IAM Policy¶
An administrator account can configure permission policies for user groups in IAM. Table 1 lists the default permission policies.
On the console homepage, select Identity and Access Management, and click User Groups in the navigation pane on the left. Locate the user group that you want to authorize permissions. Click Modify under the Operation column. In the User Group Permissions area, find the OBS (S3) project and click Modify to authorize permissions to the user group.
Policy | Description |
|---|---|
Tenant Administrator | Users with this permission can perform any operation on OBS resources. |
Tenant Guest | Users with this permission can query the usage of OBS resources, in other words, this is the read permission to OBS resources. |
OBS Buckets Viewer | A user with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects. |
Table 2 lists the operations that can be performed on OBS resources after a user has the required permissions.
Operation | Tenant Administrator Permission | Tenant Guest Permission | OBS Buckets Viewer Permission |
|---|---|---|---|
Listing buckets | Yes | Yes | Yes |
Creating buckets | Yes | No | No |
Deleting buckets | Yes | No | No |
Obtaining basic bucket information | Yes | Yes | Yes Note The statistics of used storage space and number of objects cannot be obtained. |
Bucket access control | Yes | No | No |
Bucket policies | Yes | No | No |
Modifying bucket storage classes | Yes | No | No |
Listing objects | Yes | Yes | Yes |
Listing objects with multiple versions | Yes | Yes | No |
Uploading files | Yes | No | No |
Creating folders | Yes | No | No |
Deleting files | Yes | No | No |
Deleting folders | Yes | No | No |
Downloading files | Yes | Yes | No |
Deleting files with multiple versions | Yes | No | No |
Downloading files with multiple versions | Yes | Yes | No |
Modifying object storage classes | Yes | No | No |
Restoring files | Yes | No | No |
Canceling the deletion of files | Yes | No | No |
Deleting fragments | Yes | No | No |
Object access control | Yes | No | No |
Configuring object metadata | Yes | No | No |
Managing versioning | Yes | No | No |
Managing logging | Yes | No | No |
Managing event notifications | Yes | No | No |
Managing tags | Yes | No | No |
Managing lifecycle rules | Yes | No | No |
Managing static website hosting | Yes | No | No |
Managing CORS rules | Yes | No | No |
Managing URL validation | Yes | No | No |