- Notes, cautions, and warnings
- Revision history
- About using this guide
- Overview
- Getting Started with ObjectScale
- IAM accounts and account entities
- Introduction to Identity and Access Management
- Accounts
- New Accounts
- View the summary of an account
- Edit Account
- Enable or Disable an Account
- Delete an account
- Users
- Groups
- Roles
- Policies
- Create a new customer-managed policy
- Edit a customer-managed policy
- Delete a customer-managed policy
- Attach a policy to an account entity
- Detach a policy from an account entity
- Attach a permission boundary to an account entity
- Detach a permission boundary from an account entity
- Actions in IAM Policy
- Principal types in IAM Policies
- Identity Provider
- Root Access Keys
- Notification Destinations
- Object stores
- About ObjectScale object stores
- Creating a new object store
- Edit the settings of an object store
- Delete an object store
- View the Summary of an object store
- View the Dashboard of an Object Store
- Understand object store space reclamation
- Set capacity alerts for an object store
- Add additional accounts to an object store
- Edit an account values for an object store
- Remove an account from an object store
- View the certificates for an object store
- Monitor and manage replication for an object store
- View the health of an object store
- Metrics
- Buckets
- About ObjectScale buckets
- Create a bucket
- Edit a bucket
- View the summary of a bucket
- Delete a bucket
- Configure Bucket Logging
- About bucket policies
- Setting up bucket event notifications
- View the Bucket Summary
- Managing Bucket Replication
- Federate ObjectScale Systems
- ObjectScale Replication
- Platform settings
- Management Users and Roles in ObjectScale
- Authentication Providers in ObjectScale Software Bundle
- ObjectScale Administration
- About the Administration section of the ObjectScale Portal
- Installing and maintaining the health of ObjectScale
- Licensing ObjectScale
- System support
- SAML Service Provider Metadata
- Manage ObjectScale Certificates
- Security settings
- Active sessions
- ObjectScale Upgrades
- ObjectScale 1.3 upgrade considerations
- Upgrade ObjectScale on OpenShift
- Upgrade Considerations for OpenShift Container Platform from 4.12 to 4.13
- Prerequisites for OpenShift Container Platform Upgrade from 4.12 to 4.13
- Upgrade Procedure for OpenShift Container Platform from 4.12 to 4.13
- Upgrade ObjectScale on Software Bundle
- Upgrade ObjectScale on Appliance
- Troubleshooting Object store upgrade status in progress after failed node repair
- ObjectScale Management REST API
- Accessing data with IAM and S3
- ObjectScale IAM overview
- Amazon S3 API support in ObjectScale
- Alerts
- About ObjectScale instance event and issue monitoring
- Monitoring Events, Audits, and Alerts
- CSI-01
- CSI-03
- CSI-05
- DECKS-HC-1000
- DECKS-LIC-1002
- DECKS-LIC-1005
- DECKS-LIC-1006
- DECKS-LIC-1008
- DECKS-LIC-1011
- DECKS-SA-1023
- DECKS-SA-1024
- KAHM-HC-1000
- OBJSC-CO-0000
- OBJSC-CO-0001
- OBJSC-CO-0002
- OBJSC-CO-0003
- OBJSC-CO-0004
- NVMF-1389
- NVMF-1390
- NVMF-1393
- NVMF-1395
- NVMF-1396
- OBJPRECHK-2000
- OBJPRECHK-2001
- OBJPRECHK-2002
- OBJPRECHK-2003
- OBJPRECHK-2004
- OBJPRECHK-2005
- OBJPRECHK-2006
- OBJPRECHK-2007
- OBJPRECHK-2008
- OBJPRECHK-2009
- OBJPRECHK-2010
- OBJPSTCHK-3000
- OBJPSTCHK-3001
- OBJPSTCHK-3002
- OBJPSTCHK-3003
- OBJSC-FED-1001
- OBJSC-IAM-1004
- OBJSC-LIC-0004
- OBJSC-MGR-3000
- OBJSC-MGR-HC-1000
- OBJSC-MON-1111
- OBJSC-MON-1112
- OBJSC-MON-1113
- OBJSC-MON-3002
- OBJSC-MON-3003
- OBJSC-MON-4019
- OBJSC-MON-4020
- OBJSC-MON-4021
- OBJSC-MON-4022
- OBJSC-MON-4025
- OBJSC-MON-4028
- OBJSC-SP-0000
- OBJSC-SP-0001
- OBJSC-SP-0002
- OBJSC-SP-0003
- OBJSC-SP-0004
- OBJSC-TARGET-01
- OBJSOP-1000
- OBJSOP-1001
- OBJSOP-1002
- OBJSOP-1003
- OBJSOP-1004
- OBJSOP-1005
- OBJSOP-1006
- OBJSOP-2001
- OBJSOP-2002
- OBJST-1006
- OBJST-1008
- OBJST-12001
- OBJST-12003
- OBJST-12004
- OBJST-12005
- OBJST-12006
- OBJST-12007
- OBJST-12008
- OBJST-12010
- OBJST-12011
- OBJST-13000
- OBJST-13001
- OBJST-13002
- OBJST-13003
- OBJST-13004
- OBJST-13005
- OBJST-13006
- OBJST-13007
- OBJST-13008
- OBJST-13009
- OBJST-13010
- OBJST-13011
- OBJSTEPUPD-4000
- OBJSTEPUPD-4001
- OBJSTEPUPD-4002
- OBJSTEPUPD-4003
- OBJSTEPUPD-4004
- OBJSTEPUPD-4005
- OBJSTEPUPD–4006
- OBJSTEPUPD–4007
- OBJSTEPUPD–4008
- OBJST-1320
- OBJST-1321
- OBJST-1324
- OBJST-1325
- OBJST-1328
- OBJST-1329
- OBJST-1332
- OBJST-1333
- OBJST-1336
- OBJST-1337
- OBJST-1340
- OBJST-1341
- OBJST-1344
- OBJST-1345
- OBJST-1352
- OBJST-1354
- OBJST-1364
- OBJST-1365
- OBJST-1366
- OBJST-1389
- OBJST-1390
- OBJST-1392
- OBJST-1600
- OBJST-1601
- OBJST-1602
- OBJST-1603
- OBJST-1604
- OBJST-1605
- OBJST-1700
- OBJST-1701
- OBJST-2100
- OBJST-2101
- OBJST-MON-4016
- OBJST-MON-4019
- OBJST-MON-4020
- OBJSTORE-HC-1000
- OBJUPD-1000
- SNMPNOTI-1000
- TEST TRAP
- Metrics for ObjectScale and object stores
- Maintain ObjectScale
- About ObjectScale service procedures
- About ObjectScale capacity expansion procedures
- About ObjectScale maintenance modes
- Maintenance mode in ObjectScale on OpenShift
- Place a node into temporary maintenance mode (ObjectScale on OpenShift)
- Remove a node from temporary maintenance mode (ObjectScale on OpenShift)
- Place a healthy node into permanent maintenance mode (ObjectScale on OpenShift)
- Place a failed node into permanent maintenance mode (ObjectScale on OpenShift)
- Temporary maintenance mode for ObjectScale Software Bundle
- Maintenance mode in ObjectScale on Appliance
- Disk replacement service procedure
- Perform a node replacement service procedure (ObjectScale on OpenShift)
- Add a node (ObjectScale Software Bundle)
- Remove a node (ObjectScale Software Bundle)
- Prepare a failed node for node hardware or software maintenance (ObjectScale Software Bundle)
- Prepare a healthy node for node hardware or software maintenance (ObjectScale Software Bundle)
- Replace a healthy node within the ObjectScale Software Bundle
- Replace a failed node within the ObjectScale Software Bundle
- Add a node (ObjectScale Appliance)
- Node Replacement on ObjectScale Appliance
- Node Repair on ObjectScale Appliance
- Failed Node Repair on ObjectScale Appliance
- View service procedure status
- Updating iDRAC IPs Using Server Patch API for ObjectScale Appliance
- Shutting Down and Restarting ObjectScale
- About ObjectScale service procedures
Dell ObjectScale 1.3 Administration Guide
IAM Policies and ACLs
A policy is an object that when associated with an identity or resource defines their permissions. Permissions in the policies determine if the request is permitted or denied.
IAM Policies
ObjectScale IAM enables creation, modification, listing, assigning, and deletion of policies on an identity or resource. IAM policies are stored in JSON format.
Using policies you can:
- Specify actions on a resource.
- Identify resources.
- Identify principals that are applicable for the policies.
- Specify conditions that are applicable
IAM policies define permissions for an action regardless of the method that you use to perform the operation. The following policy types, are designed for use in ObjectScale:
| Policies | Description |
|---|---|
| Identity-based policies | Policies that are assigned to users, groups, and roles which grant permissions to an identity.
|
| Resource-based policies | Resource-based policies are inline policies that are assigned to an ObjectScale resource that grants specified principal permission to perform specific action on the resource.
|
| Permission Boundaries | Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. |
| Session policies | Session policies are used with AssumeRole and AssumeRoleWithSAML APIs. Session policies limit the permissions that the identity-based policies of a role or user grants to the session. Session policies limit permissions for a created session, but do not grant permissions. |
| Access Control Lists (ACLs) | ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account. |
NOTE:If there is an explicit deny in any policy, then the request is denied otherwise there must be a policy that explicitly allows the request. If neither then by default the request is denied.
Policy Basics
Policy is made up of one or list of statements. A statement is contained within a series of elements.
- Version
- Specify the version of the policy language that you want to use. As a best practice, use the latest 2012-10-17 version.
- Statement
- Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
- Sid
- (Optional) Include an optional statement ID to differentiate between your statements.
- Effect
- Use Allow or Deny to indicate whether the policy allows or denies access.
- Principal
- (Required in only some circumstances) If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
- Action
- Include a list of actions that the policy allows or denies.
- Resource
- ARN of resources the permission applied on. * apply to all resources.
- Condition
- (Optional) Specify the circumstances under which the policy grants permission.
ACLs
Access control lists allow you to manage access to objects and buckets. An ACL is attached to all objects and buckets. With S3 ObjectScale IAM access:
Buckets are owned by the account to which they belong and objects are owned by the account to which the user that created the object belongs.
Buckets and object owners can never be changed.
Only an account can be a non-group grantee in an ACL.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\