OBS PERMS DOC

Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>

docs/obs/perms-cfg/PARAMETERS.txt

@@ -0,0 +1,3 @@
+version=""
+language="en-us"
+type=""

docs/obs/perms-cfg/obs_40_0002.html

@@ -0,0 +1,15 @@
+<a name="obs_40_0002"></a><a name="obs_40_0002"></a>
+
+<h1 class="topictitle1">Permission Control Mechanisms</h1>
+<div id="body1588766432188"></div>
+<div>
+<ul class="ullinks">
+<li class="ulchildlink"><strong><a href="obs_40_0003.html">IAM Permissions</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0004.html">Bucket Policies</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0005.html">ACLs</a></strong><br>
+</li>
+</ul>
+</div>
+

docs/obs/perms-cfg/obs_40_0006.html

@@ -0,0 +1,17 @@
+<a name="obs_40_0006"></a><a name="obs_40_0006"></a>
+
+<h1 class="topictitle1">Access Requests</h1>
+<div id="body1597060971933"></div>
+<div>
+<ul class="ullinks">
+<li class="ulchildlink"><strong><a href="obs_40_0007.html">Accessing OBS Using Permanent Access Keys</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0008.html">Accessing OBS Using Temporary Access Keys</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0009.html">Accessing OBS Using a Temporary URL</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0010.html">Accessing OBS Using an IAM Agency</a></strong><br>
+</li>
+</ul>
+</div>
+

docs/obs/perms-cfg/obs_40_0007.html

@@ -0,0 +1,15 @@
+<a name="obs_40_0007"></a><a name="obs_40_0007"></a>
+
+<h1 class="topictitle1">Accessing OBS Using Permanent Access Keys</h1>
+<div id="body1597061276141"><p id="obs_40_0007__p8384154201114">OBS provides REST APIs that supports authenticated requests and anonymous requests. Anonymous requests are typically used for scenarios that require public access, such as accessing a hosted static website. In most scenarios, accessing OBS resources require authenticated requests. An authenticated request contains a signature value. The signature value is calculated based on the requester's access keys (a pair of AK and SK) as the encryption factor and the specific information carried by the request body. The signature calculation process is included in the SDK. You only need to prepare the access keys when initializing the SDK. Then the signature calculation is implemented automatically. However, if a client uses the REST APIs to develop a program to access OBS, the client needs to calculate the signature based on the signature algorithm defined by the OBS and add the signature to the request.</p>
+<p id="obs_40_0007__p15291241">Users can create permanent access keys (a pair of AK and SK) on the <strong id="obs_40_0007__b536018488218">My Credentials</strong> page.</p>
+<ul id="obs_40_0007__ul36784332"><li id="obs_40_0007__li32558606">AK stands for the access key ID. It is the unique ID associated with the secret access key (SK). An AK is used together with an SK to encrypt and sign a request.</li><li id="obs_40_0007__li24592002">They can identify a request sender and prevent the request from being modified.</li></ul>
+<p class="msonormal" id="obs_40_0007__p62623536">An AK is also the unique identifier of an IAM user. OBS identifies a user based on its AK and SK, and then checks the permissions.</p>
+<p id="obs_40_0007__p136071453104913">For details about how to obtain the permanent access keys, see <a href="https://docs.otc.t-systems.com/en-us/browsertg/obs/obs_03_1007.html" target="_blank" rel="noopener noreferrer">Where Can I Obtain Access Keys (AK and SK)?</a></p>
+</div>
+<div>
+<div class="familylinks">
+<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0006.html">Access Requests</a></div>
+</div>
+</div>
+

docs/obs/perms-cfg/obs_40_0008.html

@@ -0,0 +1,49 @@
+<a name="obs_40_0008"></a><a name="obs_40_0008"></a>
+
+<h1 class="topictitle1">Accessing OBS Using Temporary Access Keys</h1>
+<div id="body1597060383204"><div class="section" id="obs_40_0008__section9831018134415"><h4 class="sectiontitle">Temporary Access Keys</h4><p id="obs_40_0008__p13730171513276">OBS can be accessed through temporary access keys and the security token, which can be obtained on IAM. You can assign the temporary access keys (including the security token) to a third-party application and an IAM user, so they can access OBS within a specified period of time.</p>
+<p id="obs_40_0008__p1046714345219">You can obtain the temporary access keys and security token by calling the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>.</p>
+<p id="obs_40_0008__p15487641192319">Temporary AK/SK and security token comply with the least privilege principle and can be used to temporarily access OBS. When you use a temporary AK/SK pair to call an API for authentication, you must use the temporary AK/SK and security token at the same time and add the <strong id="obs_40_0008__b24394441318">x-obs-security-token</strong> field to the request header.</p>
+<p id="obs_40_0008__p886610168273">Temporary access keys have the following advantages over permanent access keys of IAM users:</p>
+<ul id="obs_40_0008__ul48663167279"><li id="obs_40_0008__li118661716152719">Temporary access keys are valid for 15 minutes to 24 hours. You do not need to expose the permanent access keys of IAM users, reducing security risks.</li><li id="obs_40_0008__li957912263442">When obtaining temporary access keys, you can pass policy parameters to further restrict the temporary permissions granted to users. This ensures that IAM users can effectively control permissions granted to other users.</li></ul>
+<p id="obs_40_0008__p132948119510">For details, see <a href="https://docs.otc.t-systems.com/api_obs/obs/en-us_topic_0125560435.html" target="_blank" rel="noopener noreferrer">Authenticating a Request</a>.</p>
+</div>
+<div class="section" id="obs_40_0008__section114813400459"><h4 class="sectiontitle">Permissions of the Temporary Access Keys</h4><p id="obs_40_0008__p88917031019">When an IAM user calls the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>, the user can specify parameter <strong id="obs_40_0008__b194816914418">policy</strong> to add a temporary policy for the temporary access keys to further restrict the permissions granted to other users. The format and content of a temporary policy are consistent with those specified in <a href="obs_40_0003.html">IAM Permissions</a>.</p>
+<ul id="obs_40_0008__ul9969419203210"><li id="obs_40_0008__li3649172273215">If policy parameters are not specified, no temporary policies are used. The temporary access keys inherit the IAM user's permissions.</li><li id="obs_40_0008__li220117270328">If policy parameters are specified, a temporary policy is enabled. Then the temporary access keys confine the granted permissions according to the temporary policy and the IAM user permissions.</li></ul>
+<p id="obs_40_0008__p96091528153211">As shown in the following figure, circle 1 indicates the original permissions of an IAM user, and circle 2 indicates the temporary permissions specified by a temporary policy. The overlapped part 3 is the scope of permissions enabled by the temporary access keys.</p>
+<div class="fignone" id="obs_40_0008__fig479016438362"><span class="figcap"><b>Figure 1 </b>Intersection of IAM user permissions and temporary policy permissions</span><br><span><img id="obs_40_0008__image1769334518330" src="en-us_image_0269157281.png"></span></div>
+<p id="obs_40_0008__p15917195513116"><span style="color:#3D3F43;">Temporary access keys comply with the least privilege principle</span>. Configure a temporary policy within the original permission scope of an IAM user. Otherwise you may be confused about why permissions enabled by a temporary policy are not effective. As illustrated by the following figure, the finally effective permissions are the authorized temporary permissions.</p>
+<div class="fignone" id="obs_40_0008__fig78106108396"><span class="figcap"><b>Figure 2 </b>Restricting temporary permissions within the scope of IAM user permissions</span><br><span><img id="obs_40_0008__image79784541391" src="en-us_image_0269160697.png"></span></div>
+<p id="obs_40_0008__p2062985411216">A temporary policy authentication starts from the Deny statements. Unspecified permissions are denied by default.</p>
+<div class="note" id="obs_40_0008__note1450962491713"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0008__p9509524111715">Therefore, you are advised to specify only the allowed permission.</p>
+</div></div>
+</div>
+<div class="section" id="obs_40_0008__section1586812104015"><h4 class="sectiontitle">Application Scenarios</h4><p id="obs_40_0008__p582375113811">Temporary access keys are used to authorize third parties to temporarily access OBS. For example, some companies have their user management systems, which manage device app users and local enterprise users. These users do not have IAM user permissions, so IAM users can grant temporary access keys to these users when they need to access OBS.</p>
+<p id="obs_40_0008__p2028733765210"><strong id="obs_40_0008__b171291233598">Typical application scenario:</strong></p>
+<p id="obs_40_0008__p1722820165317">A company has a large number of device apps that need to access OBS. Different apps represent different end users who require different access permissions. In this case, temporary access keys can be used to access OBS.</p>
+<div class="fignone" id="obs_40_0008__fig1578555615594"><span class="figcap"><b>Figure 3 </b>Application scenarios of temporary access keys</span><br><span><img id="obs_40_0008__image8785185610591" src="en-us_image_0268971273.jpg"></span></div>
+<ol id="obs_40_0008__ol13913571123"><li id="obs_40_0008__li187401810623">If the customer's server can obtain permanent access keys for IAM users, the server can send requests to IAM to generate different temporary access keys for different apps.<p id="obs_40_0008__p1515944241010"><a name="obs_40_0008__li187401810623"></a><a name="li187401810623"></a>IAM users can obtain the temporary access keys and security token by calling the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>. When calling this API, pass the <strong id="obs_40_0008__b17874234156">policy</strong> parameter to set a temporary policy. An example is provided as follows:</p>
+<pre class="screen" id="obs_40_0008__screen895118193314">{
+    "auth": {
+        "identity": {
+            "methods": [
+                ... ...
+            ],
+<strong id="obs_40_0008__b10174183511418">            "policy": {</strong>
+<strong id="obs_40_0008__b49022111524">                ... ...</strong>
+<strong id="obs_40_0008__b39038111622">            }</strong>
+        }
+    }
+}</pre>
+<p id="obs_40_0008__p196416033516">The policy's syntax and format are the same as those specified in <a href="obs_40_0003.html">IAM Permissions</a>.</p>
+</li><li id="obs_40_0008__li02417287213">IAM generates temporary access keys with different permissions and validity periods based on the passed policy parameters and returns the access keys to the customer server.</li><li id="obs_40_0008__li11742153019213">Then the customer server distributes the temporary access keys to device apps that require such permissions.</li><li id="obs_40_0008__li173616331227">A device app can use the temporary access keys to access OBS through OBS SDKs or APIs. Temporary access keys are valid for a short period of time. If the device app needs to prolong its use of OBS, it should send a request to the customer server for updating temporary access keys before they expire.</li></ol>
+</div>
+<div class="section" id="obs_40_0008__section68052393915"><h4 class="sectiontitle">Configuration Example</h4><p id="obs_40_0008__p14371168163915">For details, see <a href="obs_40_0037.html">Granting Temporary Access to OBS</a>.</p>
+</div>
+</div>
+<div>
+<div class="familylinks">
+<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0006.html">Access Requests</a></div>
+</div>
+</div>
+

docs/obs/perms-cfg/obs_40_0009.html

@@ -0,0 +1,21 @@
+<a name="obs_40_0009"></a><a name="obs_40_0009"></a>
+
+<h1 class="topictitle1">Accessing OBS Using a Temporary URL</h1>
+<div id="body1588766432188"><p id="obs_40_0009__p8235152911353">You can use a temporary URL to access OBS and perform operations such as bucket creation or object upload and download. This section describes how to share objects using a temporary URL.</p>
+<div class="section" id="obs_40_0009__section19994292017"><h4 class="sectiontitle">Sharing Objects</h4><p id="obs_40_0009__p8060118">You can share objects (files or folders) stored in OBS with all users within a specified period.</p>
+<p id="obs_40_0009__p485730113312"><strong id="obs_40_0009__b317316469135">Sharing a file</strong></p>
+<p id="obs_40_0009__p728652492213">All URLs generated during file sharing are temporary and remain valid for a limited period of time.</p>
+<p id="obs_40_0009__p23269357438">A temporary URL uses V4 temporarily authorized requests. The following is a temporary URL sample:</p>
+<pre class="screen" id="obs_40_0009__screen732623584313">https://oss.<em id="obs_40_0009__i77546494">regionid</em>.example.region.com/<em id="obs_40_0009__i1717434918">bucketname</em>/<em id="obs_40_0009__i1877416498">objectname</em>?<span style="color:#FF0000;">X-Amz-Algorithm</span>=<em id="obs_40_0009__i1071048494">xxx</em>&amp;<span style="color:#FF0000;">X-Amz-Credential</span>=<em id="obs_40_0009__i11717411494">xxx</em>&amp;<span style="color:#FF0000;">X-Amz-Date</span>=<em id="obs_40_0009__i07047498">xxx</em>&amp;<span style="color:#FF0000;">X-Amz-Expires</span>=900&amp;<span style="color:#FF0000;">X-Amz-Signature</span>=<em id="obs_40_0009__i8713464915">xxx</em>&amp;<span style="color:#FF0000;">X-Amz-SignedHeaders</span>=<em id="obs_40_0009__i1671148498">xxx</em>&amp;<span style="color:#FF0000;">response-content-disposition</span>=<em id="obs_40_0009__i9714484913">xxx</em></pre>
+<p id="obs_40_0009__p78796553521">For details about the temporary authentication and parameters, see <a href="https://docs.otc.t-systems.com/en-us/api_obs/obs/en-us_topic_0125560420.html" target="_blank" rel="noopener noreferrer">V4 Temporarily Authorized Request</a> in the <em id="obs_40_0009__i188166914813">Object Storage Service API Reference</em>. A temporary URL also contains the <strong id="obs_40_0009__b1455482495">response-content-disposition</strong> parameter that defines whether an object is directly downloaded or previewed in a browser when it is accessed. This is determined by the browser based on the <strong id="obs_40_0009__b16555621918">Content-Type</strong> of the shared object.</p>
+<p id="obs_40_0009__p52403316294">After you share an object by choosing <strong id="obs_40_0009__b10272191912013">More</strong> &gt; <strong id="obs_40_0009__b1727220197208">Copy Object URL</strong> on OBS Console, the system will generate a URL that contains the temporary authentication information, valid for 900 seconds since its generation by default. Each time you click <strong id="obs_40_0009__b17360142022216">Copy Object URL</strong>, OBS will obtain the authentication information again to generate a new sharing URL whose validity period is reset.</p>
+</div>
+<div class="section" id="obs_40_0009__section2995192554816"><h4 class="sectiontitle">Limitations and Constraints</h4><ul id="obs_40_0009__ul109951125124812"><li id="obs_40_0009__li799542515487">The validity period of files shared through OBS Console is fixed at 900s. If you want a file to be accessed permanently, you can configure <a href="https://docs.otc.t-systems.com/usermanual/obs/en-us_topic_0045853745.html" target="_blank" rel="noopener noreferrer">a bucket policy or an object policy</a>.</li><li id="obs_40_0009__li1862383053711">Only buckets 3.0 support file and folder sharing. You can view the bucket version in the <strong id="obs_40_0009__b769213043717">Basic Information</strong> area on the <strong id="obs_40_0009__b176922023714">Overview</strong> page of a bucket.</li><li id="obs_40_0009__li1068453183718">To share a cold object, restore it first.</li></ul>
+</div>
+</div>
+<div>
+<div class="familylinks">
+<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0006.html">Access Requests</a></div>
+</div>
+</div>
+

docs/obs/perms-cfg/obs_40_0010.html

@@ -0,0 +1,12 @@
+<a name="obs_40_0010"></a><a name="obs_40_0010"></a>
+
+<h1 class="topictitle1">Accessing OBS Using an IAM Agency</h1>
+<div id="body1593432992233"><p id="obs_40_0010__p8060118">The IAM agency is a function of Identity and Access Management (IAM). In some OBS application scenarios (such as CDN private bucket retrieval and cross-region replication), IAM agencies are required to grant other users or cloud services the permission to access OBS and manage OBS resources for the delegating party, thus implementing secure and efficient agent maintenance.</p>
+<p id="obs_40_0010__p7715152117311">For details about IAM agencies, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0026.html" target="_blank" rel="noopener noreferrer">Identity and Access Management User Guide</a>.</p>
+</div>
+<div>
+<div class="familylinks">
+<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0006.html">Access Requests</a></div>
+</div>
+</div>
+

docs/obs/perms-cfg/obs_40_0011.html

@@ -0,0 +1,93 @@
+<a name="obs_40_0011"></a><a name="obs_40_0011"></a>
+
+<h1 class="topictitle1">Typical Permission Control Scenarios</h1>
+<div id="body1588765301378"><p id="obs_40_0011__p208051717135517">The following typical scenarios are provided to help you better configure OBS permission control.</p>
+<p id="obs_40_0011__p450012614259">Factors to consider before configuring permission control:</p>
+<ol id="obs_40_0011__ol838416464318"><li id="obs_40_0011__li1238424174319"><strong id="obs_40_0011__b20514845194711">Who are granted</strong>: Grantees can be a single IAM user, multiple IAM users or user groups, other accounts, and anonymous users.</li><li id="obs_40_0011__li1589648104320"><strong id="obs_40_0011__b1147712564478">What resources will be accessed</strong>: Such resources can be all OBS resources (requiring service-level permissions), specified buckets, and specified objects.</li><li id="obs_40_0011__li9359217184615"><strong id="obs_40_0011__b7610105485">What permissions are granted</strong>: In addition to configure basic permissions, such as read and read/write permissions, you can also customize permissions based on your needs.</li></ol>
+<p id="obs_40_0011__p15476185084820">OBS provides various permission control mechanisms for different scenarios. The following figure can help you quickly find the best method that matches your requirements.</p>
+<div class="fignone" id="obs_40_0011__fig948112311130"><span class="figcap"><b>Figure 1 </b>Typical permission scenarios</span><br><span><img id="obs_40_0011__image144815310137" src="en-us_image_0000001254687479.png"></span></div>
+<p id="obs_40_0011__p13461202015411">The following table lists the permission control cases in typical scenarios for your reference.</p>
+
+<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0011__table5166203464617" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Configuration cases in typical scenarios</caption><thead align="left"><tr id="obs_40_0011__row12166143413462"><th align="left" class="cellrowborder" valign="top" width="27.72%" id="mcps1.3.7.2.3.1.1"><p id="obs_40_0011__p71661934154618">Scenario</p>
+</th>
+<th align="left" class="cellrowborder" valign="top" width="72.28%" id="mcps1.3.7.2.3.1.2"><p id="obs_40_0011__p16166103434612">Configuration Case</p>
+</th>
+</tr>
+</thead>
+<tbody><tr id="obs_40_0011__row41661034204612"><td class="cellrowborder" rowspan="5" valign="top" width="27.72%" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p1016620343468">Granting permissions to an IAM user under the current account</p>
+</td>
+<td class="cellrowborder" valign="top" width="72.28%" headers="mcps1.3.7.2.3.1.2 "><p id="obs_40_0011__p0166143484615"><a href="obs_40_0014.html">Granting an IAM User the Permissions Required to List and Create Buckets</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row10166113411469"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p6166113413467"><a href="obs_40_0015.html">Granting an IAM User the Read and Write Permissions on a Bucket</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row616643416467"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p516603413468"><a href="obs_40_0016.html">Granting an IAM User the Permissions Required to Perform Specific Operations on a Specific Bucket</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row916617344466"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p5166103444612"><a href="obs_40_0017.html">Granting an IAM User the Read Permission on a Specific Object</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row161661234184618"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p181667345467"><a href="obs_40_0018.html">Granting an IAM User the Permissions Required to Perform Specific Operations on Certain Objects</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row1116683419469"><td class="cellrowborder" rowspan="4" valign="top" width="27.72%" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p201661934174616">Granting permissions to multiple IAM users or user groups under the current account</p>
+</td>
+<td class="cellrowborder" valign="top" width="72.28%" headers="mcps1.3.7.2.3.1.2 "><p id="obs_40_0011__p1316673411468"><a href="obs_40_0020.html">Granting IAM User Groups All Permissions on All OBS Resources</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row2166163419466"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p816673494612"><a href="obs_40_0021.html">Granting IAM User Groups Basic Permissions on All OBS Resources</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row158760195713"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p16886010576"><a href="obs_40_0022.html">Granting IAM User Groups Specified Permissions on All OBS Resources</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row14565103216579"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p756563255710"><a href="obs_40_0023.html">Granting IAM User Groups Specified Permissions on Certain OBS Resources</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row19214163615570"><td class="cellrowborder" rowspan="5" valign="top" width="27.72%" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p1521111362571">Granting permissions to other accounts</p>
+</td>
+<td class="cellrowborder" valign="top" width="72.28%" headers="mcps1.3.7.2.3.1.2 "><p id="obs_40_0011__p221111364578"><a href="obs_40_0025.html">Granting an Account the Read and Write Permissions on a Bucket</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row15213736195717"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p102111236155710"><a href="obs_40_0026.html">Granting an Account the Specified Permissions on a Bucket</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row74361952195611"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p17500721185617"><a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row12131836195711"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p1821111366579"><a href="obs_40_0028.html">Granting an Account Read Permissions on Certain Objects</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row237901617583"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p637811163586"><a href="obs_40_0029.html">Granting an Account the Specified Permissions on Certain Objects</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row9379111605813"><td class="cellrowborder" rowspan="4" valign="top" width="27.72%" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p43781316155819">Granting permissions to anonymous users</p>
+</td>
+<td class="cellrowborder" valign="top" width="72.28%" headers="mcps1.3.7.2.3.1.2 "><p id="obs_40_0011__p5378191611588"><a href="obs_40_0031.html">Granting Anonymous Users Public Read Permissions on a Bucket</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row17665101919589"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p15664171965816"><a href="obs_40_0032.html">Granting Anonymous Users Public Read Permissions on a Directory</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row166501995815"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p7664101918588"><a href="obs_40_0033.html">Granting Anonymous Users Public Read Permissions on Certain Objects</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row148469160595"><td class="cellrowborder" valign="top" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p12844121685912"><a href="obs_40_0034.html">Temporarily Sharing Objects with Anonymous Users</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row18593917167"><td class="cellrowborder" valign="top" width="27.72%" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p12693971611">Granting temporary permissions</p>
+</td>
+<td class="cellrowborder" valign="top" width="72.28%" headers="mcps1.3.7.2.3.1.2 "><p id="obs_40_0011__p46139121619"><a href="obs_40_0037.html">Granting Temporary Access to OBS</a></p>
+</td>
+</tr>
+<tr id="obs_40_0011__row19316192981419"><td class="cellrowborder" valign="top" width="27.72%" headers="mcps1.3.7.2.3.1.1 "><p id="obs_40_0011__p2084451620593">Restricting access to specified IP addresses</p>
+</td>
+<td class="cellrowborder" valign="top" width="72.28%" headers="mcps1.3.7.2.3.1.2 "><p id="obs_40_0011__p555917422118"><a href="obs_40_0036.html">Preventing Specific IP Addresses from Accessing a Bucket</a></p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+

docs/obs/perms-cfg/obs_40_0012.html

@@ -0,0 +1,21 @@
+<a name="obs_40_0012"></a><a name="obs_40_0012"></a>
+
+<h1 class="topictitle1">Configuration Cases in Typical Permission Control Scenarios</h1>
+<div id="body1588765301378"></div>
+<div>
+<ul class="ullinks">
+<li class="ulchildlink"><strong><a href="obs_40_0013.html">Granting Permissions to an IAM User Under the Account</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0019.html">Granting Permissions to Multiple IAM Users or User Groups Under the Account</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0024.html">Granting Permissions to Other Accounts</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0030.html">Granting Permissions to Anonymous Users</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0037.html">Granting Temporary Access to OBS</a></strong><br>
+</li>
+<li class="ulchildlink"><strong><a href="obs_40_0036.html">Preventing Specific IP Addresses from Accessing a Bucket</a></strong><br>
+</li>
+</ul>
+</div>
+