Access control lists (ACLs) let you manage permissions to access buckets and objects. Each bucket or object has an attached ACL that functions as a child resource and defines which domains may access the bucket or object and what type of permission they hold. When OBS receives a request to access a resource, it checks that resource's ACL to determine whether the requester has the access permission.

When a bucket or object is created, OBS creates a default ACL that grants full control to the resource owner. The following is an example of an ACL (a default object ACL has the same structure).

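<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="">
  <Owner><ID>*** Owner-Canonical-User-ID ***</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="" xsi:type="Canonical User"><ID>*** Owner-Canonical-User-ID ***</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>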

The example ACL contains an Owner element that identifies the resource owner by the ID of a standard OBS domain user. A Grant element identifies a grantee (an authorized user supported by OBS) and the permission granted to that grantee. The ACL contains a Grant element that applies to the resource owner. Users grant further permissions by adding Grant elements, each of which names one grantee and the permission granted to it. Users can invoke an ACL interface to modify the ACL of an existing bucket or object, or to generate an ACL for it.
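The following is an added example, not code from OBS or from the original page: a small audit that parses an ACL document and reports every grant held by someone other than the owner, and whether the owner's default full-control grant is still present. The function names, the sample IDs and the READ permission in the sample are assumptions for illustration; the element names follow the Owner/Grant layout described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): made-up IDs; READ is a permission not named on the page.
SAMPLE_ACL = """<AccessControlPolicy>
  <Owner><ID>owner-0001</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee><ID>owner-0001</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee><ID>other-0002</ID></Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""


def local(tag):
    """Drop any '{namespace}' prefix so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def find_text(elem, name):
    """Text of the first descendant whose local tag name matches, else None."""
    for node in elem.iter():
        if node is not elem and local(node.tag) == name:
            return (node.text or "").strip()
    return None


def audit_acl(xml_text):
    """Return (owner_id, grants, findings) for one ACL document."""
    root = ET.fromstring(xml_text)
    owner_el = next((e for e in root if local(e.tag) == "Owner"), None)
    owner = find_text(owner_el, "ID") if owner_el is not None else None
    grants, findings = [], []
    for grant in (e for e in root.iter() if local(e.tag) == "Grant"):
        grantee = find_text(grant, "ID") or "(grantee without ID)"
        perm = find_text(grant, "Permission")
        grants.append((grantee, perm))
        if grantee != owner:  # every grant beyond the default one deserves review
            findings.append(f"{grantee} holds {perm} but is not the owner")
    if (owner, "FULL_CONTROL") not in grants:
        findings.append("owner grant with FULL_CONTROL is missing")
    return owner, grants, findings


if __name__ == "__main__":
    print(audit_acl(SAMPLE_ACL)[2])
```

Running the audit against each bucket's ACL after a change gives a quick list of grants that go beyond the default owner-only state.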