Configuring an Object Policy

An object policy applies to a specific object, which is also part of a bucket policy. The resource of an object policy is the selected object, and the actions and conditions are the object related actions and conditions configured in the bucket policy.

Procedure

  1. In the bucket list, click the bucket to be operated. The Overview page of the bucket is displayed.
  2. In the navigation pane, click Objects.
  3. On the right of the object to be operated, choose More > Configure Object Policy. The Configure Object Policy dialog box is displayed.
  4. Select a proper policy mode as required. Valid options are as follows:

    • Read-only mode: The authorized user has the read permission to the object. For follow-up procedure, see 5.
    • Read and write mode: The authorized user has the read and write permissions to the object. For follow-up procedure, see 5.
    • Customized: The authorized user will be granted with customized permissions to the object. For detailed configuration, see 6.

    You can configure only one object policy at a time.

  5. For read-only and read and write modes, enter information about the authorized user in the following format and click OK.

    Figure 1 Parameter settings of an object policy in the read-only or read and write mode
    Table 1 Object policy parameters in read-only or read and write mode

    Parameter

    Value

    Description

    Principal
    • Include or Exclude
    • Cloud service user, Federated user
      • If you select Cloud service user, you can specify the user to be the Current account or Other account.

        If you select Other account, enter the account ID, which is the Domain ID on the My Credential page.

      • If you select Federated user, you can specify the user to be an Identity provider or a User group.

    Indicates the user that the object policy applies to.

    • Include: Specifies the user on whom the bucket policy statement takes effect.
    • Exclude: Specifies that on all users except the specified user the bucket policy statement takes effect.

    Resources

    Include or Exclude

    Resources on which the object policy takes effect.

    • Include: Indicates that the policy takes effect only on the specified OBS resources.
    • Exclude: Indicates that the bucket policy takes effect on all OBS resources except the specified ones.

  6. For the customized mode, set parameters based on the site requirements and click OK.

    Figure 2 Parameter settings of an object policy in the customized mode
    Table 2 Object policy parameters in the custom mode

    Parameter

    Value

    Description

    Effect

    Allow or Deny

    Effect of the object policy.

    • Allow: Indicates that access requests are allowed, if they match the configurations of the bucket policy.
    • Deny: Indicates that access requests are denied, if they match the configurations of the bucket policy.

    Principal
    • Include or Exclude
    • Cloud service user, Federated user
      • If you select Cloud service user, you can specify the user to be the Current account or Other account.

        If you select Other account, enter the account ID, which is the Domain ID on the My Credential page.

      • If you select Federated user, you can specify the user to be an Identity provider or a User group.

    Specifies users on whom this object policy takes effect, including cloud service users and federated users. A cloud service user is the one who accesses the cloud services through registration with the cloud services. A federated user is the one who accesses the cloud services through federated identity authentication.

    • Include: Specifies the user on whom the bucket policy statement takes effect.
    • Exclude: Specifies that on all users except the specified user the bucket policy statement takes effect.

    Resources
    • Include or Exclude

    Resources on which the object policy takes effect.

    • Include: Indicates that the policy takes effect only on the specified OBS resources.
    • Exclude: Indicates that the bucket policy takes effect on all OBS resources except the specified ones.

    Actions

    Operation stated in the object policy.

    • Include: Specifies the actions on which the bucket policy takes effect.
    • Exclude: Specifies that on all except the specified actions the bucket policy takes effect.

    Conditions
    • Condition Operator: For details, see Table 1.
    • Key: For details, see Table 2 and Table 4.
    • Value: The entered value is associated with the key.

    Condition for an object policy to take effect.

  7. Click OK.

    After the object policy is configured successfully, it is displayed in the list under Custom Bucket Policies.

Parent topic: Permission Control