Baidu AI Cloud


          Object Storage

          Set Read and Write Permissions of Bucket

          Overview

          To keep the data you store in BOS secure, BOS provides multi-level access control. The BOS access control system is divided into the following three levels:

          • Bucket standard permission: the permission settings common across the industry, namely private, public read, and public read-write.
          • Coarse-grained custom permission: permissions with a finer granularity than the standard permission. It grants the READ, LIST, WRITE, FULL_CONTROL, and MODIFY permissions to specified users, restricts the resources the permission applies to, and limits it with an IP address and referer whitelist.
          • Fine-grained custom permission: API-level custom permissions provided by BOS. The APIs that can be set fall into 18 categories, such as GetBucket, GetObject, PutObject, and DeleteObject, and you can customize the access control for each category.

          Set Bucket Read/write Permission

          1. Log in to the BOS Management Console.
          2. In the Bucket List on the left, select the bucket whose permission you want to set, and then click the bucket name to enter the bucket management directory.
          3. Select the Configuration Management tab in the navigation bar at the top.
          4. Select “Basic Configuration” on the Configuration Management page, and then click “Change Configuration” in the Bucket Permission Configuration area to configure the permission of this bucket.


          5. You can set the bucket to private, public read, or public read-write. For other requirements, select custom permissions and then click “Add Custom Authorization” to add permissions.


          6. In the Add Custom Permission form that pops up, fill in the items for the authorization.


          The configuration items of a custom permission are described below.

          Configuration Name: User Authorization
          • All users: this configuration is effective for all users.
          • Custom: this configuration is effective for the specified users only. When you select “Custom”, enter the user IDs you want to specify; you can view a user ID in the User Center. BOS supports setting multiple user IDs at the same time: enter each user ID on its own line, with no punctuation at the end of the line. To make the permission effective for all users, enter "*" (at most one "*" may be entered). You can also enter AuthenticatedUsers to authorize all registered Baidu AI Cloud users.

          Configuration Name: Authorization Effect
          • Sets the effect of the permission for the authorized users. If you select "Allow", the configured permission is granted to the user with the "Allow" effect. If you select "Deny", the configured permission is applied to the user with the "Deny" effect.

          Configuration Name: Authorization Configuration
          • Coarse-grained custom permission: includes the READ, LIST, WRITE, MODIFY, and FULL_CONTROL permissions.
          • Fine-grained custom permission: click "Advanced Settings" to expand the fine-grained permission list, and select one or more permissions as needed to form a new custom permission.
          • The fine-grained permissions and the coarse-grained READ, LIST, WRITE, FULL_CONTROL, and MODIFY permissions do not affect each other and can be authorized at the same time.
          • Coarse-grained permissions take precedence over fine-grained permissions: if both are configured, the coarse-grained permissions overwrite the fine-grained permissions and the coarse-grained permissions prevail. Combine coarse-grained and fine-grained permissions according to your own needs.

          Configuration Name: Resources
          • Specifies the range of resources this permission applies to.
          • "Included" resources are the resources on which the permission takes effect. Each resource must start with the bucket name. If a resource contains only one slash, it must not end with the slash; it should end with the wildcard "*" instead. Multiple resources can be set, one per line, each with a wildcard where needed, for example:
            `myBucket`
            `myBucket/*`
            `myBucket/myfolder/object*`
            If the resource is left blank, it is equivalent to the bucket name.
          • "Excluded" resources define the permission for objects outside the specified range. They are filled in the same way as "Included" resources. If you select "Excluded" but leave the setting blank, it is equivalent to not configuring it, and the default range applies, that is, the bucket itself and all objects in the bucket.

          Configuration Name: Access Control
          • Referer: sets the referer whitelist. Individual referers are separated by a newline, and each referer supports at most one wildcard `*`. You can also choose whether a blank referer is allowed. When you select “Referer Left Blank”, HTTP requests whose referer matches the whitelist and requests with an empty referer are both allowed. When you select “Referer Not Left Blank”, only HTTP requests whose referer matches the whitelist are allowed; requests with an empty referer are not allowed.
          • IP address: specifies the list of IP addresses that have this permission. IP addresses are given in CIDR notation. You can set multiple IP addresses, one per line. A line may contain at most one wildcard `*`, and a line that uses the wildcard ends with `.*`. Examples:
            `192.168.1.*`
            `192.168.0.1/24`
            `192.168.0.100`
            `192.168.*`
          • HTTPS protocol: the whitelist supports only the HTTP and HTTPS protocols. If you want to use the HTTPS protocol, you need to select this option.
          • Access time: BOS supports setting an access time for this custom permission. You can set the minimum time and the maximum time of the access time range.
          • VPC: BOS supports setting VPC access control for this custom permission. You can allow or prohibit a VPC from accessing your bucket.

          Descriptions:
          • If you want to carry out access control based on the IP address, you need to access the bucket through the official bucket domain name or a custom domain name without CDN acceleration enabled. If you access BOS through the official CDN domain name or a custom domain name with CDN acceleration enabled, the IP setting is invalid.
          • At present, VPC access control is only available in the North China - Baoding region, through a whitelist. If you want to use it, please submit a ticket (https://ticket.bce.baidu.com/?_=1603103630709#/ticket/create) to contact us.
          7. Click OK to complete the configuration.
          8. After the configuration, you can see the generated permission records in Bucket Permission Configuration, and adjust the existing permissions by clicking the “Modify” and “Delete” buttons.
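The items configured in the form above (user match, Allow or Deny effect, coarse-grained permissions overriding fine-grained ones, resource patterns, and the referer, IP and HTTPS conditions) define a rule set that the console applies to every request. The following Python is an added example, not BOS's own code or its ACL wire format: it models those rules locally so that a planned rule set can be checked against sample requests before it is applied. The mapping from coarse-grained permissions to API categories, the rule that a matching Deny beats any Allow, and the private default when no rule matches are this example's assumptions; the bucket name, user ID, addresses and referer are constructed.

```python
# Added example (not BOS code): a local model of the page's custom-permission
# rules, so that a rule set can be checked against sample requests offline.
import fnmatch
import ipaddress
from dataclasses import dataclass, field

# ASSUMPTION: which fine-grained API categories each coarse-grained
# permission covers; this mapping is the example's own simplification.
COARSE_TO_FINE = {
    "READ": {"GetObject"}, "LIST": {"GetBucket"},
    "WRITE": {"PutObject", "DeleteObject"}, "MODIFY": {"PutObject"},
    "FULL_CONTROL": {"GetObject", "GetBucket", "PutObject", "DeleteObject"},
}

@dataclass
class Rule:
    users: set                    # user IDs, "*" or "AuthenticatedUsers"
    effect: str                   # "Allow" or "Deny"
    resources: list               # e.g. "myBucket", "myBucket/img/*"
    coarse: set = field(default_factory=set)
    fine: set = field(default_factory=set)
    referers: list = field(default_factory=list)   # empty = no referer check
    allow_blank_referer: bool = True
    ips: list = field(default_factory=list)        # empty = no IP check
    https_only: bool = False

@dataclass
class Request:
    user: str                     # "" for an anonymous caller
    authenticated: bool
    op: str                       # fine-grained API category
    resource: str                 # "bucket" or "bucket/key"
    ip: str
    referer: str = ""
    https: bool = False

def validate_resource(bucket, resource):
    """Page rules: the resource starts with the bucket name, and one with a
    single slash must end in the wildcard '*' rather than in the slash."""
    if resource != bucket and not resource.startswith(bucket + "/"):
        return False
    return not (resource.count("/") == 1 and not resource.endswith("*"))

def ip_matches(pattern, ip):
    """Entry is CIDR or a single address, or a prefix ending in '.*'."""
    if "*" in pattern:
        return fnmatch.fnmatchcase(ip, pattern)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def referer_matches(rule, referer):
    if not rule.referers:
        return True
    if referer == "":             # the "Referer Left Blank" toggle
        return rule.allow_blank_referer
    return any(fnmatch.fnmatchcase(referer, p) for p in rule.referers)

def user_matches(rule, req):
    return ("*" in rule.users or req.user in rule.users
            or ("AuthenticatedUsers" in rule.users and req.authenticated))

def rule_covers_op(rule, op):
    # Coarse-grained takes precedence: if any is set, the rule's own
    # fine-grained list is ignored, as the page states.
    if rule.coarse:
        return any(op in COARSE_TO_FINE[c] for c in rule.coarse)
    return op in rule.fine

def rule_matches(rule, req):
    return (user_matches(rule, req) and rule_covers_op(rule, req.op)
            and any(fnmatch.fnmatchcase(req.resource, r) for r in rule.resources)
            and referer_matches(rule, req.referer)
            and (not rule.ips or any(ip_matches(p, req.ip) for p in rule.ips))
            and (req.https or not rule.https_only))

def evaluate(rules, req):
    """ASSUMPTION: a matching Deny beats any Allow; a request matching no
    rule falls back to the private default and is denied."""
    effects = {r.effect for r in rules if rule_matches(r, req)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"

# Constructed rule set: anonymous READ of myBucket/img/* only from two address
# ranges and only with a Referer from the site's own pages, plus an explicit
# Deny of GetObject for one constructed user ID.
RULES = [
    Rule(users={"*"}, effect="Allow", resources=["myBucket/img/*"],
         coarse={"READ"}, referers=["https://www.example.com/*"],
         allow_blank_referer=False, ips=["192.168.1.*", "10.0.0.0/24"]),
    Rule(users={"user-0001"}, effect="Deny", resources=["myBucket/*"],
         fine={"GetObject"}),
]

def demo():
    """Effects for four constructed requests: in-policy anonymous read,
    blank Referer, IP outside both ranges, and the explicitly denied user."""
    base = dict(op="GetObject", resource="myBucket/img/logo.png",
                ip="192.168.1.77", referer="https://www.example.com/index.html")
    reqs = [Request(user="", authenticated=False, **base),
            Request(user="", authenticated=False, **{**base, "referer": ""}),
            Request(user="", authenticated=False, **{**base, "ip": "10.0.1.5"}),
            Request(user="user-0001", authenticated=True, **base)]
    return [evaluate(RULES, r) for r in reqs]
```

Running `demo()` returns `["Allow", "Deny", "Deny", "Deny"]`: only the request that satisfies every condition at once is allowed, the blank Referer is rejected because the rule was configured as "Referer Not Left Blank", the out-of-range IP matches no whitelist line, and the explicit Deny for the named user overrides the "all users" Allow. Remember the page's note that IP conditions are only enforced when the bucket is reached through a non-CDN domain name.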

