Creating groups for an S3 tenant

You can manage the access permissions for an S3 tenant account by creating local groups or by importing federated groups. As required, you can also specify S3 policies for each group.

Before you begin


  1. Select Access Control > Groups.

    screenshot showing Access Control > Groups page
  2. Click Add.
  3. Select Local to create a local group, or select Federated to import a group from the previously configured identity source.
  4. Enter the group's name.
    If you selected...   Enter...
    Local                Both a display name and a unique name for this group. You can edit the display name later.
    Federated            The unique name of the federated group.
    Note: For Active Directory, the unique name is the name associated with the sAMAccountName attribute. For OpenLDAP, the unique name is the name associated with the uid attribute.
  5. In the Management Permissions section, select the tenant account permissions you want to assign to this group.
    See "Tenant management permissions."
  6. If you want to attach a group policy to this group, enter a JSON formatted string in the S3 Policy text box.

    screenshot showing Add Group dialog box

    The JSON string is validated as it is entered, and you can only save group policy strings that are valid.

    Each group policy has a size limit of 5,120 bytes.

    Policy statements are built using this structure to specify permissions:
    <Principal> is allowed/denied to perform <Action> to <Resource> when <Condition> applies

    For a group policy, you do not need to specify <Principal>. The principal is simply the group for which you are specifying the policy.

    For example, the following group policy gives group members permission to perform all operations on all resources owned by the S3 tenant account:

     {
       "Statement": [{
         "Action": "s3:*",
         "Effect": "Allow",
         "Resource": "urn:sgws:s3:::*"
       }]
     }

    Note: See the S3 (Simple Storage Service) Implementation Guide for detailed information about group policies, including language syntax and examples.
  7. Click Save.

    New group policies might take up to 15 minutes to take effect because of caching.
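
A pre-save check for the group policy string described in step 6, written as an added example (not NetApp's code or the Tenant Manager's own validation). It assumes the 5,120-byte limit is measured on the UTF-8 encoded string, and the "full access" finding is a review heuristic of this example; the function name, the read-only policy and the bucket name example-bucket are constructed for illustration.

```python
import json

MAX_POLICY_BYTES = 5120  # per-group policy size limit stated in step 6


def _as_list(value):
    """Policy elements may be a single string or an array of strings."""
    return value if isinstance(value, list) else [value]


def check_group_policy(policy_text):
    """Return review findings for a group policy string (empty list = clean)."""
    findings = []
    size = len(policy_text.encode("utf-8"))  # assumption: limit counts UTF-8 bytes
    if size > MAX_POLICY_BYTES:
        findings.append(f"size: {size} bytes exceeds {MAX_POLICY_BYTES}")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"json: {exc.msg} (line {exc.lineno})"]
    statements = policy.get("Statement") if isinstance(policy, dict) else None
    if not isinstance(statements, list) or not statements:
        return findings + ['structure: "Statement" must be a non-empty array']
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(f"statement {i}: not a JSON object")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        if "Principal" in stmt:
            findings.append(f"statement {i}: Principal is implied by the group")
        # Review heuristic (assumption of this example): flag allow-everything.
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (stmt.get("Effect") == "Allow" and "s3:*" in actions
                and any(r == "urn:sgws:s3:::*" for r in resources)):
            findings.append(f"statement {i}: full access to all tenant resources")
    return findings


# The page's example policy, and a constructed narrower one for comparison.
FULL_ACCESS = ('{"Statement": [{"Action": "s3:*", "Effect": "Allow", '
               '"Resource": "urn:sgws:s3:::*"}]}')
READ_ONLY = ('{"Statement": [{"Action": ["s3:GetObject", "s3:ListBucket"], '
             '"Effect": "Allow", "Resource": ["urn:sgws:s3:::example-bucket", '
             '"urn:sgws:s3:::example-bucket/*"]}]}')

if __name__ == "__main__":
    for name, text in (("full-access", FULL_ACCESS), ("read-only", READ_ONLY)):
        print(name, check_group_policy(text) or "no findings")
```

Run it against a draft policy before pasting it into the S3 Policy text box; a policy that passes here can still be rejected by the Tenant Manager's own validation.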