Creating groups for an S3 tenant

You can manage the access permissions for an S3 tenant account by creating local groups or by importing federated groups. As required, you can also specify S3 policies for each group.

Before you begin


  1. Select Access Control > Groups.

    screenshot showing Access Control > Groups page
  2. Click Add.
  3. Select Local to create a local group, or select Federated to import a group from the previously configured identity source.
  4. Enter the group's name.
    If you selected...    Enter...
    Local                 Both a display name and a unique name for this group. You can edit the display name later.
    Federated             The unique name of the federated group.
    Note: For Active Directory, the unique name is the name associated with the sAMAccountName attribute. For OpenLDAP, the unique name is the name associated with the uid attribute.
  5. In the Management Permissions section, select the tenant account permissions you want to assign to this group.
    See "Tenant management permissions."
  6. To attach a group policy to this group, enter a JSON formatted string in the S3 Policy text box.
    Attention: The S3 group policy controls the access permissions for specific S3 resources, including buckets. Non-root users have no access to these resources by default.

    screenshot showing Add Group dialog box

    The JSON string is validated as it is entered, and you can only save group policy strings that are valid.

    Each group policy has a size limit of 5,120 bytes.

    For example, the following group policy gives group members permission to perform all operations on all resources owned by the S3 tenant account:

    {
      "Statement": [{
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "urn:sgws:s3:::*"
      }]
    }

    Note: See the instructions for implementing an S3 client application for detailed information about group policies, including language syntax and examples.
  7. Click Save.

    New group policies might take up to 15 minutes to take effect because of caching.