Actions Supported by Policy-based Authorization

This section describes the actions supported by OBS in policy-based authorization.

Supported Actions

OBS provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

Permissions: statements in a policy that allow or deny certain operations
APIs: REST APIs that can be called by a user who has been granted specific permissions
Actions: specific operations that are allowed or denied in a custom policy
Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.

OBS supports the following actions in custom policies:

Bucket actions (corresponding to OBS bucket operation APIs): the actions for creating, listing, or deleting buckets, listing objects, configuring bucket access permissions and lifecycle rules, and others
Object actions (corresponding to OBS object operation APIs): the actions for uploading, downloading, or deleting objects, configuring object access permissions, and others

Bucket Actions

**Table 1** Bucket actions
Permission	API	Action	IAM Project	Enterprise Project
Listing all buckets	Listing Buckets	obs:bucket:ListAllMyBuckets	Supported	Supported
Creating a bucket	Creating a Bucket	obs:bucket:CreateBucket	Supported	Supported
Listing objects in a bucket	Listing Objects in a Bucket	obs:bucket:ListBucket	Supported	Supported
Listing object versions in a bucket	Listing Objects in a Bucket	obs:bucket:ListBucketVersions	Supported	Supported
Determining whether a bucket exists and obtaining the bucket metadata	Obtaining Bucket Metadata	obs:bucket:HeadBucket	Supported	Supported
Obtaining the bucket location	Obtaining Bucket Location	obs:bucket:GetBucketLocation	Supported	Supported
Deleting a bucket	Deleting Buckets	obs:bucket:DeleteBucket	Supported	Supported
Configuring a bucket policy	Configuring a Bucket Policy	obs:bucket:PutBucketPolicy	Supported	Supported
Obtain the bucket policy configurations	Obtaining Bucket Policy Information	obs:bucket:GetBucketPolicy	Supported	Supported
Deleting a bucket policy	Deleting a Bucket Policy	obs:bucket:DeleteBucketPolicy	Supported	Supported
Configuring the bucket ACL	Configuring a Bucket ACL	obs:bucket:PutBucketAcl	Supported	Supported
Obtaining the bucket ACL information	Obtaining Bucket ACL Information	obs:bucket:GetBucketAcl	Supported	Supported
Configuring logging for a bucket	Configuring Logging for a Bucket	obs:bucket:PutBucketLogging	Supported	Supported
Obtaining the logging configurations of a bucket	Obtaining a Bucket Logging Configuration	obs:bucket:GetBucketLogging	Supported	Supported
Configuring or deleting a lifecycle rule	Configuring Bucket Lifecycle Rules Deleting Lifecycle Rules	obs:bucket:PutLifecycleConfiguration	Supported	Supported
Obtaining the lifecycle rule configurations of a bucket	Obtaining Bucket Lifecycle Configuration	obs:bucket:GetLifecycleConfiguration	Supported	Supported
Configuring versioning for a bucket	Configuring Versioning for a Bucket	obs:bucket:PutBucketVersioning	Supported	Supported
Obtaining the versioning configurations of a bucket	Obtaining Bucket Versioning Status	obs:bucket:GetBucketVersioning	Supported	Supported
Configuring storage class for a bucket	Configuring Storage Class for a Bucket	obs:bucket:PutBucketStoragePolicy	Supported	Supported
Obtaining the storage class of a bucket	Obtaining Bucket Storage Class Information	obs:bucket:GetBucketStoragePolicy	Supported	Supported
Configuring cross-region replication for a bucket	Configuring Cross-Region Replication for a Bucket	obs:bucket:PutReplicationConfiguration	Supported	Supported
Obtaining the cross-region replication configuration of a bucket	Obtaining the Cross-Region Replication Configuration of a Bucket	obs:bucket:GetReplicationConfiguration	Supported	Supported
Deleting the cross-region replication configuration of a bucket	Deleting the Cross-Region Replication Configuration of a Bucket	obs:bucket:DeleteReplicationConfiguration	Supported	Supported
Adding tags to a bucket	Configuring Tags for a Bucket	obs:bucket:PutBucketTagging	Supported	Supported
Obtaining bucket tags	Obtaining Bucket Tags	obs:bucket:GetBucketTagging	Supported	Supported
Deleting bucket tags	Deleting Tags	obs:bucket:DeleteBucketTagging	Supported	Supported
Limiting storage capacity for a bucket	Configuring Bucket Storage Quota	obs:bucket:PutBucketQuota	Supported	Supported
Querying the storage capacity limit of a bucket	Querying Bucket Storage Quota	obs:bucket:GetBucketQuota	Supported	Supported
Querying the used capacity of a bucket	Obtaining Storage Information of a Bucket	obs:bucket:GetBucketStorage	Supported	Supported
Configuring inventories for a bucket	Configuring Bucket Inventories	obs:bucket:PutBucketInventoryConfiguration	Supported	Supported
Obtaining a specific inventory or listing all inventories of a bucket	Obtaining a Specific Inventory of a Bucket Listing All Inventories of a Bucket	obs:bucket:GetBucketInventoryConfiguration	Supported	Supported
Deleting bucket inventories	Deleting Bucket Inventories	obs:bucket:DeleteBucketInventoryConfiguration	Supported	Supported
Configuring a user-defined domain name for a bucket	Configuring a Custom Domain Name for a Bucket	obs:bucket:PutBucketCustomDomainConfiguration	Supported	Supported
Obtaining the user-defined domain name of a bucket	Obtaining the Custom Domain Name of a Bucket	obs:bucket:GetBucketCustomDomainConfiguration	Supported	Supported
Deleting the user-defined domain name of a bucket	Deleting the Custom Domain Name of a Bucket	obs:bucket:DeleteBucketCustomDomainConfiguration	Supported	Supported
Configuring or deleting encryption for a bucket	Configuring Bucket Encryption Deleting the Encryption Configuration of a Bucket	obs:bucket:PutEncryptionConfiguration	Supported	Supported
Obtaining the encryption configurations of a bucket	Obtaining Bucket Encryption Configuration	obs:bucket:GetEncryptionConfiguration	Supported	Supported
Configuring direct reading for Archive objects in a bucket	Configuring Direct Reading for Archive Objects in a Bucket	obs:bucket:PutDirectColdAccessConfiguration	Supported	Supported
Obtaining the direct reading policy of Archive objects in a bucket	Obtaining the Direct Reading Policy of Archive Objects in a Bucket	obs:bucket:GetDirectColdAccessConfiguration	Supported	Supported
Deleting the direct reading policy of Archive objects in a bucket	Deleting the Direct Reading Policy of Archive Objects in a Bucket	obs:bucket:DeleteDirectColdAccessConfiguration	Supported	Supported
Configuring static website hosting for a bucket	Configuring Static Website Hosting for a Bucket	obs:bucket:PutBucketWebsite	Supported	Supported
Obtaining the static website hosting configurations of a bucket	Obtaining the Static Website Hosting Configuration of a Bucket	obs:bucket:GetBucketWebsite	Supported	Supported
Deleting the static website hosting configurations of a bucket	Deleting the Static Website Hosting Configuration of a Bucket	obs:bucket:DeleteBucketWebsite	Supported	Supported
Configuring or deleting CORS rules for a bucket	Configuring Bucket CORS Deleting the CORS Configuration of a Bucket	obs:bucket:PutBucketCORS	Supported	Supported
Obtaining the CORS configurations of a bucket	Obtaining the CORS Configuration of a Bucket	obs:bucket:GetBucketCORS	Supported	Supported
Deleting an online decompression policy	Deleting an Online Decompression Policy	obs:notificationPolicy:DeleteDecompressRules	Supported	Supported
Configuring a default WORM policy for a bucket	Configuring a Default WORM Policy for a Bucket	obs:bucket:PutBucketObjectLockConfiguration	Supported	Supported
Obtaining the default WORM policy of a bucket	Obtaining the Default WORM Policy of a Bucket	obs:bucket:GetBucketObjectLockConfiguration	Supported	Supported
Configuring public access block for a bucket	Configuring Public Access Block for a Bucket	obs:bucket:PutBucketPublicAccessBlock	Supported	Supported
Obtaining the public access block configuration of a bucket	Obtaining the Public Access Block Configuration of a Bucket	obs:bucket:GetBucketPublicAccessBlock	Supported	Supported
Deleting the public access block configuration of a bucket	Deleting the Public Access Block Configuration of a Bucket	obs:bucket:DeleteBucketPublicAccessBlock	Supported	Supported
Obtaining the public access status of a bucket	Obtaining the Public Access Status of a Bucket	obs:bucket:GetBucketPublicStatus	Supported	Supported
Obtaining the public access status of a bucket policy	Obtaining the Public Access Status of a Bucket Policy	obs:bucket:GetBucketPolicyPublicStatus	Supported	Supported
Listing initiated multipart uploads in a bucket	Listing Initiated Multipart Uploads in a Bucket	obs:bucket:ListBucketMultipartUploads	Supported	Supported

Object Actions

**Table 2** Object actions
Permission	API	Action	IAM Project	Enterprise Project
Uploading objects using PUT or POST, copying objects, appending objects, modifying objects, truncating objects, renaming objects, initiating multipart uploads, uploading parts, copying parts, and assembling parts	Uploading an Object with PUT Uploading an Object with POST Copying an Object Appending an Object Initiating a Multipart Upload Uploading Parts Completing a Multipart Upload Modifying an Object Truncating an Object Renaming an Object	obs:object:PutObject	Supported	Supported
Obtaining the content and metadata of an object	Downloading an Object Obtaining Object Metadata	obs:object:GetObject	Supported	Supported
Obtaining the content and metadata of a specific object version	Downloading an Object Obtaining Object Metadata	obs:object:GetObjectVersion	Supported	Supported
Deleting a single object or a batch of objects	Deleting an Object Batch Deleting Objects	obs:object:DeleteObject	Supported	Supported
Deleting a single object version or a batch of object versions	Deleting an Object Batch Deleting Objects	obs:object:DeleteObjectVersion	Supported	Supported
Restoring Archive objects	Restoring Archive or Deep Archive Objects	obs:object:RestoreObject	Supported	Supported
Configuring the object ACL	Configuring an Object ACL	obs:object:PutObjectAcl	Supported	Supported
Configuring the ACL for a specific object version	Configuring an Object ACL	obs:object:PutObjectVersionAcl	Supported	Supported
Obtaining the object ACL information	Obtaining Object ACL Configuration	obs:object:GetObjectAcl	Supported	Supported
Obtaining the ACL information of a specific object version	Obtaining Object ACL Configuration	obs:object:GetObjectVersionAcl	Supported	Supported
Modifying object metadata	Modifying Object Metadata	obs:object:ModifyObjectMetaData	Supported	Supported
Listing uploaded parts	Listing Uploaded Parts that Have Not Been Assembled	obs:object:ListMultipartUploadParts	Supported	Supported
Aborting a multipart upload	Canceling a Multipart Upload Task	obs:object:AbortMultipartUpload	Supported	Supported
Adding object tags	Adding Object Tags	obs:object:PutObjectTagging	Supported	Supported
Obtaining object tags	Obtaining Object Tags	obs:object:GetObjectTagging	Supported	Supported
Deleting object tags	Deleting Object Tags	obs:object:DeleteObjectTagging	Supported	Supported
Configuring WORM retention for an object	Configuring WORM Retention for an Object	obs:object:PutObjectRetention	Supported	Supported
Obtaining the object-level WORM retention configuration	Obtaining Object Metadata	obs:object:GetObjectRetention	Supported	Supported