Updated on 2024-03-15 GMT+08:00

Isolating Bucket Resources Between Business Departments

According to the permission control configured in Authorizing Business Departments with Independent Resource Permissions, users in different departments can only access resources of their own departments. However, they can read all bucket resources under the enterprise account. This section describes how to use OBS Browser+ to isolate bucket resources between business departments by adding external buckets.

Scenario Assumption

Assume that a company has two business departments: A and B. Each department needs a separate bucket to store data, and users of each department can view and upload data to only their own department's bucket.

Figure 1 shows the logical relationships among administrators, users, and buckets between the two departments.

Figure 1 Logical relationship

This example describes how to configure the upload permission for users of a department. You can configure other permissions based on the site requirements. For details about bucket policy permissions, see Bucket Policy.

Solution and Process

This solution relies on the following two points:

  1. Do not grant OBS access permissions to users created by a department administrator.
  2. Configure a bucket policy that allows users of their own department to perform list and upload operations only in their own bucket.

Figure 2 shows the process.

Figure 2 Permission control process

Prerequisites

You have an enterprise account of the company.

Procedure

  1. Create administrators for department A and B, and then create their users.

    You need to use the enterprise account of the company to create IAM users as administrators and common users. A department administrator can also create common users. In this example, each department has an administrator and several users.

    Add the administrator to the admin user group, which has the permissions to create users and buckets and configure bucket policies. In this example, you do not need to log in to the IAM console to grant common users of the department any OBS permissions: their access comes only from the bucket policy configured later. For details about permissions, see Permissions Management.

    1. Create a department administrator and some IAM users. For details, see Creating an IAM User.
    2. Add the administrator to the admin user group. Do not add other users to user groups with OBS access permissions. For details, see Assigning Permissions to an IAM User.

  2. Create a bucket.

    The administrator of department A creates a bucket for department A, and the administrator of department B does the same for department B.

    1. Log in to the Huawei Cloud management console as the administrator of department A, and then repeat the following steps as the administrator of department B.
    2. On the homepage, choose Service List > Storage > Object Storage Service to access OBS Console.
    3. In the navigation pane, choose Object Storage. On the displayed page, click Create Bucket in the upper right corner.
    4. Configure relevant parameters, including Region, Bucket Name, Default Storage Class, and Bucket Policy. For details, see Creating a Bucket.

      To ensure data security, set Bucket Policy to Private and set other parameters as prompted.

    5. Click Create Now. The bucket is created.

  3. Grant users the permission to list and upload objects.

    The two administrators configure the permissions for their own department users in their own bucket separately.

    1. Log in to the Huawei Cloud management console as the administrator of department A, and then repeat the following steps as the administrator of department B.
    2. On the homepage, choose Service List > Storage > Object Storage Service to access OBS Console.
    3. In the navigation pane, choose Object Storage. In the bucket list, click the department's bucket to go to the Objects page.
    4. In the navigation pane, choose Permissions > Bucket Policies.
    5. Click Create.
    6. Choose a policy configuration method you like. Visual Editor is used here.
    7. Configure the parameters listed in the following table to grant users the permissions to list and upload objects.
      Table 1 Parameters for granting permissions to list and upload objects

      Policy Name: Enter a policy name.

      Policy content:

      • Effect: Select Allow.
      • Principals:
        • Select Current account.
        • IAM users: Select the users who are allowed to view the bucket and upload data.
      • Resources:
        • Method 1: Select Entire bucket (including the objects in it).
        • Method 2: Select Current bucket and Specified objects, and set the resource path to * to indicate all objects in the bucket.
          NOTE: If you want users only to upload objects to certain folders in the bucket, set the resource path to a folder name plus a wildcard character (for example, example-folder/*). You can add multiple resource paths.
      • Actions:
        • Choose Customize.
        • Select the following actions:
          • ListBucket (to list objects in the bucket and obtain the bucket metadata)
          • PutObject (to upload objects using PUT and POST, upload parts, initiate multipart uploads, and assemble parts)
    8. Click Create.

  4. Verify the permission.

    After the permission is configured, users of department A and department B can verify the permission through OBS Browser+.

    Users in the two departments have only the permission to access a specified bucket. Therefore, it is normal that these users are prompted that their access is restricted when logging in to OBS Console.

    In this case, add the bucket of your own department to OBS Browser+ as an external bucket, and use it for permission verification and subsequent upload operations.

    To verify the permission on OBS Browser+, perform the following steps:

    1. Download OBS Browser+.
    2. Log in to OBS Browser+ as a department user.

      Due to the preceding permission configuration, it is normal that the system displays a message indicating that the access is restricted after a department user logs in to OBS Browser+.

    3. In the navigation pane on the left, choose External Bucket.
    4. Click Add. The dialog box for adding an external bucket is displayed. Enter the name of the authorized bucket.
      Figure 3 Adding an external bucket
    5. Click OK. The external bucket is displayed in the bucket list.
    6. Upload a file to the bucket and verify the upload permission.

    The permission verification should focus on the following aspects (taking department A as an example):

    1. When users in department A log in to OBS Browser+ for the first time, a message is displayed indicating that the access is restricted and no bucket is displayed.
    2. Users of department A can successfully add the bucket of department A on OBS Browser+.
    3. Users of department A fail to add the bucket of department B.
    4. Users of department A can successfully upload objects to the bucket of department A.

      If users are allowed to upload objects to only the specified folder, ensure that:

      1. Objects can be successfully uploaded to the specified folder.
      2. Upload of objects to folders other than the specified one will fail.
    5. Users of department A fail to download or delete any object in the bucket of department A, because only ListBucket and PutObject were granted.

    If the preceding requirements are met, the permission configuration is successful.
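The following Python model is an added example, not part of this page or of OBS itself. It writes down the two bucket policies that Table 1 produces (department A restricted to example-folder/*, department B granted the entire bucket) and runs the checks from the verification list above against a simplified policy evaluator. The Statement/Effect/Principal.ID/Action/Resource layout is assumed to follow the JSON view of the OBS console; the bucket names, domain ID and user IDs are constructed placeholders, and only a trailing * wildcard is modelled.

```python
"""Model of the department-isolation bucket policies described above.

Added example. The JSON layout (Statement / Effect / Principal.ID / Action /
Resource) is assumed to follow the OBS console's JSON view; bucket names,
domain ID and user IDs are constructed placeholders. Evaluation is a
simplified model: default deny, an Allow statement grants, a Deny statement
overrides, and only a trailing '*' wildcard is recognised.
"""

# Constructed sample identities (placeholders, not real IDs).
DOMAIN = "domain/0123456789abcdef"          # the enterprise account
USER_A1 = f"{DOMAIN}:user/user-a1"          # a common user of department A
USER_B1 = f"{DOMAIN}:user/user-b1"          # a common user of department B

# Policy set by department A's administrator on dept-a-bucket ("Method 2"):
# users of A may list the bucket and upload only under example-folder/.
POLICY_A = {
    "Statement": [
        {
            "Sid": "dept-a-list-and-upload",
            "Effect": "Allow",
            "Principal": {"ID": [USER_A1]},
            "Action": ["ListBucket", "PutObject"],
            "Resource": ["dept-a-bucket", "dept-a-bucket/example-folder/*"],
        }
    ]
}

# Policy set by department B's administrator on dept-b-bucket ("Method 1"):
# the entire bucket including all objects in it.
POLICY_B = {
    "Statement": [
        {
            "Sid": "dept-b-list-and-upload",
            "Effect": "Allow",
            "Principal": {"ID": [USER_B1]},
            "Action": ["ListBucket", "PutObject"],
            "Resource": ["dept-b-bucket", "dept-b-bucket/*"],
        }
    ]
}

BUCKET_POLICIES = {"dept-a-bucket": POLICY_A, "dept-b-bucket": POLICY_B}


def _match_one(pattern, value):
    """Exact match, or prefix match when the pattern ends with '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def _matches(patterns, value):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_match_one(p, value) for p in patterns)


def is_allowed(user, action, resource):
    """Decide whether `user` may perform `action` on `resource`.

    `resource` is "<bucket>" for bucket-level actions such as ListBucket and
    "<bucket>/<key>" for object-level actions. Common users hold no IAM OBS
    permissions (step 1), so only the bucket policy can grant access.
    """
    bucket = resource.split("/", 1)[0]
    policy = BUCKET_POLICIES.get(bucket)
    if policy is None:
        return False          # unknown bucket: nothing grants access
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Principal"]["ID"], user):
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False      # an explicit deny overrides any allow
        allowed = True
    return allowed


def verification_checklist(user, own_bucket, other_bucket):
    """Run the checks from the 'Verify the permission' section for one user
    whose policy restricts uploads to example-folder/ (department A)."""
    key = "example-folder/report.csv"
    return {
        "can_list_own_bucket": is_allowed(user, "ListBucket", own_bucket),
        "cannot_list_other_bucket": not is_allowed(user, "ListBucket", other_bucket),
        "can_upload_to_folder": is_allowed(user, "PutObject", f"{own_bucket}/{key}"),
        "cannot_upload_elsewhere": not is_allowed(user, "PutObject", f"{own_bucket}/other/report.csv"),
        "cannot_download": not is_allowed(user, "GetObject", f"{own_bucket}/{key}"),
        "cannot_delete": not is_allowed(user, "DeleteObject", f"{own_bucket}/{key}"),
    }


if __name__ == "__main__":
    for name, ok in verification_checklist(USER_A1, "dept-a-bucket", "dept-b-bucket").items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Every item of the checklist must come back True for a department A user; the same model shows why step 1 matters, since an IAM-level OBS permission granted to a common user would be evaluated outside the bucket policy and is not represented here at all.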