This topic describes how to manage the access control list (ACL) of an object.

The following table describes the ACLs that you can configure for an object.

ACL Description Value
Inherited from the bucket The ACL of the object is the same as the ACL of the bucket in which the object is stored. default
Private Only the object owner and authorized users are granted the read and write permissions on the object. private
Public read Only the object owner and authorized users are granted the read and write permissions on the object. Other users are granted only the read permissions on the object. Exercise caution when you set the ACL of the object to this value. public-read
Public read/write All users are granted the read and write permissions on the object. Exercise caution when you set the ACL of the object to this value. public-read-write

The ACL of the object takes precedence over the ACL of the bucket. For example, if the ACL of a bucket is private and the ACL of an object that is stored in the bucket is public, all users are granted the read and write permissions on the object. If the ACL of an object is not configured, the ACL of the object is the same as the ACL of the bucket in which the object is stored.

Configure the ACL of an object

The following code provides an example on how to configure the ACL of a specified object:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\OssClient;
use OSS\Core\OssException;

// The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. 
$accessKeyId = "<yourAccessKeyId>";
$accessKeySecret = "<yourAccessKeySecret>";
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
$endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";
$object = "<yourObjectName>";
// Configure the ACL of the object to public read. If you do not specify the ACL of the object, the ACL of the object inherits the ACL of the bucket in which the object is stored. 
$acl = "public-read";
try {
    $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint);

    $ossClient->putObjectAcl($bucket, $object, $acl);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
            

Obtain the ACL of an object

The following code provides an example on how to query the ACL of a specified object:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\OssClient;
use OSS\Core\OssException;

// The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. 
$accessKeyId = "<yourAccessKeyId>";
$accessKeySecret = "<yourAccessKeySecret>";
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
$endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";
$object = "<yourObjectName>";
try {
    $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint);

    $objectAcl = $ossClient->getObjectAcl($bucket, $object);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
var_dump($objectAcl);