Configuring an Object Policy

Procedure

1. In the bucket list, click the bucket you want to operate. The Overview page is displayed.
2. In the navigation pane, choose Objects.
3. On the right of the object to be operated, choose More > Configure Object Policy. The Configure Object Policy dialog box is displayed.
4. Select a proper policy mode as required. Valid options are as follows:
   • Read-only: The authorized user has the read permission on the object. For follow-up procedure, see 5.
   • Read and write: The authorized user has the read and write permissions on the object. For follow-up procedure, see 5.
   • Customized: The authorized user has the customized permissions on the object. For detailed configuration, see 6.
   

   You can configure only one object policy at a time.

5. For read-only and read and write modes, enter information about the authorized user in the following format and click OK.
   Figure 1 Parameter settings of an object policy in the read-only or read and write mode
   

   Table 1 Object policy parameters in read-only or read and write mode

   Parameter	Value	Description
   Principal	Include or Exclude Cloud service user, Federated user If you select Federated user, you can specify the user to be an Identity provider or a User group.	Indicates the user that the object policy applies to. Include: The policy applies to specified users. Exclude: The policy applies to users except the specified ones.
   Resources	Include or Exclude	Resources on which the object policy takes effect. Include: The bucket policy applies to specified OBS resources. Exclude: The bucket policy applies to OBS resources except the specified ones.

6. For the customized mode, set parameters based on the site requirements and click OK.
   Figure 2 Parameter settings of an object policy in the customized mode
   

   Table 2 Object policy parameters in the custom mode

   Parameter	Value	Description
   Effect	Allow or Deny	Effect of the object policy. Allow: The policy allows the matched requests. Deny: The policy denies the matched requests.
   Principal	Include or Exclude Cloud service user, Federated user If you select Federated user, you can specify the user to be an Identity provider or a User group.	Specifies users on whom this object policy takes effect, including cloud service users and federated users. A cloud service user is the one who accesses the cloud services through registration with the cloud services. A federated user is the one who accesses the cloud services through federated identity authentication. Include: The policy applies to specified users. Exclude: The policy applies to users except the specified ones.
   Resources	Include or Exclude	Resources on which the object policy takes effect. Include: The bucket policy applies to specified OBS resources. Exclude: The bucket policy applies to OBS resources except the specified ones.
   Actions	Include or Exclude For details about the actions, see Actions Related to Objects.	Operation stated in the object policy. Include: The bucket policy applies to specified actions. Exclude: The bucket policy applies to actions except the specified ones.
   Conditions	Condition Operator: See Table 1. Key: See Table 2 and Table 4. Value: The entered value is associated with the key.	Condition for an object policy to take effect.

7. Click OK.

   After the object policy is configured successfully, it is displayed in the list under Custom Bucket Policies in the Bucket Policies tab on the Permissions page.