Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
<a name="obs_03_0114"></a>
<h1 class="topictitle1">How Does Authorization Work When Multiple Access Control Mechanisms Co-Exist?</h1>
<div id="body1557026128761"><p id="obs_03_0114__p2366102212325">Based on the principle of least privilege, the default access control result is always deny, and an explicit deny statement always takes precedence over an allow statement. Suppose that <span id="obs_03_0114__ph9419171385810">IAM policies</span> grant a user access to an object, a bucket policy denies the user access to that object, and there is no ACL. Then the user's access to the object will be denied.</p>
<p id="obs_03_0114__p1416134111327">If no mechanism specifies an allow statement, the request is denied by default. The request is allowed only if no mechanism specifies a deny statement and one or more mechanisms specify an allow statement. For example, if a bucket already has multiple bucket policies with allow statements, adding another bucket policy with an allow statement simply adds the allowed permissions to the bucket, but adding a bucket policy with a deny statement re-arranges the permissions: the deny statement takes precedence over the allow statements, even if the denied permissions are allowed in other bucket policies.</p>
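<p>The decision rule described above, as an added example that is not part of the OBS documentation or the service's own implementation. The <code>Statement</code> structure, the mechanism labels ("iam", "bucket_policy", "acl"), the glob-style resource matching and the sample policies are all constructed assumptions used only to illustrate how allows accumulate and how a single deny overrides them.</p>

```python
"""Model of the combined OBS authorization decision (added example).

Assumptions: a Statement carries a mechanism label, an effect, one action
and a resource pattern; resource patterns use fnmatch-style globs."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Literal

Effect = Literal["Allow", "Deny"]


@dataclass(frozen=True)
class Statement:
    mechanism: str   # "iam", "bucket_policy" or "acl" (assumed labels)
    effect: Effect
    action: str      # e.g. "obs:object:GetObject"; "*" matches any action
    resource: str    # glob such as "bucket-a/*" (fnmatch syntax assumed)


def authorize(statements: Iterable[Statement], action: str, resource: str) -> Effect:
    """Default deny; any matching explicit Deny wins regardless of which
    mechanism it comes from; otherwise Allow only if at least one
    mechanism carries a matching Allow."""
    matching = [s for s in statements
                if s.action in (action, "*") and fnmatch(resource, s.resource)]
    if any(s.effect == "Deny" for s in matching):
        return "Deny"        # explicit deny beats every allow
    if any(s.effect == "Allow" for s in matching):
        return "Allow"       # at least one allow and no deny
    return "Deny"            # nothing matched: least-privilege default


def effective_permissions(statements: List[Statement], actions: List[str],
                          resource: str) -> Dict[str, Effect]:
    """Decision per action for one resource, to show how adding a policy
    changes the effective permission set."""
    return {a: authorize(statements, a, resource) for a in actions}


# Constructed scenario 1 from the text: IAM allows, bucket policy denies, no ACL.
IAM_ALLOW = Statement("iam", "Allow", "obs:object:GetObject", "bucket-a/report.pdf")
BUCKET_DENY = Statement("bucket_policy", "Deny", "obs:object:GetObject", "bucket-a/*")

# Constructed scenario 2: several bucket policies. A and B only add allows;
# C denies GetObject under one prefix even though A still allows it.
POLICY_A = [Statement("bucket_policy", "Allow", "obs:object:GetObject", "bucket-b/*")]
POLICY_B = [Statement("bucket_policy", "Allow", "obs:object:PutObject", "bucket-b/*")]
POLICY_C = [Statement("bucket_policy", "Deny", "obs:object:GetObject", "bucket-b/secret/*")]

if __name__ == "__main__":
    print(authorize([IAM_ALLOW, BUCKET_DENY], "obs:object:GetObject", "bucket-a/report.pdf"))
    acts = ["obs:object:GetObject", "obs:object:PutObject"]
    print(effective_permissions(POLICY_A + POLICY_B, acts, "bucket-b/secret/x"))
    print(effective_permissions(POLICY_A + POLICY_B + POLICY_C, acts, "bucket-b/secret/x"))
```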
<div class="fignone" id="obs_03_0114__fig137808145374"><span class="figcap"><b>Figure 1 </b>Authorization process</span><br><span><img id="obs_03_0114__image1291856165214" src="en-us_image_0168203499.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="obs_03_0114__p3975193111381"><a href="#obs_03_0114__fig1251114133010">Figure 2</a> is a matrix of the <span id="obs_03_0114__ph318811172715">IAM policies</span>, bucket policies, and ACLs (allow and deny effects).</p>
<div class="fignone" id="obs_03_0114__fig1251114133010"><a name="obs_03_0114__fig1251114133010"></a><a name="fig1251114133010"></a><span class="figcap"><b>Figure 2 </b>Matrix of the <span id="obs_03_0114__ph17548151312279">IAM policies</span>, bucket policies, and ACLs (allow and deny effects)</span><br><span><img id="obs_03_0114__image8757123514593" src="en-us_image_0168203521.png" title="Click to enlarge" class="imgResize"></span></div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_03_0109.html">Permission Control Mechanisms</a></div>
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>