This topic describes how to implement data sharing across different departments or projects of an enterprise so that the data shared by a department can be only downloaded but cannot be written or deleted by users of other departments. This reduces the risk of accidental deletion and modification of the shared data.

Background information

In this example, Department A shares the data stored in a bucket named example-bucket with users of Department B and allows these users to download the shared data. This example shows how to follow the principle of least privilege to control access to shared data. The following figure shows the relationship between the shared bucket and the administrators and users of Department A and Department B.

[Figure policy1: relationship between the shared bucket and the administrators and users of Department A and Department B]

Procedure

In this example, the administrator of Department A configures bucket policies to allow users of Department B to download but not write or delete the shared data. To achieve this, the following prerequisites must be met and the following steps must be performed:

Prerequisites

  • RAM users for the administrators and users of Department A and Department B are created by the Alibaba Cloud account of the enterprise.

    For more information about how to create RAM users, see Create a RAM user.

  • The UIDs of the RAM users are obtained.

    For more information about how to view the basic information about a RAM user such as the UID, see View the basic information about a RAM user.

  • Appropriate permissions are granted to the RAM users.

    In this example, the administrator of Department A needs to create buckets and configure bucket policies. Therefore, the RAM user group of the administrator must have the AliyunOSSFullAccess permission. For more information about how to grant permissions to RAM users, see Grant permissions to the RAM user.

Step 1: Create a bucket

Perform the following steps to create a bucket in the China (Hangzhou) region as the administrator of Department A:

  1. Log on to the OSS console as the RAM user of the administrator of Department A.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.
  3. In the Create Bucket panel, configure the parameters.
    In this example, the Bucket Name parameter is set to example-bucket. For more information about how to configure parameters to create a bucket, see Create buckets.
  4. Click OK.

Step 2: Grant permissions to upload shared data

Perform the following steps to grant users of Department A permissions to upload shared data to example-bucket as the administrator of Department A:

  1. Click example-bucket created in Step 1.
  2. In the left-side navigation tree, choose Permission Control > Bucket Policy.
  3. On the page that appears, click Add by GUI and click Authorize.
  4. In the Authorize panel, configure the parameters. The following table describes the parameters. Retain the default configurations for other parameters that are not described in the table.

    Parameter             Description
    Applied To            Select Whole Bucket, which indicates that the authorization policy applies to the whole bucket.
    Accounts              Select RAM User. From the drop-down list, select the RAM user to which you want to grant the permissions to upload data. You can also enter a keyword in the search box to search for specific RAM users. Fuzzy match is supported.
    Authorized Operation  Select Read/Write. This option indicates that authorized users can perform read and write operations on specific resources.

  5. Click OK.
    A bucket policy is created to allow users of Department A to upload shared data.

Step 3: Grant permissions to download but not write or delete shared data

Perform the following steps to grant users of Department B permissions to download shared data from example-bucket as the administrator of Department A:

  1. Click example-bucket created in Step 1.
  2. In the left-side navigation tree, choose Permission Control > Bucket Policy.
  3. On the page that appears, click Add by GUI and click Authorize.
  4. In the Authorize panel, configure the parameters. The following table describes the parameters. Retain the default configurations for other parameters that are not described in the table.

    Parameter             Description
    Applied To            Select Whole Bucket, which indicates that the authorization policy applies to the whole bucket.
    Accounts              Select Other Accounts. Enter the UIDs of the RAM users to which you want to grant the permissions to download shared data.
    Authorized Operation  Select Read-Only (including ListObject). This option indicates that authorized users can only view, list, and download data but cannot write or delete data stored in example-bucket.

  5. Click OK.
    A bucket policy is created to allow users of Department B to download but not write or delete shared data.

Step 4: Upload shared data

Perform the following steps to upload data to example-bucket as a user of Department A:

  1. Log on to the OSS console as a RAM user of Department A.
  2. Go to the Upload panel by using the following URL: https://oss.console.aliyun.com/bucket/hangzhou/example-bucket/object/upload.
  3. In the Upload panel, configure parameters to upload shared data.
    Select Current for Upload To. For more information about how to configure the access control list (ACL) and how to upload an object, see Upload objects.
  4. After the upload is complete, close the Upload Tasks panel.
    The shared data is uploaded to example-bucket.

Step 5: Verify permissions

Perform the following steps in the OSS console to verify that users of Department B can only download but cannot write or delete shared data:

  1. Log on to the OSS console as a RAM user of Department B.
  2. Go to the Files panel by using the following URL: https://oss.console.aliyun.com/bucket/hangzhou/example-bucket/object.
  3. In the Files panel, verify the following permissions:
    1. Verify that users of Department B can download shared data.
      In the Actions column of an object in example-bucket, choose more > Download.
      • If the object cannot be downloaded, the download permissions are incorrectly configured. Check whether the bucket policy is correctly configured.
      • If the object is downloaded, the download permissions are correctly configured.
    2. Verify that users of Department B cannot upload shared data.
      Follow Step 4 to upload shared data to example-bucket.
      • If the object cannot be uploaded, the upload permissions are correctly configured.
      • If the object is uploaded, the upload permissions are incorrectly configured. Check whether the bucket policy is correctly configured.
    3. Verify that users of Department B cannot delete shared data.
      In the Actions column of an object in example-bucket, choose more > Delete.
      • If the object cannot be deleted, the delete permissions are correctly configured.
      • If the object is deleted, the delete permissions are incorrectly configured. Check whether the bucket policy is correctly configured.
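The two bucket policies that Step 2 and Step 3 create through the console, and the checks that Step 5 performs by hand, can also be expressed and exercised in code. The following Python script is an added example and is not part of this topic or of OSS itself: it builds a bucket policy document in the OSS bucket policy format (Version "1", Effect, Action, Principal as a list of UIDs, Resource in the acs:oss:*:{owner-uid}:{bucket} form) with a read/write statement for a Department A RAM user and a read-only statement for a Department B RAM user, then runs a small evaluator over sample requests to confirm that Department B can download but not upload or delete. All UIDs are constructed placeholders, the action lists are an assumption about what the console's Read/Write and Read-Only (including ListObject) options map to (the console may generate a longer list), and the evaluator is a simplified model of policy evaluation (default deny, explicit Deny wins), not the real OSS authorization engine.

```python
import fnmatch
import json

# Constructed placeholder identifiers; replace with real UIDs from the RAM console.
OWNER_UID = "100000000000000"        # Alibaba Cloud account that owns example-bucket
DEPT_A_USER_UID = "200000000000001"  # a RAM user of Department A (uploads shared data)
DEPT_B_USER_UID = "300000000000002"  # a RAM user of Department B (downloads only)
BUCKET = "example-bucket"

# Assumed action sets for the console's "Read-Only (including ListObject)" and
# "Read/Write" choices. The console may include further actions; the point here
# is that Department B's set contains no write or delete action at all.
READ_ONLY_ACTIONS = ["oss:GetObject", "oss:GetObjectAcl", "oss:ListObjects"]
READ_WRITE_ACTIONS = READ_ONLY_ACTIONS + ["oss:PutObject", "oss:DeleteObject"]


def bucket_policy():
    """Build the policy document for example-bucket (Step 2 + Step 3)."""
    bucket_arn = f"acs:oss:*:{OWNER_UID}:{BUCKET}"
    return {
        "Version": "1",
        "Statement": [
            {   # Step 2: Department A users may read and write shared data
                "Effect": "Allow",
                "Action": READ_WRITE_ACTIONS,
                "Principal": [DEPT_A_USER_UID],
                "Resource": [bucket_arn, bucket_arn + "/*"],
            },
            {   # Step 3: Department B users may only list and download
                "Effect": "Allow",
                "Action": READ_ONLY_ACTIONS,
                "Principal": [DEPT_B_USER_UID],
                "Resource": [bucket_arn, bucket_arn + "/*"],
            },
        ],
    }


def is_allowed(policy, principal, action, resource):
    """Simplified evaluator: default deny, any matching Deny wins, else an Allow must match.

    This is a model for checking a policy offline, not the OSS engine itself.
    """
    allowed = False
    for stmt in policy["Statement"]:
        principals = stmt["Principal"]
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def verify_least_privilege(policy):
    """Mirror Step 5: Department B downloads and lists, but cannot upload or delete."""
    obj = f"acs:oss:*:{OWNER_UID}:{BUCKET}/report.csv"   # constructed sample object
    bucket = f"acs:oss:*:{OWNER_UID}:{BUCKET}"
    return {
        "dept_b_download": is_allowed(policy, DEPT_B_USER_UID, "oss:GetObject", obj),
        "dept_b_list": is_allowed(policy, DEPT_B_USER_UID, "oss:ListObjects", bucket),
        "dept_b_upload": is_allowed(policy, DEPT_B_USER_UID, "oss:PutObject", obj),
        "dept_b_delete": is_allowed(policy, DEPT_B_USER_UID, "oss:DeleteObject", obj),
        "dept_a_upload": is_allowed(policy, DEPT_A_USER_UID, "oss:PutObject", obj),
        "dept_a_delete": is_allowed(policy, DEPT_A_USER_UID, "oss:DeleteObject", obj),
    }


if __name__ == "__main__":
    policy = bucket_policy()
    print(json.dumps(policy, indent=2))   # the document you would apply to the bucket
    print(verify_least_privilege(policy))
```

The printed JSON is the same kind of document the console writes when you click OK in Step 2 and Step 3; keeping it in version control and re-running the checks whenever the policy changes turns the manual verification in Step 5 into a repeatable test.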