This topic describes how to perform simple permission management by using ossbrowser.
Log on to ossbrowser as a RAM user
- Administrator RAM user: a RAM user who has administrative permissions. For example, a RAM user who can manage all buckets and authorize other RAM users is an administrator RAM user. You can log on to the RAM console by using your Alibaba Cloud account to create an administrator RAM user and grant permissions to the user, as shown in the following figure.
- Operator RAM user: a RAM user who has the read-only permission on a bucket or folder.
Administrator RAM users can use the simple policy feature to grant RAM users permissions.
For more information, see Grant permissions by using a simple policy.
Note: You can grant fine-grained permissions to RAM users. For more information, see Implement access control based on RAM policies.
Log on to ossbrowser by using STS tokens
You can use an STS token to log on to ossbrowser. STS tokens can be provided for other authorized users for temporary access to a folder in your bucket. The STS token automatically becomes invalid after it expires.
- Log on to ossbrowser as an administrator RAM user.
  Notice: When you log on to ossbrowser by using your Alibaba Cloud account or as an administrator RAM user, some features are inaccessible to ensure data security. Use the AccessKey pair of an administrator RAM user to log on to ossbrowser and generate a token. The administrator RAM user must have the permissions to manage a bucket or folder, manage RAM (AliyunRAMFullAccess), and call the STS AssumeRole operation (AliyunSTSAssumeRoleAccess).
- Select the objects or folders to be temporarily accessed by the authorized users, and choose , as shown in the following figure.
- Save the obtained token.
- Log off from ossbrowser and use the STS token to log on, as shown in the following figure.
Grant permissions by using a simple policy
- Log on to ossbrowser as an administrator RAM user.
- Select one or more objects or folders to be temporarily accessed by the authorized users, and choose .
- In the Simplify policy authorization dialog box, set Privileges.
- Grant permissions to an existing operator RAM user or create a new operator RAM user in this dialog box.
You can view, copy, and use the generated policy text. For example, you can copy the policy text and use it to edit the authorization policies for RAM users and roles in the RAM console.
Notice: To use the simple policy feature, you must log on to ossbrowser by using the AccessKey pair of a RAM user who has the RAM configuration permissions. For example, use the AccessKey pair of an administrator RAM user who has the RAM configuration permissions.
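Before you paste copied policy text into the RAM console, you can check that it grants only read access to the intended folder. The following is an added example, not code from ossbrowser or Alibaba Cloud: the function names, the bucket `example-bucket`, the folder `reports/`, and both sample policies are constructed for illustration, and the policy text that ossbrowser generates may be laid out differently.

```python
import json

# Assumption: this check treats only the OSS Get and List action families as read-only.
READ_ONLY_PREFIXES = ("oss:Get", "oss:List")

def as_list(value):
    """RAM policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text, bucket, prefix):
    """Return findings for Allow statements that exceed read-only access to bucket/prefix."""
    findings = []
    scope = f"{bucket}/{prefix}"
    for i, stmt in enumerate(as_list(json.loads(policy_text).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant anything
        if "Action" not in stmt or "Resource" not in stmt:
            findings.append(f"statement {i}: no explicit Action/Resource list")
            continue
        actions = as_list(stmt["Action"])
        for action in actions:
            # A wildcard placed after the prefix still matches only that action family.
            if not action.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: action {action} is not read-only")
        list_only = all(a.startswith("oss:List") for a in actions)
        for resource in as_list(stmt["Resource"]):
            path = resource.split(":", 4)[-1]  # part after "acs:oss:<region>:<account>:"
            if path.startswith(scope):
                continue
            if path == bucket and list_only:
                continue  # listing is granted on the bucket resource itself
            findings.append(f"statement {i}: resource {resource} is outside {scope}")
    return findings

# Constructed sample policies (not ossbrowser output).
SCOPED = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject"],
     "Resource": ["acs:oss:*:*:example-bucket/reports/*"]},
    {"Effect": "Allow", "Action": "oss:ListObjects",
     "Resource": "acs:oss:*:*:example-bucket",
     "Condition": {"StringLike": {"oss:Prefix": "reports/*"}}}]})
BROAD = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:example-bucket/*"]}]})

if __name__ == "__main__":
    for name, text in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_policy(text, "example-bucket", "reports/") or "OK")
```

The check does not inspect `Condition` blocks, so a bucket-level list statement without an `oss:Prefix` condition still passes and should be reviewed by hand.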