Help Center/ Object Storage Service/ Permissions Configuration Guide/ Best Practices for Enterprise Data Access Control/ Authorizing Business Departments with Independent Resource Permissions
Updated on 2024-03-15 GMT+08:00

Authorizing Business Departments with Independent Resource Permissions

A company usually consists of multiple business departments, and each department requires independent data management. In this scenario, you can allocate IAM users of different roles to each department, and configure bucket policies to authorize the IAM users with independent resource permissions.

Scenario Assumption

Assume that a company has two business departments: A and B. Each department needs a separate bucket to store data, and users of each department have the permission to upload data to their own department's bucket.

Figure 1 shows the logical relationships among administrators, users, and buckets between the two departments.

Figure 1 Logical relationship

This example describes how to configure the upload permission for users of a department. You can configure other permissions based on the site requirements. For details about bucket policy permissions, see Bucket Policy.

Solution and Process

The administrators of department A and department B can configure bucket policies to allow only users of their own department to upload data to their own department's bucket. For details about the configuration process, see Figure 2.

Figure 2 Permission control process

Prerequisites

You have an enterprise account of the company.

Procedure

  1. Create an administrator for each department and create users.

    You need to use the enterprise account of the company to create IAM users as administrators and common users. A department administrator can also create common users. In this example, each department has an administrator and several users.

    Add the administrator to the admin user group, which has the permissions to create users and buckets and configure bucket policies. Other users only need the permission to list buckets under the account but not permissions to create users or buckets or configure bucket policies. Therefore, add other users to user groups with the OBS Buckets Viewer permissions. For details about permissions, see Permissions Management.

    1. Create a department administrator and some IAM users. For details, see Creating an IAM User.
    2. Add the administrator to the admin user group, and add other users to user groups with the OBS Buckets Viewer permissions. For details, see Assigning Permissions to an IAM User.

  2. Create a bucket.

    Create buckets as the administrator of department A and B, respectively.

    1. Log in to the Huawei Cloud management console as the administrator of department A and B, respectively.
    2. On the homepage, choose Service List > Storage > Object Storage Service to access OBS Console.
    3. In the navigation pane, choose Object Storage. On the displayed page, click Create Bucket in the upper right corner.
    4. Configure relevant parameters, including Region, Bucket Name, Default Storage Class, and Bucket Policy. For details, see Creating a Bucket.

      To ensure data security, you are advised to set Bucket Policy to Private.

    5. Click Create Now. The bucket is created.

  3. Grant upload permissions to users in department A and department B.

    The two administrators grant the upload permission to their own users.

    1. Log in to the Huawei Cloud management console as the administrator of department A and B, respectively.
    2. On the homepage, choose Service List > Storage > Object Storage Service to access OBS Console.
    3. In the navigation pane, choose Object Storage. In the bucket list, click the department's bucket to go to the Objects page.
    4. In the navigation pane, choose Permissions > Bucket Policies.
    5. Click Create.
    6. Choose a policy configuration method you like. Visual Editor is used here.
    7. Configure parameters listed in the table below to grant users the permissions to access the bucket (to list objects in the bucket) and to upload objects to the bucket.
      Table 1 Parameters for granting permissions to access buckets and upload objects

      Parameter

      Description

      Policy Name

      Enter a policy name.

      Policy content

      Effect

      Select Allow.

      Principals

      • Select Current account.
      • IAM users: Select the users who are allowed to upload data.

      Resources

      • Method 1:
        • Select Entire bucket (including the objects in it).
      • Method 2:
        • Select Current bucket and Specified objects.
        • Set the resource path to * to indicate all objects in the bucket.
          NOTE:

          If you want users only to upload objects to certain folders in the bucket, set the resource path to a folder name plus a wildcard character (for example, example-folder/*). You can add multiple resource paths.

      Actions

      • Choose Customize.
      • Select the following actions:
        • ListBucket (to list objects in the bucket and obtain the bucket metadata)
        • PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)
    8. Click Create.

  4. Verify the permission.

    After the permission is configured, users of department A and department B can verify the permissions by uploading objects through OBS Console, OBS Browser+, APIs, and SDKs.

    The permission verification should focus on the following aspects (taking department A for an example):

    1. Users of department A can successfully upload objects to the bucket of department A.

      If users are allowed to upload objects to only the specified folder, ensure that:

      1. Objects can be successfully uploaded to the specified folder.
      2. Upload of objects to folders other than the specified one will fail.
    2. Users of department A fail to upload objects to the bucket of department B.
    3. Users of department A fail to download or delete any object from the bucket of department A.
    4. Users of department A fail to download or delete any object from the bucket of department B.

    If the preceding requirements are met, the permission configuration is successful.

Department Administrator Permission Control

After the preceding configuration, all department administrators have full permissions for buckets of other departments. If you want to deny other department administrators' access to bucket resources of your department, configure a bucket policy according to the following procedure:

  1. Log in to the Huawei Cloud management console as the administrator of your department.
  2. On the homepage, choose Service List > Storage > Object Storage Service to access OBS Console.
  3. In the navigation pane, choose Object Storage. In the bucket list, click the department's bucket to go to the Objects page.
  4. In the navigation pane, choose Permissions > Bucket Policies.
  5. Click Create.
  6. Choose a policy configuration method you like. Visual Editor is used here.
  7. Configure parameters listed in the table below to deny other department administrators' access to the bucket of your department.

    Table 2 Parameters for denying other department administrators' access to the bucket of the current department

    Parameter

    Description

    Policy Name

    Enter a policy name.

    Policy content

    Effect

    Select Deny.

    Principals

    • Select Current account.
    • IAM users: Select the administrators of other departments.

    Resources

    • Method 1:
      • Select Entire bucket (including the objects in it).
    • Method 2:
      • Select Current bucket and Specified objects.
      • Set the resource path to * to indicate all objects in the bucket.

    Actions

    • Choose Customize.
    • Select * (indicating all actions).

  8. Click Create.