URL validation |
Yes |
No |
Yes |
No |
No |
No |
|
Managing domain names |
Yes |
No |
Yes |
No |
No |
No |
|
Managing cross-region replication |
Yes |
No |
Yes |
No |
No |
No |
|
Managing image processing |
Yes |
No |
Yes |
No |
No |
No |
|
Appending objects |
Yes |
No |
Yes |
No |
No |
Yes |
|
Configuring object ACL |
Yes |
No |
Yes |
No |
No |
No |
|
Configuring the ACL for an object of a specified version |
Yes |
No |
Yes |
No |
No |
No |
|
Obtaining object ACL information |
Yes |
Yes |
Yes |
No |
No |
Yes |
|
Obtaining the ACL information of a specified object version |
Yes |
Yes |
Yes |
No |
No |
Yes |
|
Uploading in the multipart mode |
Yes |
No |
Yes |
No |
No |
Yes |
|
Listing uploaded parts |
Yes |
Yes |
Yes |
No |
No |
Yes |
|
Canceling multipart tasks |
Yes |
No |
Yes |
No |
No |
Yes |
Managing OBS Resource Permissions
Access to OBS buckets and objects can be controlled by IAM user permissions, bucket policies, and ACLs.
For more information, see OBS Permission Control.
Last Article: Billing
Next Article: Related Services
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.