Permissions Management
You can use Identity and Access Management (IAM) to manage OBS permissions and control access to your resources. IAM provides identity authentication, permissions management, and access control.
You can create IAM users for your employees, and assign permissions to these users on a principle of least privilege (PoLP) basis to control their access to specific resource types. For example, you can create IAM users for software developers and assign specific permissions to allow them to use OBS resources but prevent them from being able to delete resources or perform any high-risk operations.
If your account does not require individual IAM users for permissions management, skip this section.
OBS Permissions
By default, new IAM users do not have any permissions assigned. To assign permissions to these new users, add them to one or more groups, and attach permissions policies to these groups. IAM provides preset system policies that define common permissions for different services, such as full control access and read-only. You can directly use these preset policies.
OBS is a global service deployed and accessed without specifying any physical region. OBS permissions are assigned to users in the global project, and users do not need to switch regions when accessing OBS.
- RBAC policy: An RBAC policy consists of permissions for an entire service. Users in a group with such a policy assigned are granted all the required permissions, including permissions for accessing and managing that service. RBAC policies do not support operation-specific permission control.
- Fine-grained policy: A fine-grained policy consists of API-based permissions for operations on specific resource types. Fine-grained policies, as the name suggests, allow for more fine-grained control than RBAC policies. Users with such fine-grained permissions can only perform specific operations on services.
Due to data caching, an RBAC policy and fine-grained policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user, an enterprise project, and user group.
Table 1 lists all system policies of OBS.
|
Policy |
Description |
Policy Type |
|---|---|---|
|
Tenant Administrator |
Operation permissions: any operation on all cloud resources owned by the account OBS policies are configured under Global service > OBS. |
RBAC policy |
|
Tenant Guest |
Operation permissions: read-only access permission to all cloud resources owned by the account OBS policies are configured under Global service > OBS. |
RBAC policy |
|
OBS Buckets Viewer |
Operation permissions: listing buckets, obtaining basic bucket information, obtaining bucket metadata information, and listing objects OBS policies are configured under Global service > OBS. |
RBAC policy |
|
OBS Viewer |
Operation permissions: listing buckets, obtaining basic bucket information, obtaining bucket metadata information, and listing objects This policy is a system-defined policy of fine-grained authorization. Users with fine-grained authorization can use this policy and can create custom policy template based on this policy. OBS policies are configured under Global service > OBS. |
Fine-grained policy |
|
OBS Operator |
Operation permissions: Users with this permission can perform all OBS Viewer operations and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs. This policy is a system-defined policy of fine-grained authorization. Users with fine-grained authorization can use this policy and can create custom policy template based on this policy. OBS policies are configured under Global service > OBS. |
Fine-grained policy |
The following table lists operations that can be performed under each set of OBS permission.
|
Operation |
Tenant Administrator |
Tenant Guest |
OBS Buckets Viewer |
OBS Viewer |
OBS Operator |
|---|---|---|---|---|---|
|
Listing buckets |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Creating buckets |
Yes |
No |
No |
No |
No |
|
Deleting buckets |
Yes |
No |
No |
No |
No |
|
Obtaining basic bucket information |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Controlling bucket access |
Yes |
No |
No |
No |
No |
|
Managing bucket policies |
Yes |
No |
No |
No |
No |
|
Modifying bucket storage classes |
Yes |
No |
No |
No |
No |
|
Listing objects |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Listing objects with multiple versions |
Yes |
Yes |
No |
No |
No |
|
Uploading files |
Yes |
No |
No |
No |
Yes |
|
Creating folders |
Yes |
No |
No |
No |
Yes |
|
Deleting files |
Yes |
No |
No |
No |
Yes |
|
Deleting folders |
Yes |
No |
No |
No |
Yes |
|
Downloading files |
Yes |
Yes |
No |
No |
Yes |
|
Deleting files with multiple versions |
Yes |
No |
No |
No |
Yes |
|
Downloading files with multiple versions |
Yes |
Yes |
No |
No |
Yes |
|
Modifying object storage classes |
Yes |
No |
No |
No |
No |
|
Restoring files |
Yes |
No |
No |
No |
No |
|
Canceling the deletion of files |
Yes |
No |
No |
No |
Yes |
|
Deleting fragments |
Yes |
No |
No |
No |
Yes |
|
Controlling object access |
Yes |
No |
No |
No |
No |
|
Configuring object metadata |
Yes |
No |
No |
No |
No |
|
Obtaining object metadata |
Yes |
Yes |
No |
No |
Yes |
|
Managing versioning |
Yes |
No |
No |
No |
No |
|
Managing logging |
Yes |
No |
No |
No |
No |
|
Managing event notifications |
Yes |
No |
No |
No |
No |
|
Managing tags |
Yes |
No |
No |
No |
No |
|
Managing lifecycle rules |
Yes |
No |
No |
No |
No |
|
Managing static website hosting |
Yes |
No |
No |
No |
No |
|
Managing CORS rules |
Yes |
No |
No |
No |
No |
|
Managing URL validation |
Yes |
No |
No |
No |
No |
|
Managing domain names |
Yes |
No |
No |
No |
No |
|
Appending objects |
Yes |
No |
No |
No |
Yes |
|
Configuring object ACL |
Yes |
No |
No |
No |
No |
|
Configuring the ACL for an object of a specified version |
Yes |
No |
No |
No |
No |
|
Obtaining object ACL information |
Yes |
Yes |
No |
No |
Yes |
|
Obtaining the ACL information of a specified object version |
Yes |
Yes |
No |
No |
Yes |
|
Uploading in the multipart mode |
Yes |
No |
No |
No |
Yes |
|
Listing uploaded parts |
Yes |
Yes |
No |
No |
Yes |
|
Canceling multipart tasks |
Yes |
No |
No |
No |
Yes |
Managing OBS Resource Permissions
Access to OBS buckets and objects can be controlled by IAM user permissions, bucket policies, and ACLs.
For more information, see Overview.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
