# Manage ACL for Objects

You can manage ACL permissions for objects through the DCD, the IONOS Object Storage API, or the CLI.

{% hint style="danger" %}
**Note:** Due to the granularity limitations and the complexity of managing permissions across a large scale of resources and users, we recommend using [<mark style="color:blue;">Bucket Policy</mark>](/cloud/backup-and-storage/ionos-object-storage/settings/bucket-policy.md) instead of ACLs.
{% endhint %}

## ACL permission for objects

The following table shows the ACL permissions that you can configure for objects in a bucket in the IONOS Object Storage:

{% tabs %}
{% tab title="Contract-owned Buckets" %}

|                **Grantee**                | **Console permission** | **ACL permission** |                                                        **Access granted**                                                       |
| :---------------------------------------: | :--------------------: | :----------------: | :-----------------------------------------------------------------------------------------------------------------------------: |
| Specific or all users of another contract |     Objects - Read     |        READ        |                                     Allows grantee to read the object data and its metadata.                                    |
| Specific or all users of another contract |    Object ACL - Read   |      READ\_ACP     |                                            Grants the ability to read the object ACL.                                           |
| Specific or all users of another contract |   Object ACL - Write   |     WRITE\_ACP     |                                  Allows the grantee to write the ACL of the applicable object.                                  |
|              Group: All users             |     Objects - Read     |        READ        |                                     Allows anyone to read the object data and its metadata.                                     |
|              Group: All users             |    Object ACL - Read   |      READ\_ACP     |                                              Allows anyone to read the object ACL.                                              |
|         Group: Authenticated users        |     Objects - Read     |        READ        |                  Allows anyone with an IONOS Cloud account to read the object data and its metadata.                  |
|         Group: Authenticated users        |    Object ACL - Read   |      READ\_ACP     |                        Grants read access to object ACL to anyone with an IONOS Cloud account.                        |

{% endtab %}

{% tab title="User-owned Buckets" %}

|         **Grantee**        | **Console permission** | **ACL permission** |                                                        **Access granted**                                                       |
| :------------------------: | :--------------------: | :----------------: | :-----------------------------------------------------------------------------------------------------------------------------: |
|            User            |     Objects - Read     |        READ        |                                     Allows grantee to read the object data and its metadata.                                    |
|            User            |    Object ACL - Read   |      READ\_ACP     |                                            Grants the ability to read the object ACL.                                           |
|            User            |   Object ACL - Write   |     WRITE\_ACP     |                                  Allows the grantee to write the ACL of the applicable object.                                  |
|      Group: All users      |     Objects - Read     |        READ        |                                     Allows anyone to read the object data and its metadata.                                     |
|      Group: All users      |    Object ACL - Read   |      READ\_ACP     |                                              Allows anyone to read the object ACL.                                              |
| Group: Authenticated users |     Objects - Read     |        READ        |                  Allows anyone with an IONOS Cloud account to read the object data and its metadata.                  |
| Group: Authenticated users |    Object ACL - Read   |      READ\_ACP     |                        Grants read access to object ACL to anyone with an IONOS Cloud account.                        |

{% endtab %}
{% endtabs %}

These permissions are applied at the individual object level, offering high granularity in access control.

{% hint style="info" %}
**Note:** For security, granting some access permissions such as **Public access** `WRITE_ACP` and **Authenticated users** `WRITE_ACP` is possible only through an API call.
{% endhint %}

### DCD

To manage ACL for objects using the DCD, follow these steps:

{% hint style="info" %}
**Prerequisites:**

* Make sure the user ID of the grantee is known. For more information, see [<mark style="color:blue;">Retrieve User ID</mark>](/cloud/backup-and-storage/ionos-object-storage/how-tos/retrieve-user-id.md).
* The grantee should already exist. If not, create a user and retrieve the Canonical User ID by following the steps in [<mark style="color:blue;">Retrieve the user ID of a new user</mark>](/cloud/backup-and-storage/ionos-object-storage/how-tos/retrieve-user-id.md#retrieve-the-user-id-of-a-new-user).
{% endhint %}

1\. In the **DCD**, go to **Menu** > **Storage & Backup** > **IONOS Object Storage**.

2\. From the drop-down list in the **Buckets** tab, choose either **Show user-owned buckets** or **Show contract-owned buckets**, depending on the bucket type you want to view.

3\. From the **Buckets** list, choose the bucket under which the object ACL to be modified exists.

4\. From the **Objects** list, choose the object for which ACL permissions must be modified.

5\. From the **Object Settings**, go to the **Access Control List (ACL)**.

6\. Depending on the [<mark style="color:blue;">Bucket Types</mark>](/cloud/backup-and-storage/ionos-object-storage/concepts/bucket-types.md), manage the object access permissions as follows:

{% tabs %}
{% tab title="Contract-owned Buckets" %}

* Select the checkboxes against the access permissions to grant at each user level such as specific or all users of another contract, all users of a group, and authenticated users of a group. For more information, see [<mark style="color:blue;">ACL permission for objects</mark>](#acl-permission-for-objects).
* Add grantees to provide additional users with access permission to the contract-owned bucket's objects.
  * In the **Additional Grantees** section, enter the retrieved **Contract Number** of the grantee.
  * Select the checkboxes on the object ACL permissions to grant, and click **Add**.

![ACL object settings for contract-owned bucket](/files/PkglVqKRQrI2RDUiypBM)
{% endtab %}

{% tab title="User-owned Buckets" %}

* Select the checkboxes against the access permissions to grant at each user level such as users, all users of a group, authenticated users of a group, and Log Delivery Group. For more information, see [<mark style="color:blue;">ACL permission for objects</mark>](#acl-permission-for-objects).
* Add grantees to provide additional users with access permission to the user-owned bucket's objects.
  * In the **Additional Grantees** section, enter the retrieved **Canonical user ID** of the grantee.
  * Select the checkboxes on the object ACL permissions to grant, and click **Add**.

![ACL object settings for user-owned bucket](/files/ovW8YKNdlxOTPt3Him88)
{% endtab %}
{% endtabs %}

7\. Click **Save** to apply ACL permissions and add the grantee to the object.

{% hint style="success" %}
**Result:** The object ACL permissions are successfully applied to the object.
{% endhint %}

### API

Use the [<mark style="color:blue;">API</mark>](https://api.ionos.com/docs/s3/v2/#tag/ACL/operation/PutObjectAcl) to manage object ACL permissions.
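The following added example (not part of the IONOS documentation or tooling) audits an object ACL for the group grants listed in the table above and rates `WRITE_ACP` on a group as the most severe finding. It assumes the ACL is returned as a standard S3 `AccessControlPolicy` XML document with the usual S3 group URIs; the sample document, the IDs in it, and the function name `audit_object_acl` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Assumption: the service uses the standard S3 group URIs.
GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "All users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Authenticated users",
}
# In S3 ACLs, FULL_CONTROL on an object implies READ, READ_ACP and WRITE_ACP.
EXPANDS = {"FULL_CONTROL": ("READ", "READ_ACP", "WRITE_ACP")}

# Constructed sample ACL document (IDs are placeholders, not real values).
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Owner><ID>EXAMPLE-OWNER-ID</ID></Owner>
  <AccessControlList>
    <Grant><Grantee xsi:type="CanonicalUser"><ID>EXAMPLE-OWNER-ID</ID></Grantee>
      <Permission>FULL_CONTROL</Permission></Grant>
    <Grant><Grantee xsi:type="Group">
      <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>READ</Permission></Grant>
    <Grant><Grantee xsi:type="Group">
      <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI></Grantee>
      <Permission>WRITE_ACP</Permission></Grant>
  </AccessControlList>
</AccessControlPolicy>"""

def audit_object_acl(xml_text):
    """Return sorted (severity, group, permission) findings for group grants."""
    findings = set()
    for grant in ET.fromstring(xml_text).iter(NS + "Grant"):
        grantee = grant.find(NS + "Grantee")
        if grantee is None or grantee.get(XSI_TYPE) != "Group":
            continue  # grants to individual users are out of scope here
        group = GROUPS.get(grantee.findtext(NS + "URI", default="").strip())
        if group is None:
            continue  # a group this audit does not track
        perm = grant.findtext(NS + "Permission", default="").strip()
        for p in EXPANDS.get(perm, (perm,)):
            # A group that can rewrite the ACL can grant itself anything else.
            severity = "HIGH" if p == "WRITE_ACP" else "REVIEW"
            findings.add((severity, group, p))
    return sorted(findings)

if __name__ == "__main__":
    for severity, group, perm in audit_object_acl(SAMPLE_ACL):
        print(f"{severity:6} {group}: {perm}")
```
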

### CLI

Use the [<mark style="color:blue;">CLI</mark>](/cloud/backup-and-storage/ionos-object-storage/s3-tools/awscli/awscli-acl-objects.md) to manage ACL permissions for objects.
