All Products
Search

This Product

    Object Storage Service:Grant file permissions to other users in ossbrowser 2.0

    Document Center

    Object Storage Service:Grant file permissions to other users in ossbrowser 2.0

    Last Updated:May 15, 2026

    To grant a user permissions to access specific resources in a bucket, you can use ossbrowser 2.0 for simple permission management.

    Important

    • You cannot grant file permissions if you log on with an Alibaba Cloud account. To grant permissions, you must use one of the other logon methods.

    • You cannot grant file permissions if you log on to ossbrowser 2.0 using a CloudBox Endpoint.

    Precautions

    • To ensure data security, log on to ossbrowser 2.0 using the AccessKey (AK) of a RAM user.

    • The RAM user must have permissions to manage a bucket, such as AliyunRAMFullAccess (permissions to manage Resource Access Management (RAM)) and AliyunSTSAssumeRoleAccess (permissions to call the AssumeRole operation of Security Token Service (STS)). For more information, see Create a RAM user and Grant permissions to a RAM user.

    Procedure

    1. Log on to ossbrowser 2.0 using an AK.

    2. Click the name of the target bucket, select the file or folder to which you want to grant permissions, and then click More > Authorize.

    3. To grant long-term permissions on specific resources to a RAM user, user group, or role, select Direct Authorization. To grant temporary permissions, select Role Assumption.

      Important

      Direct Authorization: Directly grants permissions to RAM users, user groups, or roles under the current account. The authorized RAM user will have read-only or read/write permissions for a specific bucket or folder. This option is available only to Alibaba Cloud accounts.

      Role Assumption: Assumes a RAM role by calling the AssumeRole operation to obtain temporary identity credentials and generate a temporary authorization code. This code grants temporary access to a specific folder in your bucket and becomes invalid after it expires. This option is available only to RAM users.

      Direct authorization

      In the following example, Identity to Authorize is set to Create RAM User. You can also select RAM User, Role, or User Group.

      1. Configure the parameters as shown in the following figure and click OK.

        image

      2. Copy and save the new RAM user's AK and authorization code.

        Note

        Click Policy Content to view the generated policy text. You can copy this text for other purposes, such as editing authorization policies for RAM users or roles in the RAM console.

        image

      3. Click the image icon in the lower-left corner to log out.

        image

      4. Use the generated AK or authorization code to log on to ossbrowser 2.0.

      Role assumption

      1. Configure the parameters as shown in the following figure and click OK.

        image

      2. Click Copy Authorization Code.

        image

      3. Click the image icon in the lower-left corner to log out.

        image

      4. Use the generated authorization code to log on to ossbrowser 2.0.