Creating groups for an S3 tenant

You can manage permissions for S3 user groups by importing federated groups or creating local groups.

Before you begin

Steps

  1. Select Access Control > Groups.

    screenshot showing Access Control > Groups page
  2. Click Add.
    The Add Group page appears.
    screenshot showing Add Group dialog box
  3. For the group's type, select Local to create a local group, or select Federated to import a group from the previously configured identity source.
    Attention: If single sign-on (SSO) is enabled for your StorageGRID system, users belonging to local groups will not be able to sign in to the Tenant Manager, although they can use client applications to manage the tenant's resources, based on group permissions.
  4. Enter the group's name.
    If you selected...    Enter...
    Local                 Both a display name and a unique name for this group. You can edit the display name later.
    Federated             The unique name of the federated group.
    Note: For Active Directory, the unique name is the name associated with the sAMAccountName attribute. For OpenLDAP, the unique name is the name associated with the uid attribute.
  5. Select the tenant account permissions you want to assign to this group.
    See "Tenant management permissions."
  6. From the Group Policy drop-down, select how you want to create the group policy that defines which S3 access permissions members of this group will have.
    Option              Description
    No S3 Access        Default. Users in this group do not have access to S3 resources, unless access is granted with a bucket policy. If you select this option, only the root user will have access to S3 resources by default.
    Read Only Access    Users in this group have read-only access to S3 resources. For example, users in this group can list objects and read object data, metadata, and tags. When you select this option, the JSON string for a read-only group policy appears in the text box. You cannot edit this string.
    Full Access         Users in this group have full access to S3 resources, including buckets. When you select this option, the JSON string for a full-access group policy appears in the text box. You cannot edit this string.
    Custom              Users in the group are granted the permissions you specify in the text box.

    See the instructions for implementing an S3 client application for detailed information about group policies, including language syntax and examples.

  7. If you selected Custom, enter the group policy.
    Note: Each group policy has a size limit of 5,120 bytes. You must enter a valid JSON formatted string.
    Example
    In this example, members of the group are only permitted to list and access their specific folder (key prefix) in the specified bucket. Note that permissions granted by other group policies and by the bucket policy also apply, so take them into account when deciding whether these folders are actually private.
    screenshot showing a custom group policy being added to a tenant group
  8. Click Save.

    New group policies might take up to 15 minutes to take effect because of caching.
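As an added example (not part of the original procedure or NetApp's own code), the following Python script builds the kind of prefix-scoped custom group policy described in steps 6 and 7 and checks it against the two constraints stated in step 7 before you paste it into the Custom text box: it must be valid JSON and at most 5,120 bytes. The policy layout (a `Statement` list with `Effect`, `Action`, `Resource` and an optional `Condition`, plus the `${aws:username}` variable) is assumed to follow S3 bucket-policy syntax; the bucket name `department-bucket` and the helper names are constructed for illustration. The checker also flags statements that allow `s3:*` on every resource, since such a policy is equivalent to Full Access and deserves a second look.

```python
import json

# Size limit stated on the page for each group policy.
MAX_GROUP_POLICY_BYTES = 5120

# Constructed example policy (assumed S3 bucket-policy style syntax).
# Members may list only their own key prefix in the bucket, and may read,
# write and delete only objects under that prefix.
PREFIX_SCOPED_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::department-bucket",
            "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::department-bucket/${aws:username}/*",
        },
    ]
}

# Action/resource values that, together under Allow, grant the whole tenant.
WILDCARD_ACTIONS = {"*", "s3:*"}
WILDCARD_RESOURCES = {"*", "arn:aws:s3:::*"}


def serialize_policy(policy: dict) -> str:
    """Return compact JSON, the form you would paste into the Custom text box."""
    return json.dumps(policy, separators=(",", ":"))


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_policy_text(text: str) -> list:
    """Return a list of problems found; an empty list means the text passes.

    Checks the two constraints from step 7 (valid JSON, <= 5,120 bytes) and
    two review hints: every statement needs Effect/Action/Resource, and an
    Allow of a wildcard action on a wildcard resource is flagged.
    """
    problems = []
    size = len(text.encode("utf-8"))
    if size > MAX_GROUP_POLICY_BYTES:
        problems.append(f"policy is {size} bytes, limit is {MAX_GROUP_POLICY_BYTES}")
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"invalid JSON: {exc.msg} at position {exc.pos}")
        return problems
    statements = policy.get("Statement") if isinstance(policy, dict) else None
    if not isinstance(statements, list) or not statements:
        problems.append("policy must contain a non-empty Statement list")
        return problems
    for index, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"statement {index} is not a JSON object")
            continue
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                problems.append(f"statement {index} is missing {key}")
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        if (stmt.get("Effect") == "Allow"
                and actions & WILDCARD_ACTIONS
                and resources & WILDCARD_RESOURCES):
            problems.append(f"statement {index} allows wildcard actions on all resources")
    return problems


if __name__ == "__main__":
    text = serialize_policy(PREFIX_SCOPED_POLICY)
    print(text)
    print("problems:", check_policy_text(text) or "none")
```

Run the script to print the compact policy text and any problems; an empty problem list means the text is safe to paste. Because the JSON must be unmodified for the size check to be meaningful, the checker measures the UTF-8 byte length of the exact string you would submit rather than the pretty-printed form.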