IAM policies, bucket policies, and access control lists (ACLs) are available in OBS for access permission control.
IAM policies define the actions that can be performed on your cloud resources. In other words, an IAM policy specifies what actions are allowed or denied.
You can implement an IAM policy according to the following procedure:
An IAM policy with OBS permissions takes effect on all OBS buckets and objects. To grant an IAM user the permission to operate OBS resources, you need to assign one or more OBS permission sets to the user group to which the user belongs.
For details about OBS permissions controlled by IAM policies, see User Permissions.
IAM policies apply to the following scenarios:
A bucket policy is attached to a bucket and the objects in it. With a bucket policy, the bucket owner can grant IAM users or other accounts permissions to operate on the bucket and the objects in it.
Bucket policies apply to the following scenarios:
Bucket and object ACLs are attached to accounts. By default, an ACL is created when a bucket or object is created, granting the owner full control over that bucket or object.
ACLs are read and write control rules attached to accounts; their permission granularity is coarser than that of bucket policies and IAM policies. Generally, it is recommended that you use IAM policies and bucket policies for access control.
The owner of an object is the account that uploads the object, who may not be the owner of the bucket to which the object belongs. For example, account B is granted the permission to access a bucket of account A, and account B uploads a file to the bucket. In that case, account B is the owner of the object instead of the bucket owner, account A.
Based on the least-privilege principle, decisions default to DENY, and an explicit DENY always takes precedence over an ALLOW. For example, if an IAM policy grants access to an object, a bucket policy denies access to that object, and there is no OBS ACL, then access will be denied.
If no method specifies an ALLOW, the request is denied by default. The request is allowed only if no method specifies a DENY and one or more methods specify an ALLOW.
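The decision logic above, as an added worked example (not OBS's own implementation): each method yields Deny, Allow, or no opinion, and the final decision is Deny if any method denies, Allow if any allows with no deny, and the default Deny otherwise. The statement shape, action names, and sample principals and resources here are constructed for illustration, not OBS's real policy JSON.

```python
from fnmatch import fnmatch
from typing import Optional

# Constructed statement shape (not OBS's real policy format):
# {"effect": "Allow"|"Deny", "principal": "*" or account, "action": glob, "resource": glob}

def matches(stmt: dict, principal: str, action: str, resource: str) -> bool:
    return (stmt["principal"] in ("*", principal)
            and fnmatch(action, stmt["action"])
            and fnmatch(resource, stmt["resource"]))

def evaluate_method(statements: list, principal: str, action: str, resource: str) -> Optional[str]:
    """One method's decision: an explicit Deny beats an Allow; no match means no opinion."""
    hits = [s["effect"] for s in statements if matches(s, principal, action, resource)]
    if "Deny" in hits:
        return "Deny"
    if "Allow" in hits:
        return "Allow"
    return None

# ACL grants only ever allow; map the constructed action names onto ACL permissions.
ACL_PERMISSION_FOR_ACTION = {"GetObject": "READ", "PutObject": "WRITE"}

def acl_as_statements(acl_grants: list, resource: str) -> list:
    """Model ACL grants ({"grantee": account, "permission": READ|WRITE|FULL_CONTROL}) as Allow statements."""
    stmts = []
    for grant in acl_grants:
        for action, perm in ACL_PERMISSION_FOR_ACTION.items():
            if grant["permission"] in (perm, "FULL_CONTROL"):
                stmts.append({"effect": "Allow", "principal": grant["grantee"],
                              "action": action, "resource": resource})
    return stmts

def evaluate_request(iam_policy, bucket_policy, acl_grants, principal, action, resource) -> str:
    decisions = [
        evaluate_method(iam_policy, principal, action, resource),
        evaluate_method(bucket_policy, principal, action, resource),
        evaluate_method(acl_as_statements(acl_grants, resource), principal, action, resource),
    ]
    if "Deny" in decisions:
        return "Deny"    # an explicit DENY from any method always wins
    if "Allow" in decisions:
        return "Allow"   # at least one ALLOW and no DENY
    return "Deny"        # nothing matched: default DENY

# Constructed sample reproducing the text's scenario: IAM allows, bucket policy denies, no ACL.
IAM = [{"effect": "Allow", "principal": "user-b", "action": "*", "resource": "bucket-a/*"}]
BUCKET = [{"effect": "Deny", "principal": "*", "action": "GetObject", "resource": "bucket-a/secret.txt"}]

if __name__ == "__main__":
    print(evaluate_request(IAM, BUCKET, [], "user-b", "GetObject", "bucket-a/secret.txt"))  # Deny
```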
Table 1 is a matrix of the IAM policy, bucket policy, and ACL control rules (ALLOW and DENY).