This topic describes how to implement data sharing across different departments or projects of an enterprise so that the data shared by a department can be only downloaded but cannot be written or deleted by users of other departments. This reduces the risk of accidental deletion and modification of the shared data.

Background information

In this example, Department A shares the data stored in a bucket named example-bucket with users of Department B and allows these users to download the shared data. This example shows how to follow the principle of least privilege to control access to shared data. The following figure shows the relationship between the shared bucket and the administrators and users of Department A and Department B.

(Figure: example-bucket, the administrator of Department A who configures it, and the users of Department A and Department B who access it)

Procedure

In this example, the administrator of Department A configures bucket policies that allow users of Department B to download, but not write or delete, the shared data. To achieve this goal, complete the prerequisites and then perform the following steps:

Prerequisites

  • RAM users for the administrators and users of Department A and Department B are created by the Alibaba Cloud account of the enterprise.

    For more information about how to create RAM users, see Create a RAM user.

  • The UIDs of the RAM users are obtained.

    For more information about how to view the basic information about a RAM user such as the UID, see View the basic information about a RAM user.

  • Appropriate permissions are granted to the RAM users.

    In this example, the administrator of Department A needs to create buckets and configure bucket policies. Therefore, the RAM user group of the administrator must have the AliyunOSSFullAccess permission. Note that AliyunOSSFullAccess grants full access to every bucket in the Alibaba Cloud account, so grant it only to the administrator; the users of Department A and Department B need no RAM policy for OSS, because the bucket policies configured in Steps 2 and 3 grant them exactly the access they need. For more information about how to grant permissions to RAM users, see Grant permissions to a RAM user.

Step 1: Create a bucket

Perform the following steps to create a bucket in the China (Hangzhou) region as the administrator of Department A:

  1. Log on to the OSS console as the RAM user of the administrator of Department A.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.
  3. In the Create Bucket panel, set the parameters.
    In this example, set the bucket name to example-bucket and keep Access Control List (ACL) set to Private (the default), so that access to the bucket is governed only by the bucket policies configured in Steps 2 and 3. For more information about how to configure parameters to create a bucket, see Create buckets.
  4. Click OK.

Step 2: Grant permissions to upload shared data

Perform the following steps to grant users of Department A permissions to upload shared data to example-bucket as the administrator of Department A:

  1. Click example-bucket created in Step 1.
  2. On the bucket details page, choose Access Control > Bucket Policy. In the Bucket Policy section, click Configure.
  3. In the Authorize panel, click Authorize.
  4. In the Authorize dialog box, configure the following parameters for the bucket policy:
    • Applied To: Select Whole Bucket. The authorization policy applies to the whole bucket.
    • Accounts: Select RAM Users. From the drop-down list, select the RAM users of Department A to which you want to grant permissions to upload shared data. You can also enter a keyword in the search box to search for specific RAM users. Fuzzy matching is supported.
    • Authorized Operation: Select Read/Write. Authorized users can perform read and write operations on the specified resources.

  5. Click OK.
    A bucket policy is created to allow users of Department A to upload shared data.

Step 3: Grant permissions to download but not write or delete shared data

Perform the following steps to grant users of Department B permissions to download shared data from example-bucket as the administrator of Department A:

  1. Click example-bucket created in Step 1.
  2. On the bucket details page, choose Access Control > Bucket Policy. In the Bucket Policy section, click Configure.
  3. In the Authorize panel, click Authorize.
  4. In the Authorize dialog box, configure the following parameters for the bucket policy:
    • Applied To: Select Whole Bucket. The authorization policy applies to the whole bucket.
    • Accounts: Select Other Accounts. Enter the UIDs of the RAM users of Department B to which you want to grant permissions to download shared data.
    • Authorized Operation: Select Read-Only (including ListObject). Authorized users can only view, list, and download the data stored in example-bucket; they cannot write or delete it.

    Because this option includes ListObject, users of Department B can enumerate the names of all objects in example-bucket. If the bucket also stores data that Department B must not see, select Specified Resource for Applied To and limit the policy to the directory that holds the shared data instead of the whole bucket.

  5. Click OK.
    A bucket policy is created to allow users of Department B to download but not write or delete shared data.

Step 4: Upload shared data

Perform the following steps to upload data to example-bucket as a user of Department A:

  1. Log on to the OSS console as a RAM user of Department A.
  2. Go to the Upload panel by using the following URL: https://oss.console.aliyun.com/bucket/hangzhou/example-bucket/object/upload.
  3. In the Upload panel, configure parameters to upload shared data.
    Select Current for Upload To, and keep Object ACL set to Inherited from Bucket so that the object keeps the Private ACL of the bucket. A Public Read object ACL would let anyone read the object regardless of the bucket policy. For more information about how to configure the access control list (ACL) and how to upload an object, see Upload objects.
  4. After the upload is complete, close the Upload Tasks panel.
    The shared data is uploaded to example-bucket.

Step 5: Verify permissions

Perform the following steps in the OSS console to verify that users of Department B can only download but cannot write or delete shared data:

  1. Log on to the OSS console as a RAM user of Department B.
  2. Go to the Files panel by using the following URL: https://oss.console.aliyun.com/bucket/hangzhou/example-bucket/object.
  3. In the Files panel, verify the following permissions:
    1. Verify download permissions of users of Department B on shared data.
      In the Actions column corresponding to an object in example-bucket, choose More > Download.
      • If the object cannot be downloaded, download permissions are not correctly configured. Check whether the bucket policy is correctly configured.
      • If the object is downloaded, download permissions are correctly configured.
    2. Verify upload permissions of users of Department B on shared data.
      Follow Step 4 to upload shared data to example-bucket.
      • If the upload is rejected, upload permissions are correctly configured.
      • If the object is uploaded, upload permissions are not correctly configured. Check whether the bucket policy is correctly configured and whether a RAM policy attached to the user grants write permissions on OSS.
    3. Verify deletion permissions of users of Department B on shared data.
      In the Actions column corresponding to an object in example-bucket, choose More > Completely Delete.
      • If the deletion is rejected, deletion permissions are correctly configured.
      • If the object is deleted, deletion permissions are not correctly configured. Check whether the bucket policy is correctly configured and whether a RAM policy attached to the user grants delete permissions on OSS.
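The two bucket policies from Steps 2 and 3, written out as the JSON document that OSS bucket policies use, together with a local check that mirrors the verification in Step 5. This is an added example, not code from the Alibaba Cloud page: the UIDs are constructed placeholders, and the mapping of the console options Read/Write and Read-Only (including ListObject) to the oss:GetObject, oss:ListObjects, oss:PutObject and oss:DeleteObject actions is the author's reading of those options, not a console export. The evaluator models only the bucket policy; in OSS a request is also granted if a RAM policy attached to the user allows it, and an explicit Deny in either wins, so the read-only intent holds only if Department B users carry no RAM policy that grants write access.

```python
"""Bucket policies for cross-department sharing, with a local least-privilege check.

Added example; not part of the Alibaba Cloud documentation. All UIDs below are
constructed placeholders and must be replaced with real values.
"""
import fnmatch
import json

OWNER_UID = "123456789012345"                              # account that owns the bucket (placeholder)
BUCKET = "example-bucket"
DEPT_A_USER_UIDS = ["200000000000001", "200000000000002"]  # RAM users of Department A (placeholders)
DEPT_B_USER_UIDS = ["300000000000001"]                     # RAM users of Department B (placeholders)

# Assumed mapping of the console options to OSS actions (author's reading, not a console export).
READ_ACTIONS = ["oss:GetObject", "oss:ListObjects"]        # "Read-Only (including ListObject)"
WRITE_ACTIONS = ["oss:PutObject", "oss:DeleteObject"]      # added by "Read/Write"


def bucket_resources(owner_uid, bucket):
    """Resource ARNs for the bucket itself (needed for ListObjects) and for every object in it."""
    return [f"acs:oss:*:{owner_uid}:{bucket}", f"acs:oss:*:{owner_uid}:{bucket}/*"]


def build_policy(owner_uid, bucket, dept_a_uids, dept_b_uids):
    """Step 2 (Department A: read/write) and Step 3 (Department B: read-only) as one policy document."""
    resources = bucket_resources(owner_uid, bucket)
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": READ_ACTIONS + WRITE_ACTIONS,
                "Principal": list(dept_a_uids),
                "Resource": resources,
            },
            {
                "Effect": "Allow",
                "Action": READ_ACTIONS,
                "Principal": list(dept_b_uids),
                "Resource": resources,
            },
        ],
    }


def _matches(patterns, value):
    # "*" in an Action or Resource pattern matches any run of characters, including "/".
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, principal_uid, action, resource):
    """Minimal evaluator for the bucket policy alone: explicit Deny wins, then any matching Allow,
    otherwise the request is denied (RAM policies attached to the user are not modelled here)."""
    allowed = False
    for stmt in policy["Statement"]:
        if principal_uid not in stmt["Principal"]:
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def verify_sharing(policy, owner_uid, bucket, dept_b_uid, region="cn-hangzhou"):
    """Step 5 in code: Department B must be able to list and download but not upload or delete."""
    bucket_arn = f"acs:oss:{region}:{owner_uid}:{bucket}"
    object_arn = f"{bucket_arn}/report.csv"  # constructed object name
    return {
        "list": is_allowed(policy, dept_b_uid, "oss:ListObjects", bucket_arn),
        "download": is_allowed(policy, dept_b_uid, "oss:GetObject", object_arn),
        "upload": is_allowed(policy, dept_b_uid, "oss:PutObject", object_arn),
        "delete": is_allowed(policy, dept_b_uid, "oss:DeleteObject", object_arn),
    }


if __name__ == "__main__":
    policy = build_policy(OWNER_UID, BUCKET, DEPT_A_USER_UIDS, DEPT_B_USER_UIDS)
    print(json.dumps(policy, indent=2))
    print(verify_sharing(policy, OWNER_UID, BUCKET, DEPT_B_USER_UIDS[0]))
```

The printed JSON can be pasted into the bucket policy editor in the console, or applied with the Python SDK's `bucket.put_bucket_policy(json.dumps(policy))` (assumed call; check the oss2 version you use). The check function is meant to run before the policy is applied and again after any change to it, so that a later edit that adds oss:PutObject to the Department B statement is caught before users can write to the shared bucket.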