Updated on 2024-03-15 GMT+08:00

Data Sharing Among Departments/Projects

An enterprise has data that needs to be shared among different departments or projects. To reduce the risks of mistaken deletion and tampering of shared data, the data can only be downloaded but not modified or deleted by users of other departments.

In this scenario, department A shares data in the bucket example-bucket to department B, allowing users of department B to download the data. This case describes how to leverage the least privilege principle to control access permissions for the shared data. Figure 1 shows the logical relationships among administrators, users, and buckets for data sharing between the two departments in this scenario.

Figure 1 Logical relationship

Solution and Process

In this scenario, the administrator of department A can use bucket policies to implement permission control, so that users of department B can only download but not modify or delete the shared data. Figure 2 illustrates the bucket policy configuration process.

Figure 2 Configuration process of permission control for data sharing

Prerequisites

Administrators and common users of departments A and B have been created on IAM. For details, see Creating an IAM User.

The administrator of department A needs to perform operations such as creating buckets and configuring bucket policies. Therefore, when creating an administrator, the user group to which the administrator belongs must be granted at least the OBS Administrator permissions of OBS.

Procedure

  1. Create a bucket.

    1. Log in to the Huawei Cloud console as the administrator of department A.
    2. On the homepage, choose Service List > Storage > Object Storage Service to access OBS Console.
    3. Click Create Bucket in the upper right corner.
    4. Configure relevant parameters, including Region, Bucket Name, Default Storage Class, and Bucket Policy. For details, see Creating a Bucket.

      To ensure data security, you are advised to set Bucket Policy to Private.

    5. Click Create Now. The bucket is created.

  2. Grant upload permissions to users in department A.

    If the user group where the users of department A belong has been assigned Tenant Administrator, OBS Administrator, or OBS OperateAccess, skip this step and go to Step 3. If such permission is not assigned to this user group or OBS Buckets Viewer, OBS ReadOnlyAccess, or Tenant Guest is assigned to the user group, perform the following steps to grant upload permissions to users of department A.
    1. On OBS Console, click the name of the bucket where the shared data is stored to go to the Objects page.
    2. In the navigation pane, choose Permissions > Bucket Policies.
    3. Click Create.
    4. Choose a policy configuration method you like. Visual Editor is used here.
    5. Configure parameters listed in the table below to grant users of department A the permissions to access the bucket (to list objects in the bucket) and to upload objects to the bucket.
      Table 1 Parameters for granting permissions to access buckets and upload objects

      Parameter

      Description

      Policy Name

      Enter a policy name.

      Policy content

      Effect

      Select Allow.

      Principals

      • Select Current account.
      • IAM users: Select the users who are allowed to upload data.

      Resources

      • Method 1:
        • Select Entire bucket (including the objects in it).
      • Method 2:
        • Select Current bucket and Specified objects.
        • Set the resource path to * to indicate all objects in the bucket.
          NOTE:

          If you want users only to upload objects to certain folders in the bucket, set the resource path to a folder name plus a wildcard character (for example, example-folder/*). You can add multiple resource paths.

      Actions

      • Choose Customize.
      • Select the following actions:
        • ListBucket (to list objects in the bucket and obtain the bucket metadata)
        • PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)
    6. Click Create.

  3. Grant download permissions to users in department B.

    If the user group where the users of department B belong has been assigned Tenant Administrator, OBS Administrator, OBS OperateAccess, or Tenant Guest, skip this step and go to Step 4. If such permission is not assigned to this user group or OBS ReadOnlyAccess or Tenant Guest is assigned to the user group, perform the following steps to grant download permissions to users of department B.
    1. On OBS Console, click the name of the bucket where the shared data is stored to go to the Objects page.
    2. In the navigation pane, choose Permissions > Bucket Policies.
    3. Click Create.
    4. Choose a policy configuration method you like. Visual Editor is used here.
    5. Configure parameters listed in the table below to grant users of department B the permissions to download objects from the bucket.
      Table 2 Parameters for granting permissions to download objects from the bucket

      Parameter

      Description

      Policy Name

      Enter a policy name.

      Policy content

      Effect

      Select Allow.

      Principals

      • Select Current account.
      • IAM users: Select the users who are allowed to download data.

      Resources

      • Method 1:
        • Select Entire bucket (including the objects in it).
      • Method 2:
        • Select Current bucket and Specified objects.
        • Set the resource path to * to indicate all objects in the bucket.
          NOTE:

          If you want the users of department B only to download a set of objects from the bucket, set the resource path to a folder name (for example, example-folder/, indicating the objects in this folder) or an object set with * (for example, *.doc, indicating all objects whose name ends with .doc). You can add multiple resource paths.

      Actions

      • Choose Customize.
      • Select the following actions:
        • ListBucket (to list objects in the bucket and obtain the bucket metadata)
        • GetObject (to obtain the object content and metadata)
        • GetObjectVersion (to obtain the content and metadata of a specified object version)
    6. Click Create.

  4. Prevent users of department B from writing or deleting the shared data.

    1. On OBS Console, click the name of the bucket where the shared data is stored to go to the Objects page.
    2. In the navigation pane, choose Permissions > Bucket Policies.
    3. Click Create.
    4. Choose a policy configuration method you like. Visual Editor is used here.
    5. Configure parameters listed in the table below to prevent users of department B from writing or deleting the shared data.
      Table 3 Parameters for preventing users from writing or deleting data

      Parameter

      Description

      Policy Name

      Enter a policy name.

      Policy content

      Effect

      Select Deny.

      Principals

      • Select Current account.
      • IAM users: Select the users who are not allowed to write or delete data.

      Resources

      • Method 1:
        • Select Entire bucket (including the objects in it).
      • Method 2:
        • Select Current bucket and Specified objects.
        • Set the resource path to * to indicate all objects in the bucket.
          NOTE:

          If you do not want the users of department B to write or delete a set of objects from the bucket, set the resource path to a folder name (for example, example-folder/, indicating the objects in this folder) or an object set with * (for example, *.doc, indicating all objects whose name ends with .doc). You can add multiple resource paths.

      Actions

      • Choose Customize.
      • Select the following actions:
        • PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)
        • PutObjectAcl (to configure the object ACL)
        • PutObjectVersionAcl (to configure the ACL for a specific object version)
        • DeleteObject (to delete objects)
        • DeleteObjectVersion (to delete a specified object version)
        • AbortMultipartUpload (to abort multipart uploads)
    6. Click Create.

  5. Upload data.

    Users in department A can upload data through OBS Console, OBS Browser+, APIs, and SDKs. This section takes the operations on OBS Console as an example to describe how to upload data.
    1. Log in to OBS Console as a user of department A.
    2. In the bucket list, click the name of the bucket that stores the shared data.
    3. In the navigation pane on the left, click Objects and then Upload Object.
    4. In the displayed Upload Object dialog box, select the upload mode, storage class, and data to be uploaded.
    5. Click Upload.

      You can click Task Management in the lower part of the page to view the upload progress and result.

  6. Verify the permission.

    After the permission is granted, users in department B can verify it using OBS Console, OBS Browser+, APIs, and SDKs. This section takes OBS Console as an example to present how to verify that users of department B can only read the shared data.
    1. Log in to OBS Console as an IAM user of department B.
    2. In the bucket list, click the name of the target bucket.
    3. In the left navigation pane, click Objects. The object list is displayed.
    4. Click Download in the row where a public data record is located.
      • If the download fails, the download permission fails to be granted. Check whether the user group permission configuration is correct.
      • If the download is successful, the download permission is granted successfully. Go to the next step.
    5. Click Upload Object, select a file, and click Upload.
      • If the upload is successful, the permission configuration for preventing write and deletion by users of other departments fails. Check whether the bucket policy is correctly configured.
      • If the upload fails, the permission configuration is successful. Go to the next step.
    6. Click Delete in the row where a public data record is located.
      • If the deletion is successful, the permission configuration for preventing write and deletion by users of other departments fails. Check whether the bucket policy is correctly configured.
      • If the deletion fails, the permission configuration is successful.