doc-exports/docs/obs/perms-cfg/obs_40_0021.html
zhangyue 2c8baf104e OBS PERM DOC
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-10-29 16:45:36 +00:00


<a name="obs_40_0021"></a>
<h1 class="topictitle1">Granting IAM User Groups Basic Permissions on All OBS Resources</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0021__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0021__p3431154410448">This topic describes how to use OBS system roles and policies preset in IAM to grant basic operation permissions for all OBS resources to multiple IAM users or user groups. The following table lists the permissions supported by preset system roles and policies.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0021__table143320246431" frame="border" border="1" rules="all"><caption><b>Table 1 </b>OBS system permissions</caption><thead align="left"><tr id="obs_40_0021__row13332624144312"><th align="left" class="cellrowborder" valign="top" width="21.89%" id="mcps1.3.1.3.2.4.1.1"><p id="obs_40_0021__p7332132484320">Role/Policy Name</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="60.050000000000004%" id="mcps1.3.1.3.2.4.1.2"><p id="obs_40_0021__p5332824174310">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="18.060000000000002%" id="mcps1.3.1.3.2.4.1.3"><p id="obs_40_0021__p033272494312">Type</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0021__row92218311275"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p82223315277">Tenant Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p4466456182919">Users with this permission can perform all operations on all services except IAM.</p>
</td>
<td class="cellrowborder" valign="top" width="18.060000000000002%" headers="mcps1.3.1.3.2.4.1.3 "><p id="obs_40_0021__p13307349152715">System-defined role</p>
</td>
</tr>
<tr id="obs_40_0021__row6159933152717"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p26447396278">Tenant Guest</p>
</td>
<td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p201591334273">Users with this permission can perform read-only operations on all services except IAM.</p>
</td>
<td class="cellrowborder" valign="top" width="18.060000000000002%" headers="mcps1.3.1.3.2.4.1.3 "><p id="obs_40_0021__p1684219494278">System-defined role</p>
</td>
</tr>
<tr id="obs_40_0021__row1924313114811"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p71016102325">OBS Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p1910111102324">Users with this permission are OBS administrators and can perform any operations on all OBS resources under the account.</p>
</td>
<td class="cellrowborder" valign="top" width="18.060000000000002%" headers="mcps1.3.1.3.2.4.1.3 "><p id="obs_40_0021__p157071737143313">System-defined policy</p>
</td>
</tr>
<tr id="obs_40_0021__row333212434317"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p143321924104311">OBS Buckets Viewer</p>
</td>
<td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p1733310247431">Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata.</p>
</td>
<td class="cellrowborder" valign="top" width="18.060000000000002%" headers="mcps1.3.1.3.2.4.1.3 "><p id="obs_40_0021__p1554625611421">System-defined role</p>
</td>
</tr>
<tr id="obs_40_0021__row7333132416439"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p23331324114313">OBS ReadOnlyAccess</p>
</td>
<td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p193331246430">Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects (excluding the objects that have been versioned).</p>
<div class="note" id="obs_40_0021__note864512387375"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0021__p136452384379">If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the <strong id="obs_40_0021__b11873241193513">obs:bucket:ListBucketVersions</strong> permission so that the user can view different versions of objects on OBS Console.</p>
</div></div>
</td>
<td class="cellrowborder" valign="top" width="18.060000000000002%" headers="mcps1.3.1.3.2.4.1.3 "><p id="obs_40_0021__p123331524164312">System-defined policy</p>
</td>
</tr>
<tr id="obs_40_0021__row3333202464311"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p1333112420434">OBS OperateAccess</p>
</td>
<td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p145991616552">Users with this permission can perform all ReadOnlyAccess operations on OBS and perform basic operations on objects, such as uploading, downloading, deleting objects, and obtaining object ACLs.</p>
<div class="note" id="obs_40_0021__note84579519419"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0021__p9457205144115">If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the <strong id="obs_40_0021__b79791245133515">obs:bucket:ListBucketVersions</strong> permission so that the user can view different versions of objects on OBS Console.</p>
</div></div>
</td>
<td class="cellrowborder" valign="top" width="18.060000000000002%" headers="mcps1.3.1.3.2.4.1.3 "><p id="obs_40_0021__p933316249432">System-defined policy</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="obs_40_0021__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0021__p103657437515">IAM system roles and policies</p>
</div>
<div class="section" id="obs_40_0021__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0021__p817120327254">After a system role or policy has been configured as described in this topic, logging in to OBS Console or OBS Browser+ may display a message stating that you do not have the required permission.</p>
<p id="obs_40_0021__p5919175842316">Even though this error message is displayed, the IAM users can still call the OBS APIs to perform the operations they have been authorized for.</p>
<p id="obs_40_0021__p2091955810234">If <strong id="obs_40_0021__b6954823124117">OBS OperateAccess</strong> has been granted, they can also upload and download objects on OBS Console or OBS Browser+.</p>
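<p>The two behaviours described above (the console may report a missing permission while the API still works, and object listing can succeed while a versioned bucket still fails to list without <strong>obs:bucket:ListBucketVersions</strong>, as noted in Table 1) can be verified directly against the API. The following script is an added example, not part of the OBS documentation; it assumes the OBS Python SDK (package <code>esdk-obs-python</code>, module <code>obs</code>) and reads the IAM user's AK/SK and endpoint from the environment variables <code>OBS_AK</code>, <code>OBS_SK</code> and <code>OBS_ENDPOINT</code>, all of which are assumptions.</p>

```python
# Added example: probe what an IAM user can actually do through the OBS API,
# independent of what OBS Console displays. Assumes the OBS Python SDK
# (module "obs") and credentials in OBS_AK / OBS_SK / OBS_ENDPOINT (assumptions).
import os
from typing import Optional


def classify(status: int, error_code: Optional[str]) -> str:
    """Reduce an OBS API response to allowed / denied / other."""
    if 200 <= status < 300:
        return "allowed"
    if status == 403 or error_code == "AccessDenied":
        return "denied"
    return f"other({status}:{error_code})"


def diagnose(list_objects: str, list_versions: str) -> str:
    """Map the two listing outcomes onto the permission gap the page describes."""
    if list_objects == "allowed" and list_versions == "denied":
        # Exactly the case in the NOTE: ReadOnlyAccess/OperateAccess without
        # obs:bucket:ListBucketVersions on a bucket that holds object versions.
        return "grant obs:bucket:ListBucketVersions (console listing of a versioned bucket will fail)"
    if list_objects == "denied":
        return "no object-listing permission: check that the group has OBS ReadOnlyAccess or OBS OperateAccess"
    if list_objects == "allowed" and list_versions == "allowed":
        return "permissions sufficient for console and API listing"
    return "inconclusive: inspect the raw responses"


def probe(bucket: str) -> str:
    """Run both listing calls with the IAM user's credentials and diagnose the result."""
    from obs import ObsClient  # imported lazily so the helpers above work without the SDK
    client = ObsClient(access_key_id=os.environ["OBS_AK"],
                       secret_access_key=os.environ["OBS_SK"],
                       server=os.environ["OBS_ENDPOINT"])
    try:
        objs = client.listObjects(bucket)   # needs object listing (ReadOnlyAccess)
        vers = client.listVersions(bucket)  # needs obs:bucket:ListBucketVersions
    finally:
        client.close()
    return diagnose(classify(objs.status, objs.errorCode),
                    classify(vers.status, vers.errorCode))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Remember that, per the note in the Procedure, newly assigned permissions take about 10 to 15 minutes to take effect, so a "denied" result immediately after configuration may simply be cache lag.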
</div>
<div class="section" id="obs_40_0021__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0021__ol170633855216"><li id="obs_40_0021__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0021__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0021__b1424104235114">Service List</strong> &gt; <strong id="obs_40_0021__b152515429519">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0021__b225154225119">Identity and Access Management</strong>.</span></li><li id="obs_40_0021__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p id="obs_40_0021__p1312812258417">Assign the system roles or policies that meet your requirements to the user group by following the instructions in the IAM documentation.</p>
</li><li id="obs_40_0021__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><div class="note" id="obs_40_0021__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0021__p37253183814">Due to data caching, it takes about 10 to 15 minutes for the configured permissions to take effect.</p>
</div></div>
</li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0019.html">Granting Permissions to Multiple IAM Users or User Groups Under the Account</a></div>
</div>
</div>