
Object Storage Service:Share data across departments based on a bucket policy

Last Updated:Mar 20, 2026

When departments need to share data stored in OSS, the challenge is granting read access to recipients without exposing write or delete permissions. Bucket policies let you define fine-grained access rules directly on a bucket — without modifying the RAM policies of the involved users. This makes them the right tool for cross-department or cross-account data sharing when you need to control access without touching centralized permission assignments.

This tutorial walks through a scenario where Department A stores data in a bucket and grants Department B download-only access. All configuration is done by the Department A administrator, following the principle of least privilege.

Note: Bucket policies apply directly to the bucket and don't require changes to RAM policies. Use bucket policies when you need to grant cross-department or cross-account access without modifying RAM permission assignments.

The following diagram shows the expected permissions for administrators and users in both departments on the example-bucket bucket.

[Diagram: expected permissions of the Department A and Department B administrators and users on example-bucket]

Prerequisites

Before you begin, ensure that you have:

  • RAM users created for the administrators and users in Department A and Department B, all within the same Alibaba Cloud account. See Create a RAM user.

  • The UIDs of the Department B RAM users. See View the information about a RAM user.

  • The AliyunOSSFullAccess policy attached to the RAM user group of the Department A administrator, so the administrator can create buckets and configure bucket policies. See Grant permissions to a RAM user.

Step 1: Create a bucket

Log on to the OSS console as the administrator of Department A.

  1. In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.

  2. In the Create Bucket panel, configure the parameters. In this example, the bucket is named example-bucket and is created in the China (Hangzhou) region. For configuration details, see Create buckets.

  3. Click Create.

Step 2: Grant Department A upload permissions

Configure a bucket policy that allows Department A users to upload data to example-bucket.

  1. Click the name of the bucket created in Step 1.

  2. In the left-side navigation pane, choose Permission Control > Bucket Policy.

  3. On the Add in GUI tab, click Authorize.

  4. In the Authorize panel, configure the following parameters and keep the defaults for all other settings.

    • Applied To: Select Whole Bucket.
    • Authorized User: Select RAM User, then choose the Department A RAM users from the drop-down list. Enter a username or keyword to search by fuzzy match.
    • Authorized Operation: Select Basic Settings, then click Read/Write. This grants read and write access to the bucket.
  5. Click OK.

Department A users can now upload data to example-bucket.

Step 3: Grant Department B download-only permissions

Configure a second bucket policy that allows Department B users to download data but blocks writes and deletions.

  1. Click the name of the bucket created in Step 1.

  2. In the left-side navigation pane, choose Permission Control > Bucket Policy.

  3. On the Add in GUI tab, click Authorize.

  4. In the Authorize panel, configure the following parameters and keep the defaults for all other settings.

    • Applied To: Select Whole Bucket.
    • Authorized User: Select Other Accounts, then enter the UIDs of the Department B RAM users.
    • Authorized Operation: Select Basic Settings, then click Read-only (including ListObject). This is more restrictive than Read/Write: authorized users can view, list, and download objects, but cannot write to or delete from the bucket.
  5. Click OK.

Department B users can now download data from example-bucket but cannot upload or delete objects.
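The two console presets configured in Steps 2 and 3 are stored on the bucket as a single JSON bucket policy document. The following Python example, added here and not part of the original tutorial or of any Alibaba Cloud SDK, builds that document for example-bucket and runs a simplified local evaluation that mirrors the three checks in Step 5. All UIDs are constructed placeholders. The action lists are an assumption: the console's Read/Write and Read-only presets may grant further actions (for example ACL reads), but the four object actions shown are the ones the tutorial's checks depend on. The evaluator models only the bucket policy; in OSS the principal's own RAM policies are evaluated as well, and an explicit Deny in either place wins.

```python
import json

# Constructed placeholder identifiers (not real account or RAM user UIDs).
OWNER_UID = "100000000000000"                          # account that owns example-bucket
DEPT_A_UIDS = ["200000000000001", "200000000000002"]   # Department A RAM users
DEPT_B_UIDS = ["300000000000001"]                      # Department B RAM users
BUCKET = "example-bucket"

# Assumed mapping of the console presets to OSS actions (core object actions only).
READ_ONLY_ACTIONS = ["oss:GetObject", "oss:ListObjects"]
READ_WRITE_ACTIONS = READ_ONLY_ACTIONS + ["oss:PutObject", "oss:DeleteObject"]


def bucket_resources(bucket, owner_uid):
    """The bucket itself (needed for ListObjects) plus every object in it."""
    return [f"acs:oss:*:{owner_uid}:{bucket}", f"acs:oss:*:{owner_uid}:{bucket}/*"]


def build_policy(bucket, owner_uid, dept_a_uids, dept_b_uids):
    """Bucket policy document equivalent to Step 2 (Dept A) and Step 3 (Dept B)."""
    return {
        "Version": "1",
        "Statement": [
            {   # Step 2: Department A users may read and write
                "Effect": "Allow",
                "Action": READ_WRITE_ACTIONS,
                "Principal": list(dept_a_uids),
                "Resource": bucket_resources(bucket, owner_uid),
            },
            {   # Step 3: Department B users may only list and download
                "Effect": "Allow",
                "Action": READ_ONLY_ACTIONS,
                "Principal": list(dept_b_uids),
                "Resource": bucket_resources(bucket, owner_uid),
            },
        ],
    }


def _matches(pattern, value):
    """Prefix match for a trailing '*' only; the region component stays the literal '*'
    in both the policy and the constructed resource strings, so it compares as text."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def is_allowed(policy, principal_uid, action, resource):
    """Simplified evaluation: default deny, any matching Allow grants, explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if principal_uid not in stmt["Principal"]:
            continue
        if not any(_matches(a, action) for a in stmt["Action"]):
            continue
        if not any(_matches(r, resource) for r in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def verify_department_b(policy, uid, bucket=BUCKET, owner_uid=OWNER_UID):
    """Reproduce the three Step 5 checks for one Department B UID against a sample object."""
    obj = f"acs:oss:*:{owner_uid}:{bucket}/report.csv"   # constructed object key
    return {
        "download": is_allowed(policy, uid, "oss:GetObject", obj),   # expected True
        "upload": is_allowed(policy, uid, "oss:PutObject", obj),     # expected False
        "delete": is_allowed(policy, uid, "oss:DeleteObject", obj),  # expected False
    }


if __name__ == "__main__":
    policy = build_policy(BUCKET, OWNER_UID, DEPT_A_UIDS, DEPT_B_UIDS)
    print(json.dumps(policy, indent=2))
    print(verify_department_b(policy, DEPT_B_UIDS[0]))
```

Running the module prints the policy JSON that the console generates for these presets, followed by the Department B check results. Before applying a bucket policy, run the local evaluation with any UID that is not in either department to confirm the document still defaults to deny.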

Step 4: Upload data to the bucket

Log on to the OSS console as a Department A RAM user.

  1. Open the object upload page at https://oss.console.alibabacloud.com/bucket/hangzhou/example-bucket/object/upload.

  2. On the Upload page, set Upload To to Current Directory and configure the remaining parameters. For details, see Upload objects.

  3. On the Upload Tasks tab of the Task List panel, monitor the upload progress. Close the panel after the upload completes.

Step 5: Verify permissions

Log on to the OSS console as a Department B RAM user.

  1. Open the Objects page at https://oss.console.alibabacloud.com/bucket/hangzhou/example-bucket/object.

  2. Run the following three checks:

    Check 1: Download permission (expected: success)

    Find an object in example-bucket and choose more > Download in the Actions column.

    • If the object downloads successfully, the download permission is correctly configured.

    • If the download fails, the download permission is incorrectly configured.

    Check 2: Upload permission (expected: failure)

    Follow Step 4 to upload data to example-bucket.

    • If the upload fails, the upload restriction is correctly configured.

    • If the upload succeeds, the upload restriction is incorrectly configured.

    Check 3: Delete permission (expected: failure)

    Find an object in example-bucket and choose more > Delete in the Actions column.

    • If the deletion fails, the delete restriction is correctly configured.

    • If the deletion succeeds, the delete restriction is incorrectly configured.