ossbrowser lets you perform simple permission management to grant users access to specific resources in a bucket.
Use cases
If multiple employees need to access resources in a bucket, you can use ossbrowser to grant them different permissions. For example, you can grant one employee temporary access to a specific directory in a bucket, or grant another employee long-term read-only or read/write permissions on an entire bucket or a specific directory.
Prerequisites
For data security, use the AccessKey pair of a RAM user (for example, RAM User A) to log on to ossbrowser. This RAM user must have permissions to manage a bucket, and be granted the AliyunRAMFullAccess policy (for managing Resource Access Management) and the AliyunSTSAssumeRoleAccess policy (for calling the AssumeRole API operation of STS). These policies are required for temporary authorization and simplified policy authorization. For more information, see Create a RAM user and Grant permissions to a RAM user.
Temporary authorization
Temporary authorization lets you generate a temporary authorization token by calling the AssumeRole API operation. You can provide this token to a user, who can then assume a RAM role to gain temporary access to a specific directory in your bucket. The token automatically expires after a specified period.
-
Log on to ossbrowser using the AccessKey pair of RAM User A.
For more information, see Create an AccessKey pair and Log on to ossbrowser 1.0.
-
Click the name of the target bucket.
-
Select the checkbox for the directory you want to authorize, and then choose .
ImportantAuthorization tokens can only be generated for directories.

-
Configure the permissions, validity period, and RAM role, and then click Generate.
NoteThe RAM role must have at least read-only permissions on the directory.
-
Click Copy to copy the generated authorization token.
-
Provide the authorization token to other users so that they can temporarily access a directory in your bucket.
NoteThese users can use the authorization token to log on to ossbrowser. For more information, see Log on to ossbrowser 1.0.
Long-term authorization
ossbrowser supports long-term authorization through its simplify policy authorization feature. This feature automatically generates a policy based on the permissions you select and attaches it to a RAM user. After authorization, the RAM user has long-term read-only or read/write permissions on a specific bucket or directory.
The simplify policy authorization feature in ossbrowser is based on Alibaba Cloud Resource Access Management (RAM). For more fine-grained control, you can also manage RAM users directly in the RAM console.
-
Log on to ossbrowser as RAM User A.
-
Click the name of the target bucket.
-
Select the checkbox for one or more files or directories to authorize, and then choose .
-
On the Simplify policy authorization page, select the permissions you want.
-
Grant permissions to an existing RAM user (for example, RAM User B) or create a new RAM user.
NoteYou can click View Policy to view the generated policy text and copy it for use elsewhere. For example, you can paste the policy text into the RAM console to edit authorization policies for RAM users and RAM roles.
-
RAM User B can now log on to ossbrowser with their AccessKey pair and manage the authorized resources.