International
中国站
Console
PrevNext
search by keyword

Recent Pages

Documentation
Cloud Object Storage
    Documentation
    Download PDF

    Cases of Permission Setting

    Last updated: 2020-07-15 11:02:32
    Download PDF

      Granting authorization through bucket policies

      Preparations

      1. Create a bucket.
        Granting authorization through bucket policies only targets specified buckets, so you need to first create a bucket. For authorization on account dimension, please refer to [Granting authorization through access management (CAM)] (#cam) in this document.
      2. Prepare the UIN of the account to be authorized
        This document assumes that the root account that owns the target bucket has a UIN of 100000000001, and that its sub-account has a UIN of 100000000011. The sub-account needs to be authorized to access the destination bucket.
        • To query the sub-accounts created under the main account, log in to the CAM Console and view them under User List.
        • To create a new sub-account, please see Creating a Custom Sub-User.
      3. Open the [Add Policy] dialog box
        Enter the [Permission Management] page of the destination bucket and scroll down to [Permission Policy Settings]. Click [Add Policy], and then configure following the examples outlined in this document. For detailed instructions on how to add policies, see Adding Bucket Policies.

      The following lists several authorization cases, which you can configure according to your actual needs.

      Authorization Cases

      Case 1: Granting a sub-account full permission for a specified directory

      The configuration information is as follows:

      Configuration Item Configuration Value
      Effect Allow
      User Type Sub-Account
      Account ID UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011
      Resource Specified Resource
      Resource Path Specified directory prefix, such as folder/sub-folder/, need to end with /
      Operation Name All Operations

      Case 2: Granting a sub-account read permission for the files in a specified directory

      The configuration information is as follows:

      Configuration Item Configuration Value
      Effect Allow
      User Type Sub-Account
      Account ID UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011
      Resource Specified Resource
      Resource Path Specified directory prefix, such as folder/sub-folder/, need to end with /
      Operation Name Read operation (including list of objects)

      Case 3: Granting a sub-account read and write permission for specified files

      The configuration information is as follows:

      Configuration Item Configuration Value
      Effect Allow
      User Type Sub-Account
      Account ID UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011
      Resource Specified Resource
      Resource Path Specified object key, such as folder/sub-folder/exampleobject
      Operation Name All Operations

      Case 4: Granting a sub-account read and write permission for all files in a specified directory while prohibiting read and write permission for specified files in the directory

      For this case, we need to add two policies: an allow policy and a prohibit policy.

      1. First add the allow policy. The configuration information is as follows:
      Configuration Item Configuration Value
      Effect Allow
      User Type Sub-Account
      Account ID UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011
      Resource Specified Resource
      Resource Path Specified directory prefix, such as folder/sub-folder/, need to end with /
      Operation Name All Operations
      1. Then add the prohibit policy. The configuration information is as follows:
      Configuration Item Configuration Value
      Effect Prohibit
      User Type Sub-Account
      Account ID UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011
      Resource Specified Resource
      Resource path Object keys for which access needs to be prohibited, such as folder/sub-folder/privateobject
      Operation Name All Operations
      1. Granting a sub-account read and write permission for files with specified prefixes
        The configuration information is as follows:
      Configuration Item Configuration Value
      Effect Allow
      User Type Sub-Account
      Account ID UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011
      Resource Specified Resource
      Resource Path Specified prefix, such as `folder/sub-folder/prefix
      Operation Name All Operations

      Granting authorization through access management (CAM)

      If you need to authorize account dimension, please refer to the following documents:

      Was this page helpful?

      Confirm

      Was this page helpful?

      • Not at all
      • Not very helpful
      • Somewhat helpful
      • Very helpful
      • Extremely helpful
      Send Feedback
      Hide
      Submit a TicketContact sales
      Help
      tencent
      Copyright © 2013-2020 Tencent Cloud. All Rights Reserved.
      Privacy PolicyTerms of ServiceCookie Policy