Permissions Management

You can use Identity and Access Management (IAM) to manage OBS permissions and control access to your resources. IAM provides identity authentication, permissions management, and access control.

You can create IAM users for your employees, and assign permissions to these users on a principle of least privilege (PoLP) basis to control their access to specific resource types. For example, you can create IAM users for software developers and assign specific permissions to allow them to use OBS resources but prevent them from being able to delete resources or perform any high-risk operations.

If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.

IAM is a free service. You only pay for the resources in your account. For more information about IAM, see What Is IAM?

OBS Permissions

By default, new IAM users do not have any permissions assigned. You can assign permissions to these users by adding them to one or more groups and attaching policies or roles to the groups.

OBS is a global service deployed and accessed without specifying any physical region. OBS permissions are assigned to users in the global project, and users do not need to switch regions when accessing OBS.

You can grant users permissions by using roles or policies.

Roles: A type of coarse-grained authorization mechanism that provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization for secure access control. For example, you can grant OBS users only the permissions for managing a certain type of OBS resources. Most policies define permissions based on APIs. For the API actions supported by OBS, see Permissions and Supported Actions.

Due to data caching, a role and policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user, an enterprise project, and a user group.

Table 1 lists all system permissions of OBS.

**Table 1** OBS system permissions
Role/Policy Name	Description	Type	Dependency
Tenant Administrator	Allows you to perform all operations on all services except IAM.	System-defined role	None
Tenant Guest	Allows you to perform read-only operations on all services except IAM.	System-defined role	None
OBS Administrator	Allows you to perform any operation on all OBS resources under the account.	System-defined policy	None
OBS Buckets Viewer	Allows you to list buckets, and obtain basic bucket information and bucket metadata.	System-defined role	None
OBS ReadOnlyAccess	Allows you to list buckets, obtain basic bucket information and bucket metadata, and list objects (excluding versioned objects). NOTE: If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console.	System-defined policy	None
OBS OperateAccess	Allows you to perform all operations defined in OBS ReadOnlyAccess and to perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs. NOTE: If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console.	System-defined policy	None

Table 2 lists the common operations supported by each system-defined policy or role of OBS. Select the policies or roles as required.

**Table 2** Permissions and the allowed operations on OBS resources
Operation	Tenant Administrator	Tenant Guest	OBS Administrator	OBS Buckets Viewer	OBS ReadOnlyAccess	OBS OperateAccess
Listing buckets	Yes	Yes	Yes	Yes	Yes	Yes
Creating buckets	Yes	No	Yes	No	No	No
Deleting buckets	Yes	No	Yes	No	No	No
Obtaining basic bucket information	Yes	Yes	Yes	Yes	Yes	Yes
Controlling bucket access	Yes	No	Yes	No	No	No
Managing bucket policies	Yes	No	Yes	No	No	No
Modifying bucket storage classes	Yes	No	Yes	No	No	No
Listing objects	Yes	Yes	Yes	No	Yes	Yes
Listing objects with multiple versions	Yes	Yes	Yes	No	No	No
Uploading files	Yes	No	Yes	No	No	Yes
Creating folders	Yes	No	Yes	No	No	Yes
Deleting files	Yes	No	Yes	No	No	Yes
Deleting folders	Yes	No	Yes	No	No	Yes
Downloading files	Yes	Yes	Yes	No	No	Yes
Deleting files with multiple versions	Yes	No	Yes	No	No	Yes
Downloading files with multiple versions	Yes	Yes	Yes	No	No	Yes
Modifying object storage classes	Yes	No	Yes	No	No	No
Restoring files	Yes	No	Yes	No	No	No
Canceling the deletion of files	Yes	No	Yes	No	No	Yes
Deleting fragments	Yes	No	Yes	No	No	Yes
Controlling object access	Yes	No	Yes	No	No	No
Configuring object metadata	Yes	No	Yes	No	No	No
Obtaining object metadata	Yes	Yes	Yes	No	No	Yes
Managing versioning	Yes	No	Yes	No	No	No
Managing logging	Yes	No	Yes	No	No	No
Managing tags	Yes	No	Yes	No	No	No
Managing lifecycle rules	Yes	No	Yes	No	No	No
Managing static website hosting	Yes	No	Yes	No	No	No
Managing CORS rules	Yes	No	Yes	No	No	No
Managing URL validation	Yes	No	Yes	No	No	No
Managing domain names	Yes	No	Yes	No	No	No
Managing cross-region replication	Yes	No	Yes	No	No	No
Managing image processing	Yes	No	Yes	No	No	No
Appending objects	Yes	No	Yes	No	No	Yes
Configuring object ACL	Yes	No	Yes	No	No	No
Configuring the ACL for an object of a specified version	Yes	No	Yes	No	No	No
Obtaining object ACL information	Yes	Yes	Yes	No	No	Yes
Obtaining the ACL information of a specified object version	Yes	Yes	Yes	No	No	Yes
Uploading in the multipart mode	Yes	No	Yes	No	No	Yes
Listing uploaded parts	Yes	Yes	Yes	No	No	Yes
Canceling multipart uploads	Yes	No	Yes	No	No	Yes
Configuring online decompression	Yes	No	No	No	No	No

OBS Resource Permissions Management

Access to OBS buckets and objects can be controlled by IAM user permissions, bucket policies, and ACLs.

For more information, see OBS Permission Control.

Permissions Required for OBS Console Operations

**Table 3** Roles or policies that are required for performing operations on OBS Console
OBS Console Operation	Dependency	Role/Policy Required
Listing existing domain names (required when you configure a user-defined domain name or an acceleration domain name)	Domain Name Service (DNS)	Domains:domains:getDetails
Configuring mirroring back-to-source rules	Object Storage Service (OBS)	Tenant Administrator obs:object:HeadObject and obs:object:PutObject assigned by the IAM agency for OBS to pull data from its origin server kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek:create, kms:dek:crypto, and kms:dek:crypto configured for the agency of OBS when SSE-KMS is enabled for a bucket
Obtaining mirroring back-to-source rules	Object Storage Service (OBS)	Tenant Administrator
Deleting mirroring back-to-source rules	Object Storage Service (OBS)	Tenant Administrator
Configuring online decompression policies	Object Storage Service (OBS)	Tenant Administrator
Obtaining online decompression policies	Object Storage Service (OBS)	Tenant Administrator
Deleting online decompression policies	Object Storage Service (OBS)	Tenant Administrator
Uploading or downloading encrypted objects	Key Management Service (KMS)	kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek:create, kms:dek:crypto, and kms:dek:crypto for uploading or downloading objects encrypted with SSE-KMS