You can use ossbrowser to manage user access to specific resources.
Assume that you are an IT administrator of a company and need to grant employees different access permissions on a bucket. You can use ossbrowser to accomplish that purpose. For example, you can grant Employee A temporary access permissions on a directory in the bucket and grant Employee B regular read-only or read/write access to the bucket or a directory in the bucket.
For data security, we recommend that you use the AccessKey pair of a RAM user to log on to ossbrowser. A RAM user is created, is granted the permissions to manage the bucket, and is attached the AliyunRAMFullAccess policy and the AliyunSTSAsumeRoleAccess policy. For more information, see Create a RAM user and Grant permissions to RAM users.
To implement temporary authorization, you need to call the AssumeRole operation to assume a role that has temporary access credentials (a temporary AccessKey pair and an authorization token) and provide the intended user with the temporary access credentials to grant the user access to specified resources before the token expires. The token automatically becomes invalid after it expires.
Log on to ossbrowser by using the AccessKey pair of the aforementioned RAM user.
Click the name of the bucket.
Select the directory to which you want to grant temporary access and choose .Important
Authorization token generation is supported only for directories.
Configure the privilege, validity period, and role, and click Generate.Note
The role needs at least read-only permissions on this directory.
Click Copy to copy the authorization token.
Provide the authorization token for the user whom you want to grant temporary access.Note
The user can use the authorization token to log on to ossbrowser. For more information, see Log on to ossbrowser by using an authorization token.
ossbrowser supports long-term authorization based on a simple policy, which is automatically created based on the permissions that you select for a RAM user. After authorization is complete, the RAM user has regular read-only or read/write access to the bucket or a specific directory in the bucket.
The simple policy feature of ossbrowser implements access control based on Alibaba Cloud Resource Access Management (RAM). You can log on to the RAM console from the Alibaba Cloud website to manage your RAM users.
Log on to ossbrowser as the RAM user mentioned in the Prerequisites section.
Click the name of the bucket.
Select one or more objects or directories and choose .
In the Simplify policy authorization dialog box, set the privileges.
Grant permissions to an RAM user. You can select an existing RAM user or create one.Note
You can click View Policy to view the generated policy text and paste it to the required location. For example, you can copy the policy text and paste it to the applicable policy editor in the OSS console.
Log on to ossbrowser with the AccessKey pair of the RAM user that is granted access to the specified resources to manage the resources.