Updated on 2023-09-06 GMT+08:00

Access Management on Department Public Data

An enterprise has a large number of files to archive but does not want to invest effort in operating storage resources. It therefore subscribes to OBS to store the files and expects staff in different departments to have different access permissions, so that data access by staff in different departments is isolated.

The enterprise expects administrators to have full control over the department public data stored in OBS, and common users to have read-only access to that data. Figure 1 shows the logical relationships.

Figure 1 Logical relationship

Solution and Process

In this scenario, you assign permissions through IAM. Add administrators to the admin user group, which has full permissions, and grant the user group containing common users the Tenant Guest role, so that common users access OBS as guests with read-only permission. Note that Tenant Guest is a system role that grants read-only access to all cloud services in the account (except IAM), not only to OBS; if common users should be able to read OBS alone, grant an OBS-specific read-only policy (for example, OBS ReadOnlyAccess) instead. Figure 2 shows the process.

Figure 2 Flowchart of managing access to department public data

Procedure

  1. Create an administrator.

    1. Log in to the Huawei Cloud console using the enterprise account.
    2. On the console homepage, choose Service List > Management & Governance > Identity and Access Management to access the IAM console.
    3. On the IAM console, choose Users in the left navigation pane.
    4. On the Users page, click Create User. On the page that is displayed, enter a username and configure the following parameters:
      • Select Password for Credential Type.
      • Select admin from the drop-down list of User Groups. The admin group is the default user group with full permissions on all cloud services, so any user added to it becomes an administrator.
    5. Click Next. Select Set manually for Password Type.
    6. Enter the email address, mobile number, password, and confirm password.
    7. Click OK.

  2. Create a user group with the read-only permission.

    1. On the IAM console, choose User Groups in the left navigation pane.
    2. Click Create User Group, and enter a user group name and description.
    3. Click OK.

      The user group list is displayed, including the newly created user group.

    4. Locate the newly created user group, and click Configure Permission in the Operation column.
    5. Click Authorize.
    6. Select Global service project as the scope. OBS is a global service, so a role granted only to a region-specific project does not apply to it. In the Permissions area, select Tenant Guest.
    7. Click OK to save the permission for the user group.

  3. Create a common user.

    1. On the IAM console, choose Users in the left navigation pane.
    2. Click Create User. On the page that is displayed, enter a username and configure the following parameters:
      • Select Password for Credential Type.
      • Select the user group created in step 2 for User Groups. Do not also add the common user to the admin group: a user receives the union of the permissions of all groups it belongs to, so membership in admin would override the read-only restriction.
    3. Click Next. Select Set manually for Password Type.
    4. Enter the email address, mobile number, password, and confirm password.
    5. Click OK.

  4. Verify the user permission.

    After the permission is granted, you can verify it using OBS Console, OBS Browser+, APIs, or SDKs. This section takes OBS Console as an example to show how to verify that common users have only read permission on department public data.

    1. Log in to OBS Console as a common user and check whether you have permission to access the OBS page.
      • If a message indicating that you do not have permission to access the page is displayed, the user cannot read the bucket list. Check whether the user group permission is correctly configured.
      • If a bucket list is displayed, the user has permission to read the bucket list. Go to the next step.
    2. Click the bucket to be checked. On the Objects page that is displayed, view the list of objects.
      • If the data cannot be obtained and the message Access denied is displayed, the user has no permission to read data in the bucket. Check whether the user group permission is correctly configured.
      • If the data is displayed, the user has read permission. Go to the next step.
    3. On the Objects page, try to upload an object and to delete an object.
      • If the upload or delete operation succeeds, the user has more than read-only permission. Check whether the user group permission is correctly configured, and whether the user also belongs to a group with write permissions such as admin.
      • If both operations are denied, the read-only permission for common users is correctly configured.
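The same four checks from the verification step can be scripted with the OBS SDK, which is useful when many users or buckets must be verified. The following is an added example, not code from the original procedure or from Huawei Cloud. It assumes an access key (AK/SK) has been created for the common user and that the esdk-obs-python SDK is installed; the bucket name, endpoint and environment variable names are placeholders. StubClient is a constructed stand-in that answers with the status codes OBS would return, so the check logic can be exercised offline.

```python
"""Verify that a common user's credentials are read-only on an OBS bucket.

Added example, not part of the original procedure. Assumes an AK/SK created
for the common user and the esdk-obs-python SDK; bucket name, endpoint and
environment variable names are placeholders.
"""
import os


def build_client(endpoint, access_key, secret_key):
    """Create a real OBS client. Imported lazily so the checks below can
    also run offline against StubClient."""
    from obs import ObsClient  # pip install esdk-obs-python
    return ObsClient(access_key_id=access_key,
                     secret_access_key=secret_key,
                     server=endpoint)


class _Resp:
    def __init__(self, status):
        self.status = status


class StubClient:
    """Constructed stand-in that answers like OBS would for a Tenant Guest
    user (read_only=True) or for an over-privileged user (read_only=False).
    Status codes mirror the real SDK's response.status field."""

    def __init__(self, read_only=True):
        self.read_only = read_only

    def listBuckets(self, **kwargs):
        return _Resp(200)

    def listObjects(self, bucket, **kwargs):
        return _Resp(200)

    def putContent(self, bucket, key, content=None, **kwargs):
        return _Resp(403 if self.read_only else 200)

    def deleteObject(self, bucket, key, **kwargs):
        return _Resp(403 if self.read_only else 204)


def verify_read_only(client, bucket, probe_key="iam-readonly-probe.txt"):
    """Run the procedure's four checks and return their HTTP status codes.

    Reads (list buckets, list objects) must succeed; writes (upload, delete)
    must be refused with 403 AccessDenied. The delete uses the same probe
    key, so if the upload unexpectedly succeeds the probe is cleaned up.
    """
    return {
        "list_buckets": client.listBuckets().status,
        "list_objects": client.listObjects(bucket, max_keys=1).status,
        "upload": client.putContent(bucket, probe_key, content="probe").status,
        "delete": client.deleteObject(bucket, probe_key).status,
    }


def is_read_only(results):
    """True only when every read succeeded and every write got 403."""
    reads_ok = all(200 <= results[k] < 300 for k in ("list_buckets", "list_objects"))
    writes_denied = all(results[k] == 403 for k in ("upload", "delete"))
    return reads_ok and writes_denied


def diagnose(results):
    """Map the result to the same conclusions the console procedure draws."""
    if not 200 <= results["list_buckets"] < 300:
        return "cannot list buckets: check the user group permission"
    if not 200 <= results["list_objects"] < 300:
        return "cannot read objects: check the user group permission"
    if results["upload"] != 403 or results["delete"] != 403:
        return "writes allowed: user has more than read-only permission"
    return "read-only permission correctly configured"


if __name__ == "__main__":
    # With OBS_AK/OBS_SK/OBS_ENDPOINT set (placeholder names), run against
    # the real bucket; otherwise exercise the offline stub.
    if os.environ.get("OBS_AK"):
        client = build_client(os.environ["OBS_ENDPOINT"],
                              os.environ["OBS_AK"], os.environ["OBS_SK"])
    else:
        client = StubClient(read_only=True)
    res = verify_read_only(client, os.environ.get("OBS_BUCKET", "dept-public-data"))
    print(res, "->", diagnose(res))
```

Run it with the common user's AK/SK to confirm that both list calls return 2xx and both write calls return 403. Any other status on the write calls (for example 404 on a mistyped bucket name) is reported as a failure rather than silently treated as "denied", because only an explicit AccessDenied proves the IAM restriction is in effect.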