Permissions Management

You can use Identity and Access Management (IAM) to manage OBS permissions and control access to your resources. IAM provides identity authentication, permissions management, and access control.

You can create IAM users for your employees, and assign permissions to these users on a principle of least privilege (PoLP) basis to control their access to specific resource types. For example, you can create IAM users for software developers and assign specific permissions to allow them to use OBS resources but prevent them from being able to delete resources or perform any high-risk operations.

If your account does not require individual IAM users for permissions management, skip this section.

IAM is offered for free. You pay only for the resources in your account. For more information about IAM, see section "Service Overview" in the Identity and Access Management User Guide.

OBS Permissions

By default, new IAM users do not have any permissions assigned. You can assign permissions to these users by adding them to one or more groups and attaching policies to the groups. IAM provides preset system policies that define common permissions for different services, such as full control access and read-only. You can directly use these preset policies.

OBS is a global service deployed and accessed without specifying any physical region. OBS permissions are assigned to users in the global project, and users do not need to switch regions when accessing OBS.

RBAC policy: An RBAC policy consists of permissions for an entire service. Users in a group with such a policy assigned are granted all the required permissions, including permissions for accessing and managing that service. RBAC policies do not support operation-specific permission control.

Note

Due to data caching, an RBAC policy and fine-grained policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user and a user group.

Table 1 lists all system policies of OBS.

Table 1 OBS system policies

Policy

Description

Policy Type

Tenant Administrator

Allows you to perform any operation on all cloud resources under the account.

OBS policies are configured under Global service > OBS.

RBAC policy

Tenant Guest

Allows you to perform read-only operations on all cloud resources under the account.

OBS policies are configured under Global service > OBS.

RBAC policy

OBS Buckets Viewer

Allows you to list buckets, obtain basic bucket information and bucket metadata, and list objects.

OBS policies are configured under Global service > OBS.

RBAC policy

OBS Viewer

Allows you to list buckets, obtain basic bucket information and bucket metadata, and list objects.

This policy is a system-defined policy of fine-grained authorization. Users with fine-grained authorization can use this policy and can create custom policy template based on this policy.

OBS policies are configured under Global service > OBS.

Fine-grained policy

OBS Operator

Allows you to perform all operations defined in OBS Viewer and to perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.

This policy is a system-defined policy of fine-grained authorization. Users with fine-grained authorization can use this policy and can create custom policy template based on this policy.

OBS policies are configured under Global service > OBS.

Fine-grained policy

The following table lists operations that can be performed under each set of OBS permission.

Table 2 Permissions and the allowed operations on OBS resources

Operation

Tenant Administrator

Tenant Guest

OBS Administrator

OBS Buckets Viewer

OBS ReadOnlyAccess

OBS OperateAccess

Listing buckets

Yes

Yes

Yes

Yes

Yes

Yes

Creating buckets

Yes

No

Yes

No

No

No

Deleting buckets

Yes

No

Yes

No

No

No

Obtaining basic bucket information

Yes

Yes

Yes

Yes

Note

The statistics of used storage space and number of objects cannot be obtained.

Yes

Note

The statistics of used storage space and number of objects cannot be obtained.

Yes

Note

The statistics of used storage space and number of objects cannot be obtained.

Controlling bucket access

Yes

No

Yes

No

No

No

Managing bucket policies

Yes

No

Yes

No

No

No

Modifying bucket storage classes

Yes

No

Yes

No

No

No

Listing objects

Yes

Yes

Yes

Yes

Yes

Yes

Listing objects with multiple versions

Yes

Yes

Yes

No

No

No

Uploading files

Yes

No

Yes

No

No

Yes

Creating folders

Yes

No

Yes

No

No

Yes

Deleting files

Yes

No

Yes

No

No

Yes

Deleting folders

Yes

No

Yes

No

No

Yes

Downloading files

Yes

Yes

Yes

No

No

Yes

Deleting files with multiple versions

Yes

No

Yes

No

No

Yes

Downloading files with multiple versions

Yes

Yes

Yes

No

No

Yes

Modifying object storage classes

Yes

No

Yes

No

No

No

Restoring files

Yes

No

Yes

No

No

No

Canceling the deletion of files

Yes

No

Yes

No

No

Yes

Deleting fragments

Yes

No

Yes

No

No

Yes

Controlling object access

Yes

No

Yes

No

No

No

Configuring object metadata

Yes

No

Yes

No

No

No

Obtaining object metadata

Yes

Yes

Yes

No

No

Yes

Managing versioning

Yes

No

Yes

No

No

No

Managing logging

Yes

No

Yes

No

No

No

Managing event notifications

Yes

No

Yes

No

No

No

Managing tags

Yes

No

Yes

No

No

No

Managing lifecycle rules

Yes

No

Yes

No

No

No

Managing static website hosting

Yes

No

Yes

No

No

No

Managing CORS rules

Yes

No

Yes

No

No

No

Managing URL validation

Yes

No

Yes

No

No

No

Managing domain names

Yes

No

Yes

No

No

No

Managing cross-region replication

Yes

No

Yes

No

No

No

Configuring object ACL

Yes

No

Yes

No

No

No

Configuring the ACL for an object of a specified version

Yes

No

Yes

No

No

No

Obtaining object ACL information

Yes

Yes

Yes

No

No

Yes

Obtaining the ACL information of a specified object version

Yes

Yes

Yes

No

No

Yes

Uploading in the multipart mode

Yes

No

Yes

No

No

Yes

Listing uploaded parts

Yes

Yes

Yes

No

No

Yes

Canceling multipart uploads

Yes

No

Yes

No

No

Yes

Configuring requester-pays

Yes

No

Yes

No

No

No

Obtaining the requester-pays configuration information

Yes

Yes

Yes

No

No

No

Managing OBS Resource Permissions

Access to OBS buckets and objects can be controlled by IAM user permissions, bucket policies, and ACLs.

For more information, see Overview.