• Object Storage Service

  1. Help Center
  2. Object Storage Service
  3. User Guide (S3cmd)
  4. Operation Guide
  5. Object Management
  6. Configuring ACL Permissions for an Object

Configuring ACL Permissions for an Object

OBS provides account-based ACLs, so that permissions to perform operations on objects are controlled. You can configure ACL permissions on your own objects.


The account to be authorized has obtained the domain ID. The authorized account logs in to OBS Console, clicks the username in the upper right corner of the page, and chooses My Credential. On the My Credential page that is displayed, the account obtains the domain ID.


  1. Open the command line tool.
  2. Run the following command to configure object ACL permissions:

    s3cmd setacl --acl-grant=permission:domainid s3://my-bucket/object

    • domainid is the domain ID of the authorized account.
    • my-bucket/object is the object for which you want to configure ACL permissions. object is optional. If you do not specify a value for this parameter, ACL permission configuration takes effect on all objects in this bucket.
    • permission is the access permission for an object. Currently, S3cmd supports the ability to configure the following parameters listed in Table 1. You can configure only one permission at a time. The count of executing the configuration command depends on how many ACL permissions you want to configure for the same user.
    Table 1 Access permissions supported by S3cmd

    Access Permission



    The Read permission to obtain the object content and metadata.


    The Write permission to overwrite, change, and delete an object.


    The ACL View permission. An object owner permanently has this permission.


    The ACL Edit permission. With this permission, the authorized user can modify the ACL permissions on an object.

    An object owner permanently has this permission.


    Users assigned the ACL Edit permission own the Full Control permission. That is to say, these users can modify ACL permissions on an object. Exercise caution when assigning this permission to public users.


    The Full Control permission. A user assigned such a permission possesses all the permissions mentioned above. Only users without any of the permissions mentioned above can be granted the Full Control permission.


    The permission to grant all permissions mentioned above to the authorized users. This parameter is equal to full_control.

    After the command is successfully executed, information similar to the following is displayed at the end of the command output:

    s3://my-bucket/object: ACL updated

  3. (Optional) Run the following command to query the object metadata, to check that permissions are correctly configured:

    s3cmd info s3://my-bucket/object