About Access Control Lists

The ability to read and write objects in a container is governed by the Access Control Lists (ACLs) assigned to the container. These ACLs are written to two metadata fields: X-Container-Read and X-Container-Write.

Users whose roles are listed in these metadata fields can perform the following actions:

  • X-Container-Read: Users can read objects and associated metadata in the given container.
  • X-Container-Write: Users can create and delete objects and associated metadata in the given container.

The metadata field values are a comma-separated list of identity domain ID and role pairs. This allows service administrators to grant read or write access to users in other identity domains. Users with the Storage_Administrator role may define their own roles in the Users page in Infrastructure Classic Console and assign them to the X-Container-Read and X-Container-Write headers on containers, as required.

To create custom roles for a traditional Cloud account, see Adding a Custom Role in Managing and Monitoring Oracle Cloud.

To create custom roles for accounts with Identity Cloud Service, see Create a Custom Role for Cloud Accounts with Identity Cloud Service.

Users with the Storage_Administrator role will always have read and write access to all containers in their service instance.

All non-administrator users are subject to the ACLs for a given container.

The service instance root path is an exception to this, because it does not have ACLs associated with it. For this path, all users can obtain a list of containers, but only users with the Storage_Administrator role can create or delete containers.

By default, when a container is created in Oracle Cloud Infrastructure Object Storage Classic, the following ACLs are assigned:

  • X-Container-Read: identity_domain_ID.storage_service.Storage_ReadOnlyGroup,identity_domain_ID.storage_service.Storage_ReadWriteGroup
  • X-Container-Write: identity_domain_ID.storage_service.Storage_ReadWriteGroup

Example:

The following are the ACL values of a newly created container for a service instance named Storage in an identity domain named myIdentity3.

  • X-Container-Read: myIdentityDomainID.Storage.Storage_ReadOnlyGroup, myIdentityDomainID.Storage.Storage_ReadWriteGroup
  • X-Container-Write: myIdentityDomainID.Storage.Storage_ReadWriteGroup

To learn how to restrict read and write access to containers by using ACLs, see Setting Container ACLs.
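The following is an added example, not Oracle's code: it parses X-Container-Read and X-Container-Write values in the identity_domain_ID.service.Role form described above and applies the rules from this section (Storage_Administrator bypass, cross-domain grants, the ACL-less root path). The User class, domain IDs and role names are constructed assumptions for illustration.

```python
# Added example (not Oracle's code): evaluates Object Storage Classic container
# ACLs as described in the text above. All names below are constructed samples.
STORAGE_ADMIN = "Storage_Administrator"


def parse_acl(header_value):
    """Split a comma-separated ACL header into 'identityDomainID.service.Role' entries."""
    return {entry.strip() for entry in header_value.split(",") if entry.strip()}


class User:
    # Assumption: the user is evaluated against containers in their own service
    # instance, where Storage_Administrator always has read and write access.
    def __init__(self, domain_id, service, roles):
        self.domain_id = domain_id  # identity domain the user belongs to
        self.service = service      # service instance name, e.g. "Storage"
        self.roles = set(roles)     # bare role names assigned to the user

    def acl_entries(self):
        """Entries that grant this user access if they appear in a container ACL."""
        return {f"{self.domain_id}.{self.service}.{r}" for r in self.roles}

    def is_admin(self):
        return STORAGE_ADMIN in self.roles


def can_read(user, container_meta):
    """Read objects and their metadata: admin, or a role listed in X-Container-Read."""
    if user.is_admin():
        return True
    return bool(parse_acl(container_meta.get("X-Container-Read", "")) & user.acl_entries())


def can_write(user, container_meta):
    """Create/delete objects and their metadata: admin, or a role in X-Container-Write."""
    if user.is_admin():
        return True
    return bool(parse_acl(container_meta.get("X-Container-Write", "")) & user.acl_entries())


def can_manage_containers(user):
    """The root path has no ACLs: everyone may list containers, only admins create/delete."""
    return user.is_admin()


def default_acls(domain_id, service):
    """ACLs assigned to a newly created container, per the defaults listed above."""
    ro = f"{domain_id}.{service}.Storage_ReadOnlyGroup"
    rw = f"{domain_id}.{service}.Storage_ReadWriteGroup"
    return {"X-Container-Read": f"{ro},{rw}", "X-Container-Write": rw}
```

Because matching is on the full domain-qualified entry, a Storage_ReadWriteGroup role from a different identity domain grants nothing unless that domain's entry is explicitly added to the header.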

Create a Custom Role for Cloud Accounts with Identity Cloud Service

To create a custom role for cloud accounts with Identity Cloud Service:

  1. Find your Oracle Identity Cloud Service tenant name.
    1. From the dashboard in Infrastructure Classic Console, click Identity Cloud.
    2. In the Additional Information section of the Overview tab, copy the tenant name from the Identity Service Id field. The tenant name begins with the characters idcs- and then is followed by a string of numbers and letters, for example, idcs-6572bfeb183b4becad9e649bfa14a488.
  2. Create a Confidential application in Oracle Identity Cloud Service. See Working with OAuth 2 to Access the REST API in REST API for Oracle Identity Cloud Service.
  3. After activating the application, identify and note down the SCIM Application ID from the application link that's available in the browser. For example, if https://idcs-6572bfeb183b4becad9e649bfa14a488.identity.oraclecloud.com/ui/v1/adminconsole?root=apps&app=e947cd3a3573975980930d52dfc111fb is the application link in the browser, then the SCIM application ID is e947cd3a3573975980930d52dfc111fb.
  4. Base64 encode the client ID and client secret that you had noted down while creating the application, and then obtain an access token. See Working with OAuth 2 to Access the REST API in REST API for Oracle Identity Cloud Service.
  5. In the response, you can see Status: 200. Copy the value of access_token from the response as you will have to provide this value while sending a REST request to the Oracle Identity Cloud Service REST API.
  6. Run the following command to create a custom role for the application. Provide the tenant base URL, access token value, and SCIM application ID based on your environment.
    curl --request POST \
      --url https://idcs-<tenant-base-url>.identity.oraclecloud.com/admin/v1/AppRoles \
      --header 'authorization: Bearer <access token that you have obtained in the previous step>' \
      --header 'content-type: application/json' \
      --data ' {
      "displayName": "My_Custom_Application_Role",
      "adminRole": false,
      "description": "My custom application role",
      "availableToUsers": true,
      "availableToGroups": true,
      "availableToClients": true,
      "app": {
        "value": "<SCIM Application ID that you have identified>"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:oracle:idcs:AppRole"
      ]
    }'