You can use ossbrowser to manage user access to specific resources.
Scenarios
Assume that you are an IT administrator of a company and need to grant employees different access permissions on a bucket. You can use ossbrowser to accomplish that purpose. For example, you can grant Employee A temporary access permissions on a directory in the bucket and grant Employee B regular read-only or read/write access to the bucket or a directory in the bucket.
Prerequisites
For data security, we recommend that you use the AccessKey pair of a RAM user to log on to ossbrowser. Make sure that a RAM user is created, is granted the permissions to manage the bucket, and has the AliyunRAMFullAccess policy and the AliyunSTSAssumeRoleAccess policy attached. For more information, see Create a RAM user and Grant permissions to RAM users.
Temporary authorization
To implement temporary authorization, call the AssumeRole operation to assume a role and obtain temporary access credentials (a temporary AccessKey pair and an authorization token). Provide the temporary access credentials to the intended user to grant the user access to the specified resources until the token expires. The token automatically becomes invalid after it expires.
Log on to ossbrowser by using the AccessKey pair of the aforementioned RAM user.
For more information, see Create an AccessKey pair and Install and log on to ossbrowser.
Click the name of the bucket.
Select the directory to which you want to grant temporary access and choose .
Important: Authorization token generation is supported only for directories.
Configure the privilege, validity period, and role, and click Generate.
Note: The role needs at least read-only permissions on this directory.
Click Copy to copy the authorization token.
Provide the authorization token to the user to whom you want to grant temporary access.
Note: The user can use the authorization token to log on to ossbrowser. For more information, see Log on to ossbrowser by using an authorization token.
Long-term authorization
ossbrowser supports long-term authorization based on a simple policy, which is automatically created based on the permissions that you select for a RAM user. After authorization is complete, the RAM user has regular read-only or read/write access to the bucket or a specific directory in the bucket.
The simple policy feature of ossbrowser implements access control based on Alibaba Cloud Resource Access Management (RAM). You can log on to the RAM console from the Alibaba Cloud website to manage your RAM users.
Log on to ossbrowser as the RAM user mentioned in the Prerequisites section.
Click the name of the bucket.
Select one or more objects or directories and choose .
In the Simplify policy authorization dialog box, set the privileges.
Grant permissions to a RAM user. You can select an existing RAM user or create one.
Note: You can click View Policy to view the generated policy text and paste it to the required location. For example, you can copy the policy text and paste it to the applicable policy editor in the OSS console.
Log on to ossbrowser with the AccessKey pair of the RAM user that is granted access to the specified resources to manage the resources.
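The long-term authorization above results in a RAM policy scoped to a bucket or directory, and View Policy lets you inspect its text before you rely on it. The following is an added example, not ossbrowser's own code or its exact generated policy: it builds a directory-scoped policy and audits a policy for grants that exceed the intended scope. The function names, the bucket name examplebucket, and the directory reports are constructed for illustration.

```python
import json

WRITE_ACTIONS = ["oss:PutObject", "oss:DeleteObject", "oss:AbortMultipartUpload"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_directory_policy(bucket, directory, read_write=False):
    """Build a RAM policy limited to one directory (key prefix) of one bucket."""
    prefix = directory.strip("/") + "/"
    return {
        "Version": "1",
        "Statement": [
            {   # Object-level actions, limited to keys under the directory.
                "Effect": "Allow",
                "Action": ["oss:GetObject"] + (WRITE_ACTIONS if read_write else []),
                "Resource": [f"acs:oss:*:*:{bucket}/{prefix}*"],
            },
            {   # Listing is a bucket-level action, so constrain it by prefix.
                "Effect": "Allow",
                "Action": ["oss:ListObjects"],
                "Resource": [f"acs:oss:*:*:{bucket}"],
                "Condition": {"StringLike": {"oss:Prefix": [f"{prefix}*"]}},
            },
        ],
    }

def audit_policy(policy, bucket, directory, allow_write):
    """Return findings where a policy grants more than the intended directory scope."""
    prefix, findings = directory.strip("/") + "/", []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "oss:*"):
                findings.append(f"wildcard action {action}")
            elif action in WRITE_ACTIONS and not allow_write:
                findings.append(f"write action {action} in a read-only grant")
        prefixes = stmt.get("Condition", {}).get("StringLike", {}).get("oss:Prefix", [])
        for resource in _as_list(stmt.get("Resource", [])):
            name = resource.split(":")[-1]
            if name == bucket and f"{prefix}*" not in _as_list(prefixes):
                findings.append(f"bucket-level resource {resource} has no prefix condition")
            elif name != bucket and not name.startswith(f"{bucket}/{prefix}"):
                findings.append(f"resource {resource} is outside {bucket}/{prefix}")
    return findings

if __name__ == "__main__":  # constructed bucket and directory names
    print(json.dumps(build_directory_policy("examplebucket", "reports"), indent=2))
```

Run audit_policy on the text shown by View Policy (parsed with json.loads) before pasting it elsewhere; an empty list means no grant was found beyond the chosen directory and privilege level.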