Permissions Management
OBS Resource Permissions Management
Access to OBS buckets and objects can be controlled by IAM user permissions, bucket policies, and ACLs. This section describes how to use IAM to manage permissions.
For more information, see OBS Permission Control.
You can use Identity and Access Management (IAM) to manage OBS permissions and control access to your resources. IAM provides identity authentication, permissions management, and access control.
You can create IAM users for your employees, and assign permissions to these users on a principle of least privilege (PoLP) basis to control their access to specific resource types. For example, you can create IAM users for software developers and assign specific permissions to allow them to use OBS resources but prevent them from being able to delete resources or perform any high-risk operations.
If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see What Is IAM?
OBS Permissions
By default, new IAM users do not have any permissions assigned. You can assign permissions to these users by adding them to one or more groups and attaching policies or roles to the groups.
OBS is a global service deployed and accessed without specifying any physical region. OBS permissions are assigned to users in the global project, and users do not need to switch regions when accessing OBS.
You can grant users permissions by using roles or policies.
- Roles: A type of coarse-grained authorization mechanism that provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization for secure access control. For example, you can grant OBS users only the permissions for managing a certain type of OBS resources. Most policies define permissions based on APIs. For the API actions supported by OBS, see Permissions and Supported Actions.
Due to data caching, a role and policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user, an enterprise project, and a user group.
Table 1 lists all system permissions of OBS.
|
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
|
Tenant Administrator |
Allows you to perform all operations on all services except IAM. |
System-defined role |
None |
|
Tenant Guest |
Allows you to perform read-only operations on all services except IAM. |
System-defined role |
None |
|
OBS Administrator |
Allows you to perform any operation on all OBS resources under the account. |
System-defined policy |
None |
|
OBS Buckets Viewer |
Allows you to list buckets, and obtain basic bucket information and bucket metadata. |
System-defined role |
None |
|
OBS ReadOnlyAccess |
Allows you to list buckets, obtain basic bucket information and bucket metadata, and list objects (excluding versioned objects).
NOTE:
If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console. |
System-defined policy |
None |
|
OBS OperateAccess |
Allows you to perform all operations defined in OBS ReadOnlyAccess and to perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.
NOTE:
If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console. |
System-defined policy |
None |
Table 2 lists the common operations supported by each system-defined policy or role of OBS. Select the policies or roles as required.
|
Operation |
Tenant Administrator |
Tenant Guest |
OBS Administrator |
OBS Buckets Viewer |
OBS ReadOnlyAccess |
OBS OperateAccess |
|---|---|---|---|---|---|---|
|
Listing buckets |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported |
|
Creating buckets |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Deleting buckets |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Obtaining basic bucket information |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported |
|
Controlling bucket access |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing bucket policies |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Changing bucket storage classes |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Listing objects |
Supported |
Supported |
Supported |
Not supported |
Supported |
Supported |
|
Listing objects with multiple versions |
Supported |
Supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Uploading files |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Creating folders |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Deleting objects |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Deleting folders |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Downloading objects |
Supported |
Supported |
Supported |
Not supported |
Not supported |
Supported |
|
Deleting object versions |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Downloading object versions |
Supported |
Supported |
Supported |
Not supported |
Not supported |
Supported |
|
Changing object storage classes |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Restoring objects |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Undeleting objects |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Deleting fragments |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Controlling object access |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Configuring object metadata |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Obtaining object metadata |
Supported |
Supported |
Supported |
Not supported |
Not supported |
Supported |
|
Managing versioning |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing logging |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing tags |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing lifecycle rules |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing static website hosting |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing CORS rules |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing URL validation |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing domain names |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing cross-region replication |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Managing image processing |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Appending data to objects |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Configuring object ACL |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Configuring the ACL for an object version |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Not supported |
|
Obtaining object ACL information |
Supported |
Supported |
Supported |
Not supported |
Not supported |
Supported |
|
Obtaining the ACL of a specific object version |
Supported |
Supported |
Supported |
Not supported |
Not supported |
Supported |
|
Initiating a multipart upload |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Listing uploaded parts |
Supported |
Supported |
Supported |
Not supported |
Not supported |
Supported |
|
Canceling multipart uploads |
Supported |
Not supported |
Supported |
Not supported |
Not supported |
Supported |
|
Configuring online decompression |
Supported |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
Permissions Required for OBS Console Operations
|
OBS Console Operation |
Dependency |
Role/Policy Required |
|---|---|---|
|
Listing existing domain names (required when you configure a user-defined domain name or an acceleration domain name) |
Domains |
Domains:domains:getDetails |
|
Configuring mirroring back-to-source rules |
Object Storage Service (OBS) |
|
|
Obtaining mirroring back-to-source rules |
Object Storage Service (OBS) |
Tenant Administrator |
|
Deleting mirroring back-to-source rules |
Object Storage Service (OBS) |
Tenant Administrator |
|
Configuring online decompression policies |
Object Storage Service (OBS) |
Tenant Administrator |
|
Obtaining online decompression policies |
Object Storage Service (OBS) |
Tenant Administrator |
|
Deleting online decompression policies |
Object Storage Service (OBS) |
Tenant Administrator |
|
Uploading or downloading encrypted objects |
Key Management Service (KMS) |
kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek:create, kms:dek:crypto, and kms:dek:crypto for uploading or downloading objects encrypted with SSE-KMS |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
