Updated on 2024-04-16 GMT+08:00

Permissions Management

You can use Identity and Access Management (IAM) to manage OBS permissions and control access to your resources. IAM provides identity authentication, permissions management, and access control.

You can create IAM users for your employees, and assign permissions to these users on a principle of least privilege (PoLP) basis to control their access to specific resource types. For example, you can create IAM users for software developers and assign specific permissions to allow them to use OBS resources but prevent them from being able to delete resources or perform any high-risk operations.

If your account does not require individual IAM users for permissions management, skip this section.

OBS Permissions

By default, new IAM users do not have any permissions assigned. You can assign permissions to these users by adding them to one or more groups and attaching policies to the groups. IAM provides preset system policies that define common permissions for different services, such as full control access and read-only. You can directly use these preset policies.

OBS is a global service deployed and accessed without specifying any physical region. OBS permissions are assigned to users in the global project, and users do not need to switch regions when accessing OBS.

You can grant users permissions by using roles or policies.

  • Roles: A type of coarse-grained authorization mechanism that provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization for secure access control. For example, you can grant OBS users only the permissions for managing a certain type of OBS resources. Most policies define permissions based on APIs.

Due to data caching, a role and policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user and a user group.

Table 1 lists all system permissions of OBS.

Table 1 OBS system permissions

Role/Policy Name

Description

Type

Dependency

Tenant Administrator

Allows you to perform all operations on all services except IAM.

System-defined role

None

Tenant Guest

Allows you to perform read-only operations on all services except IAM.

System-defined role

None

OBS Administrator

Allows you to perform any operation on all OBS resources under the account.

System-defined policy

None

OBS ReadOnlyAccess

Allows you to list buckets, obtain basic bucket information and bucket metadata, and list objects (excluding versioned objects).

System-defined policy

None

OBS OperateAccess

Allows you to perform all operations defined in OBS ReadOnlyAccess and to perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.

System-defined policy

None

The following table lists operations that can be performed under each set of OBS permission.

Table 2 Permissions and the allowed operations on OBS resources

Operation

Tenant Administrator

Tenant Guest

OBS Administrator

OBS ReadOnlyAccess

OBS OperateAccess

Listing buckets

Supported

Supported

Supported

Supported

Supported

Creating buckets

Supported

Not supported

Supported

Not supported

Not supported

Deleting buckets

Supported

Not supported

Supported

Not supported

Not supported

Obtaining basic bucket information

Supported

Supported

Supported

Supported

Supported

Controlling bucket access

Supported

Not supported

Supported

Not supported

Not supported

Managing bucket policies

Supported

Not supported

Supported

Not supported

Not supported

Listing objects

Supported

Supported

Supported

Supported

Supported

Listing objects with multiple versions

Supported

Supported

Supported

Not supported

Not supported

Uploading files

Supported

Not supported

Supported

Not supported

Supported

Creating folders

Supported

Not supported

Supported

Not supported

Supported

Deleting objects

Supported

Not supported

Supported

Not supported

Supported

Deleting folders

Supported

Not supported

Supported

Not supported

Supported

Downloading objects

Supported

Supported

Supported

Not supported

Supported

Deleting object versions

Supported

Not supported

Supported

Not supported

Supported

Downloading object versions

Supported

Supported

Supported

Not supported

Supported

Undeleting objects

Supported

Not supported

Supported

Not supported

Supported

Deleting fragments

Supported

Not supported

Supported

Not supported

Supported

Controlling object access

Supported

Not supported

Supported

Not supported

Not supported

Configuring object metadata

Supported

Not supported

Supported

Not supported

Not supported

Obtaining object metadata

Supported

Supported

Supported

Not supported

Supported

Managing versioning

Supported

Not supported

Supported

Not supported

Not supported

Managing logging

Supported

Not supported

Supported

Not supported

Not supported

Managing event notifications

Supported

Not supported

Supported

Not supported

Not supported

Managing lifecycle rules

Supported

Not supported

Supported

Not supported

Not supported

Managing static website hosting

Supported

Not supported

Supported

Not supported

Not supported

Managing CORS rules

Supported

Not supported

Supported

Not supported

Not supported

Managing URL validation

Supported

Not supported

Supported

Not supported

Not supported

Managing domain names

Supported

Not supported

Supported

Not supported

Not supported

Managing cross-region replication

Supported

Not supported

Supported

Not supported

Not supported

Appending data to objects

Supported

Not supported

Supported

Not supported

Supported

Configuring object ACL

Supported

Not supported

Supported

Not supported

Not supported

Configuring the ACL for an object version

Supported

Not supported

Supported

Not supported

Not supported

Obtaining object ACL information

Supported

Supported

Supported

Not supported

Supported

Obtaining the ACL of a specific object version

Supported

Supported

Supported

Not supported

Supported

Initiating a multipart upload

Supported

Not supported

Supported

Not supported

Supported

Listing uploaded parts

Supported

Supported

Supported

Not supported

Supported

Canceling multipart uploads

Supported

Not supported

Supported

Not supported

Supported

OBS Resource Permissions Management

Access to OBS buckets and objects can be controlled by IAM user permissions, bucket policies, and ACLs.

For more information, see Overview.