OSS provides access control lists (ACLs) for you to control access permissions. ACLs are access policies that grant bucket and object access permissions to users. You can set an ACL when creating a bucket or uploading an object, and modify the ACL for a created bucket or an uploaded object at any time.

Note: For more information about ACL-based OSS API operations, see the following topics:

Bucket ACL

  • Overview
    Bucket ACLs are used to control access to buckets. The following ACL types are available: public-read-write, public-read, and private. These ACL types are described in the following table.
    ACL: public-read-write
    Description: The public-read-write permission.
    Access control: Anyone, including anonymous users, can perform read, write, and delete operations on objects in the bucket. Fees incurred by such operations are paid by the owner of the bucket. Configure this permission only when necessary.

    ACL: public-read
    Description: The public-read permission.
    Access control: Only the bucket owner or authorized users can perform write and delete operations on objects in the bucket. Other users, including anonymous users, can only read from the objects in the bucket.

    ACL: private
    Description: The private permission.
    Access control: Only the bucket owner or authorized users can perform read, write, and delete operations on objects in the bucket. Other users cannot access the objects in the bucket without authorization.
  • Implementation modes
    Implementation mode   Description
    Console               A user-friendly and intuitive Web application
    ossbrowser            Easy-to-operate graphical tool
    ossutil               A high-performance command-line tool
    Java SDK, Python SDK, PHP SDK, Go SDK, C SDK, .NET SDK, Node.js SDK, Ruby SDK
                          SDK demos in various programming languages

Object ACL

  • Overview

    Object ACLs are used to control access to objects. The following ACL types are available: private, public-read, public-read-write, and default. You can set the ACL for an object by including the x-oss-object-acl field in the request header of a PUT request for the PutObjectACL operation. Only the owner of a bucket can perform the PutObjectACL operation on the objects in the bucket.

    The following table describes the ACL types for objects.
    ACL: public-read-write
    Description: The public-read-write permission.
    Access control: All users can read data from and write data to the object.

    ACL: public-read
    Description: The public-read permission.
    Access control: The object owner can read data from and write data to the object. Other users can only read data from the object.

    ACL: private
    Description: The private permission.
    Access control: The object owner can read data from and write data to the object. Other users have no access to the object without authorization.

    ACL: default
    Description: The default permission.
    Access control: The object inherits the ACL of the bucket where it is stored.
    Note
    • If no ACL is set for an object, the object uses the default ACL, indicating that the object has the same ACL as the bucket where the object is stored.
    • If an ACL is set for an object, the object ACL takes precedence over the ACL of the bucket where the object is stored. Example: If the ACL for an object is set to public-read, all authenticated and anonymous users can read data from the object regardless of the bucket ACL.
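    The precedence rule above (an explicit object ACL overrides the bucket ACL, while default inherits it) together with the access matrix of the bucket and object tables, written out as an added Python model. This is not code from the OSS documentation or from any OSS SDK; the functions effective_acl, is_allowed, put_object_acl_headers and audit_public_access, and the sample bucket inventory, are constructed here for illustration. The audit function is the check a bucket owner would run over an inventory to find objects that end up readable or writable by anonymous users once inheritance is resolved.

```python
"""Constructed model of OSS bucket/object ACL resolution (not SDK code)."""
from typing import Dict, List, Tuple

# ACL values as named on the documentation page.
BUCKET_ACLS = {"private", "public-read", "public-read-write"}
OBJECT_ACLS = BUCKET_ACLS | {"default"}

# Requester classes: "owner" stands for the bucket/object owner or a user the
# owner has authorized; "authenticated" and "anonymous" are everyone else.
REQUESTERS = {"owner", "authenticated", "anonymous"}
ACTIONS = {"read", "write", "delete"}


def effective_acl(bucket_acl: str, object_acl: str = "default") -> str:
    """Resolve the ACL that governs an object.

    No object ACL, or the value "default", inherits the bucket ACL; any other
    object ACL takes precedence over the bucket ACL.
    """
    if bucket_acl not in BUCKET_ACLS:
        raise ValueError(f"unknown bucket ACL: {bucket_acl!r}")
    if object_acl not in OBJECT_ACLS:
        raise ValueError(f"unknown object ACL: {object_acl!r}")
    return bucket_acl if object_acl == "default" else object_acl


def is_allowed(acl: str, requester: str, action: str) -> bool:
    """Decide whether a requester may perform an action under a resolved ACL."""
    if requester not in REQUESTERS or action not in ACTIONS:
        raise ValueError("unknown requester or action")
    if requester == "owner":
        return True                      # owner/authorized: full access under every ACL
    if acl == "public-read-write":
        return True                      # anyone, including anonymous users
    if acl == "public-read":
        return action == "read"          # others may only read
    return False                         # private: nothing without authorization


def put_object_acl_headers(object_acl: str) -> Dict[str, str]:
    """Build the header a PutObjectACL request carries (x-oss-object-acl)."""
    if object_acl not in OBJECT_ACLS:
        raise ValueError(f"unknown object ACL: {object_acl!r}")
    return {"x-oss-object-acl": object_acl}


def audit_public_access(bucket_acl: str, objects: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report every object that anonymous users can reach after inheritance.

    Returns (key, exposure) pairs; objects that only the owner can reach are omitted.
    """
    findings = []
    for key, object_acl in objects.items():
        acl = effective_acl(bucket_acl, object_acl)
        if is_allowed(acl, "anonymous", "write"):
            findings.append((key, "anonymous read/write/delete"))
        elif is_allowed(acl, "anonymous", "read"):
            findings.append((key, "anonymous read"))
    return findings


# Constructed sample inventory: a private bucket whose objects carry mixed ACLs.
SAMPLE_BUCKET_ACL = "private"
SAMPLE_OBJECTS = {
    "reports/q1.pdf": "default",          # inherits private from the bucket
    "www/index.html": "public-read",      # explicit ACL overrides the bucket
    "uploads/drop.bin": "public-read-write",
}

if __name__ == "__main__":
    for key, exposure in audit_public_access(SAMPLE_BUCKET_ACL, SAMPLE_OBJECTS):
        print(f"{key}: {exposure}")
```

    Running the block against the sample inventory lists www/index.html as anonymously readable and uploads/drop.bin as anonymously read/write/deletable, while reports/q1.pdf stays private through inheritance; the same audit run with a public-read-write bucket flags every object whose ACL is default.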
  • Implementation modes
    Implementation mode   Description
    Console               A user-friendly and intuitive Web application
    ossbrowser            Easy-to-operate graphical tool
    ossutil               A high-performance command-line tool
    Java SDK, Python SDK, PHP SDK, Go SDK, C SDK, .NET SDK
                          SDK demos in various programming languages

References

For more information about how to authorize only specified users to access your objects, see the following topics: