
Object Storage Service: Manage permissions

Last Updated: Nov 09, 2023

You can use ossbrowser to manage user access to specific resources.

Scenarios

Assume that you are an IT administrator of a company and need to grant employees different access permissions on a bucket. You can use ossbrowser to accomplish that purpose. For example, you can grant Employee A temporary access permissions on a directory in the bucket and grant Employee B regular read-only or read/write access to the bucket or a directory in the bucket.

Prerequisites

For data security, we recommend that you use the AccessKey pair of a RAM user to log on to ossbrowser. Before you begin, a RAM user must be created, granted the permissions to manage the bucket, and have the AliyunRAMFullAccess policy and the AliyunSTSAssumeRoleAccess policy attached. For more information, see Create a RAM user and Grant permissions to RAM users.

Temporary authorization

To implement temporary authorization, call the AssumeRole operation to assume a role and obtain temporary access credentials (a temporary AccessKey pair and an authorization token), and then provide those credentials to the intended user. The user can access the specified resources until the token expires, after which the token automatically becomes invalid.

  1. Log on to ossbrowser by using the AccessKey pair of the aforementioned RAM user.

    For more information, see Create an AccessKey pair and Install and log on to ossbrowser.

  2. Click the name of the bucket.

  3. Select the directory to which you want to grant temporary access and choose More > Authorization Token.

    Important

    Authorization token generation is supported only for directories.

  4. Configure the privilege, validity period, and role, and click Generate.

    Note

    The role needs at least read-only permissions on this directory.

  5. Click Copy to copy the authorization token.

  6. Provide the authorization token to the user to whom you want to grant temporary access.

    Note

    The user can use the authorization token to log on to ossbrowser. For more information, see Log on to ossbrowser by using an authorization token.

Long-term authorization

ossbrowser supports long-term authorization based on a simple policy, which is automatically created based on the permissions that you select for a RAM user. After authorization is complete, the RAM user has regular read-only or read/write access to the bucket or a specific directory in the bucket.

Note

The simple policy feature of ossbrowser implements access control based on Alibaba Cloud Resource Access Management (RAM). You can log on to the RAM console from the Alibaba Cloud website to manage your RAM users.

  1. Log on to ossbrowser as the RAM user mentioned in the Prerequisites section.

  2. Click the name of the bucket.

  3. Select one or more objects or directories and choose More > Simplify policy authorization.

  4. In the Simplify policy authorization dialog box, set the privileges.

  5. Grant permissions to a RAM user. You can select an existing RAM user or create one.

    Note

    You can click View Policy to view the generated policy text and paste it where you need it. For example, you can copy the policy text and paste it into the applicable policy editor in the OSS console.

  6. Log on to ossbrowser with the AccessKey pair of the RAM user that is granted access to the specified resources to manage the resources.
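
Before you paste policy text copied from View Policy into another editor, you can check that it grants nothing beyond the intended directory. The following is an added example, not code from ossbrowser or Alibaba Cloud. The bucket name example-bucket, the reports/ prefix, both sample policies, and the read-only action set are assumptions made for illustration.

```python
import json

READ_ONLY = {"oss:GetObject", "oss:ListObjects"}  # assumed read-only action set

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _prefix_conditions(stmt):
    """Collect every oss:Prefix value from the statement's Condition block."""
    values = []
    for operands in stmt.get("Condition", {}).values():
        values += _as_list(operands.get("oss:Prefix", []))
    return values

def audit_policy(policy_text, bucket, prefix, allowed_actions=READ_ONLY):
    """Return findings for Allow statements that exceed bucket/prefix scope."""
    findings = []
    statements = _as_list(json.loads(policy_text).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed_actions:
                findings.append(f"statement {i}: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            # RAM resource format: acs:oss:<region>:<account>:<bucket>[/<object>]
            path = resource.split(":", 4)[-1]
            if path.startswith(f"{bucket}/{prefix}"):
                continue
            scoped = _prefix_conditions(stmt)
            if path == bucket and scoped and all(v.startswith(prefix) for v in scoped):
                continue  # bucket-level listing restricted to the directory
            findings.append(f"statement {i}: resource {resource} outside {bucket}/{prefix}")
    return findings

# Constructed sample policies (not output captured from ossbrowser).
SCOPED = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject"],
     "Resource": ["acs:oss:*:*:example-bucket/reports/*"]},
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:example-bucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["reports/*"]}}}]})
BROAD = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "acs:oss:*:*:*"}]})

if __name__ == "__main__":
    print(audit_policy(SCOPED, "example-bucket", "reports/"))
    print(audit_policy(BROAD, "example-bucket", "reports/"))
```

An empty list means every Allow statement stays inside the directory. For read/write grants, pass a wider `allowed_actions` set.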