Authorization Methods

Differences Between Bucket Policies, User Policies, Bucket ACLs, and Object ACLs
The differences between bucket policies, user policies, bucket ACLs, and object ACLs are as follows, which are further illustrated in Table 1:
User policies grant permissions based on users. Bucket policies, bucket ACLs, and object ACLs grant permissions based on resources.
User policies and bucket policies are based on the access policy language and therefore provide higher permission control flexibility. They allow you to grant the permission of each specific action and the permission effect can be set to deny or allow. Bucket ACLs and object ACLs are based on ACLs ad therefore provide relatively lower permission control flexibility. They allow you to grant only basic read and write permissions.
User policies cannot be used to grant permissions to anonymous users. Bucket policies, bucket ACLs, and object ACLs can be used to grant permissions to anonymous users.
User policies are configured in the CAM console. Bucket policies, bucket ACLs, and object ACLs are configured in the COS console.
Table 1. Differences between authorization methods
Item
﻿
User policy
Bucket policy
Bucket ACL
Object ACL
Classification
﻿
User-based authorization
Resource-based authorization
Resource-based authorization
Resource-based authorization
Permission control flexibility
﻿
High flexibility
High flexibility
Low flexibility
Low flexibility
Console configuration
﻿
CAM console
COS console
COS console
COS console
Access control element
User
All CAM identities (sub-accounts, roles, etc.) management by the current account
Sub-accounts, root accounts, anonymous users
Sub-accounts, other root accounts, anonymous users
Sub-accounts, other root accounts, anonymous users
﻿
﻿
﻿
﻿
﻿
Sub-account Tencent Cloud services, roles, etc.
﻿
﻿
Before cross-account authorization, you need to add the target account as your collaborator.
Directly supports cross-account authorization.
﻿
﻿
﻿
Effect
Allow + Deny
Allow + Deny
Allow only
Allow only
﻿
Resource
All cloud resources, all COS buckets, specified buckets (prefixes, objects, etc.)
Specified buckets (prefixes, objects, etc.)
Entire bucket
Specified objects
﻿
Action
Every specific action
Every specific action (excluding bucket creation and bucket listing)
Simplified read and write permissions
Simplified read and write permissions
﻿
Condition
Supported
Supported
Not supported
Not supported
﻿
How to Choose an Appropriate Authorization Method?
The differences listed in Table 1 show the advantages and disadvantages of different authorization methods. You can choose an appropriate authorization method based on your own needs.
But whichever authorization method you choose, you are advised to maintain consistency as much as possible. Otherwise, with the increase of bucket policies, user policies, and ACLs, it will become increasingly difficult to maintain permissions.
When do I use an ACL?
Note: 
 Enabling anonymous access (Public Read) is highly risky due to hotlinking risks. In cases where Public Read is required, you can set hotlink protection to improve security.
Use ACLs if you only need to set some simple access permissions for buckets and objects or enable anonymous access. However, in most cases, you are advised to use bucket policies or user policies, which are more flexible. ACLs are recommended in scenarios where you want to:
Set simple access permissions.
Set access permissions quickly in the console.
Make an object, directory, or bucket accessible to all anonymous internet users.
Each account supports only 1,000 ACLs. If this upper limit is exceeded, select bucket policies or user policies instead.
When do I use a user policy?
If you want to specify what operations a user can perform, you are advised to configure user policy. You can search for a CAM user and check the permissions of the user's user groups to see what operations the user can perform. A user policy is recommended in scenarios where you want to:
Configure COS service-level permissions such as the permissions for bucket creation and bucket listing.
Grant permissions on all COS buckets and objects under your root account.
Grant the same permissions to a large number of CAM users under the root account.
When do I use a bucket policy?
If you want to specify which users can access a COS bucket, you are advised to configure a bucket policy. You can search for a bucket and check the bucket's policy to see who can access the bucket. A bucket policy is recommended in scenarios where you want to:
Authorize a specific bucket.
Authorize a specific action with the authorization effect set to deny or allow, which is not supported by ACL.
Use cross-account authorization and anonymous user authorization, which are not supported by user policies.

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

Item			User policy	Bucket policy	Bucket ACL	Object ACL
Classification			User-based authorization	Resource-based authorization	Resource-based authorization	Resource-based authorization
Permission control flexibility			High flexibility	High flexibility	Low flexibility	Low flexibility
Console configuration			CAM console	COS console	COS console	COS console
Access control element	User	All CAM identities (sub-accounts, roles, etc.) management by the current account	Sub-accounts, root accounts, anonymous users	Sub-accounts, other root accounts, anonymous users	Sub-accounts, other root accounts, anonymous users
				Sub-accounts, other root accounts, anonymous users	Sub-accounts, other root accounts, anonymous users		Sub-account Tencent Cloud services, roles, etc.
				Before cross-account authorization, you need to add the target account as your collaborator.	Directly supports cross-account authorization.
		Effect	Allow + Deny	Allow + Deny	Allow only	Allow only
		Resource	All cloud resources, all COS buckets, specified buckets (prefixes, objects, etc.)	Specified buckets (prefixes, objects, etc.)	Entire bucket	Specified objects
		Action	Every specific action	Every specific action (excluding bucket creation and bucket listing)	Simplified read and write permissions	Simplified read and write permissions
		Condition	Supported	Supported	Not supported	Not supported

tencent cloud

New User Offers

Next-Generation CDN：EdgeOne

Elasticsearch Service free trial

Free Tier

Tencent Cloud Startup Program

Special Offers

Lighthouse Special Offers

Cloud Object Storage Special Offers

Featured Products

New Products

Education

Tencent Cloud Online Education Solutions

Gaming

Gaming Solution

Game Media Solutions

E-commerce

E-commerce retail solutions

Audio & Video

Audio/Video Solution

LVB Recording Solution

Interactive Classroom Solution

Interactive Live Streaming Solution

Audio Chat Social Networking Solution

Financial Services

Financial Services Solution

Compute

Cloud Virtual Machine

Auto Scaling

Batch Compute

CVM Dedicated Host

Database

TencentDB for MySQL

TencentDB for Redis®

TencentDB for CTSDB

TDSQL for MySQL

Data Transfer Service

TencentDB for MongoDB

TencentDB for PostgreSQL

TencentDB for SQL Server

TencentDB for TcaplusDB

Video Service

Cloud Streaming Services

Video on Demand

Media Processing Service

Cloud Application Rendering

Cloud Contact Center

Game Multimedia Engine

Chat

Real-time Communication

Tencent Effect SDK

AI and Machine Learning

Image Creation Large Model

Face Fusion

eKYC

Optical Character Recognition

Video Creation Large Model

Industry Applications

Tencent HealthCare Omics Platform

Container and Middleware

TDMQ for CKafka

Serverless Cloud Function

Tencent Kubernetes Engine

Tencent Kubernetes Engine for Serverless

Networking

Cloud Load Balancer

Virtual Private Cloud

Direct Connect

Cloud Connect Network

NAT Gateway

VPN Connection

Bandwidth Package

Anycast Internet Acceleration

Elastic Network Interface

Flow Logs

Global Application Acceleration Platform

Security

Captcha

Cloud Workload Protection Platform

Data Security Governance Center