Setting Folder Permissions

Last updated: 2020-03-25 18:11:57

    Overview

    You can set access permissions on folders in the COS Console so that specified users can perform specified operations on the contents of the folders. We recommend following the principle of least privilege when configuring permissions to protect your data assets.

    COS stores objects in a flat structure with no traditional folder concept. To match the way users are used to working, COS treats an object whose key ends with / as a "folder". In fact, a "folder" in COS is an object with a storage capacity of 0 KB.

    The folder permission is essentially an access permission at the object level, which takes precedence over the bucket access permission. COS supports the following two types of object permissions:

    • Public permissions: inherited permission, private read/write, and public read/private write. For more information on public permissions, please see Access Permission Types.
    • User permissions: the root account has all permissions on the object by default (i.e., full access). In COS, sub-accounts can be added and granted data read/write, permission read/write, or full access.

    Directions

    1. Log in to the COS Console and click Bucket List on the left sidebar to enter the bucket list page.
    2. Find the bucket where a folder is located and click the bucket name to enter the bucket management page.
    3. On the "File List" tab, click Set Permission in the "Operation" column to the right of the folder for which to set permission.
    4. You can set folder permissions based on your business needs as detailed below:
      | Permission Type | Configuration Item | Description |
      |---|---|---|
      | Public permissions | Inherited permissions | Same as the bucket permission by default. |
      | | Private read/write | Only the root account can read/write, while non-root accounts (sub-accounts, other users' root accounts, or anonymous users) cannot access this folder. |
      | | Public read/private write | The root account can read/write, while non-root accounts (sub-accounts, other users' root accounts, or anonymous users) can only read the contents of the folder but not write new data into it. |
      | | Public read/write | Both the root account and non-root accounts (sub-accounts, other users' root accounts, or anonymous users) can read/write. |
      | User permissions | User type | A root account refers to the root account ID of other user accounts, while a sub-account refers to the sub-account under the currently used root account. If you want sub-accounts under another root account to have access permissions, you must grant access permissions to that root account first, so that it can grant access permissions to its own sub-accounts. |
      | | Data read | Permission to read data. |
      | | Data write | Permission to write data. |
      | | Permission read | Permission to read folder permission configuration. If this permission is granted, authorized users can get details of folder permission configuration. |
      | | Permission write | Permission to modify folder permission configuration. If this permission is granted, authorized users can modify the details of folder permission configuration. This configuration will cause permission change. Please select it with caution. |
      | | Full access | Including four permissions: data read, data write, permission read, and permission write. This configuration grants a wide range of permissions. Please select it with caution. |
    5. After setting the permission, click Save on the right.
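
    One way to review folder permission settings against the least-privilege recommendation above (an added example, not part of the original page or of Tencent Cloud's tooling). The record layout, field names and sample entries are constructed assumptions, not a COS API response format.

```python
# Added example: least-privilege audit over a constructed export of folder permissions.
# The record layout (key, size, public, grants) is an assumption, not a COS API format.
RISKY_GRANTS = {"permission write", "full access"}

def is_folder(obj):
    # A COS "folder" is a 0 KB object whose key ends with "/".
    return obj["key"].endswith("/") and obj["size"] == 0

def effective_public(obj, bucket_public):
    # The object-level setting takes precedence; "inherited" falls back to the bucket's.
    return bucket_public if obj["public"] == "inherited" else obj["public"]

def audit(objects, bucket_public):
    """Return (key, severity, reason) tuples for folders that need review."""
    findings = []
    for obj in filter(is_folder, objects):
        public = effective_public(obj, bucket_public)
        if public == "public read/write":
            findings.append((obj["key"], "HIGH", "anonymous users can read and write"))
        elif public == "public read/private write":
            findings.append((obj["key"], "MEDIUM", "anonymous users can read"))
        # Permission write and full access let the grantee change the ACL itself.
        for grantee, perms in obj.get("grants", {}).items():
            risky = sorted(RISKY_GRANTS & set(perms))
            if risky:
                findings.append((obj["key"], "REVIEW", f"{grantee} holds {', '.join(risky)}"))
    return findings

# Constructed sample data (hypothetical folder names and sub-account labels).
SAMPLE = [
    {"key": "reports/", "size": 0, "public": "inherited", "grants": {}},
    {"key": "uploads/", "size": 0, "public": "public read/write", "grants": {}},
    {"key": "finance/", "size": 0, "public": "private read/write",
     "grants": {"sub-account-A": ["data read"], "sub-account-B": ["full access"]}},
    {"key": "reports/q1.csv", "size": 2048, "public": "inherited", "grants": {}},
]

if __name__ == "__main__":
    for key, severity, reason in audit(SAMPLE, bucket_public="public read/private write"):
        print(f"{severity:6} {key:10} {reason}")
```

    In the sample, reports/ is flagged only because it inherits a public-read bucket setting, while finance/ stays private in the same bucket because its own setting takes precedence.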
