# Manage ACL for Buckets

You can manage ACL permissions for buckets through the DCD, the IONOS Object Storage API, or the CLI.

{% hint style="danger" %}
**Note:** Due to the granularity limitations and the complexity of managing permissions across a large scale of resources and users, we recommend using [<mark style="color:blue;">Bucket Policy</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/bucket-policy) instead of ACLs.
{% endhint %}

## ACL permission for buckets

The following tables show the ACL permissions that you can configure for buckets in IONOS Object Storage:

{% tabs %}
{% tab title="Contract-owned Buckets" %}

|                **Grantee**                | **Console permission** | **ACL permission** |                                                                          **Access granted**                                                                          |
| :---------------------------------------: | :--------------------: | :----------------: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
| Specific or all users of another contract |     Objects - Read     |        READ        | Allows the grantee to list the objects in the bucket. With this permission, you cannot read the object data and its metadata. |
| Specific or all users of another contract |     Objects - Write    |        WRITE       | Allows grantees to create new objects in the bucket. For the bucket and object owners of existing objects, it also allows deletions and overwrites of those objects. |
| Specific or all users of another contract |    Bucket ACL - Read   |      READ\_ACP     |                                                           Grants the ability to read the ACL of the bucket.                                                          |
| Specific or all users of another contract |   Bucket ACL - Write   |     WRITE\_ACP     |                                                          Allows the grantee to write the ACL of the bucket.                                                          |
|              Group: All users             |     Objects - Read     |        READ        |                         Allows anyone to list the objects in the bucket. With this permission, you cannot read the object data and metadata.                         |
|              Group: All users             |    Bucket ACL - Read   |      READ\_ACP     |                                            Grants public read access for the bucket ACL. Anyone can access the bucket ACL.                                           |
|         Group: Authenticated users        |     Objects - Read     |        READ        | Allows anyone with an IONOS Cloud account to list the objects in the bucket. With this permission, you cannot read the object data and its metadata. |
|         Group: Authenticated users        |    Bucket ACL - Read   |      READ\_ACP     |                                                Grants read access to bucket ACL to anyone with an IONOS Cloud account.                                               |

{% endtab %}

{% tab title="User-owned Buckets" %}

|         **Grantee**        | **Console permission** | **ACL permission** |                                                                          **Access granted**                                                                          |
| :------------------------: | :--------------------: | :----------------: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
|            User            |     Objects - Read     |        READ        | Allows the grantee to list the objects in the bucket. With this permission, you cannot read the object data and its metadata. |
|            User            |     Objects - Write    |        WRITE       | Allows grantees to create new objects in the bucket. For the bucket and object owners of existing objects, it also allows deletions and overwrites of those objects. |
|            User            |    Bucket ACL - Read   |      READ\_ACP     |                                                           Grants the ability to read the ACL of the bucket.                                                          |
|            User            |   Bucket ACL - Write   |     WRITE\_ACP     |                                                          Allows the grantee to write the ACL of the bucket.                                                          |
|      Group: All users      |     Objects - Read     |        READ        |                         Allows anyone to list the objects in the bucket. With this permission, you cannot read the object data and metadata.                         |
|      Group: All users      |    Bucket ACL - Read   |      READ\_ACP     |                                            Grants public read access for the bucket ACL. Anyone can access the bucket ACL.                                           |
| Group: Authenticated users |     Objects - Read     |        READ        | Allows anyone with an IONOS Cloud account to list the objects in the bucket. With this permission, you cannot read the object data and its metadata. |
| Group: Authenticated users |    Bucket ACL - Read   |      READ\_ACP     |                                                Grants read access to bucket ACL to anyone with an IONOS Cloud account.                                               |
|     Log Delivery Group     |     Objects - Write    |        WRITE       |                                                     Enables the group to write server access logs to the bucket.                                                     |

{% hint style="info" %}
**Note:** For security reasons, some access permissions can be granted only through an API call: **Public access** `WRITE`, **Public access** `WRITE_ACP`, **Authenticated users** `WRITE`, and **Authenticated users** `WRITE_ACP`.
{% endhint %}
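
Because the group grants in the tables above reach beyond named users, and the write-level ones can only be set through the API, it is worth checking what a bucket's ACL actually contains. The following is an added example, not IONOS code: it assumes the service returns the standard S3 `AccessControlPolicy` XML and the standard S3 predefined-group URIs, the sample ACL and its IDs are constructed, and the `HIGH`/`MEDIUM` labels are this example's own choice.

```python
import xml.etree.ElementTree as ET

# Standard S3 predefined-group URIs; assumed to be what this S3-compatible service returns.
GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "All users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Authenticated users",
    "http://acs.amazonaws.com/groups/s3/LogDelivery": "Log Delivery Group",
}
# FULL_CONTROL is the standard S3 permission that combines all four bucket permissions.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample of a GetBucketAcl response body (IDs are placeholders).
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Owner><ID>OWNER-ID-PLACEHOLDER</ID></Owner>
  <AccessControlList>
    <Grant><Grantee xsi:type="CanonicalUser"><ID>OWNER-ID-PLACEHOLDER</ID></Grantee>
      <Permission>FULL_CONTROL</Permission></Grant>
    <Grant><Grantee xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>READ</Permission></Grant>
    <Grant><Grantee xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI></Grantee>
      <Permission>WRITE_ACP</Permission></Grant>
    <Grant><Grantee xsi:type="Group"><URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI></Grantee>
      <Permission>WRITE</Permission></Grant>
  </AccessControlList>
</AccessControlPolicy>"""

def _local(tag):
    """Strip the XML namespace so parsing does not depend on the exact xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_bucket_acl(xml_text):
    """Return sorted (severity, group, permission) for grants to All users / Authenticated users."""
    findings = []
    for grant in ET.fromstring(xml_text).iter():
        if _local(grant.tag) != "Grant":
            continue
        fields = {_local(e.tag): (e.text or "").strip() for e in grant.iter()}
        group = GROUPS.get(fields.get("URI", ""))
        perm = fields.get("Permission", "")
        # Named users and contracts are skipped; so is the Log Delivery Group logging grantee.
        if group in (None, "Log Delivery Group"):
            continue
        findings.append(("HIGH" if perm in WRITE_LIKE else "MEDIUM", group, perm))
    return sorted(findings)

if __name__ == "__main__":
    for severity, group, perm in audit_bucket_acl(SAMPLE_ACL):
        print(f"{severity}: {group} has {perm}")
```
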

#### DCD

To manage ACL for buckets using the DCD, follow these steps:

{% hint style="info" %}
**Prerequisites:**

* Make sure the user ID of the grantee is known. For more information, see [<mark style="color:blue;">Retrieve User ID</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/how-tos/retrieve-user-id).
* The grantee should already exist. If not, create a user and retrieve the Canonical User ID by following the steps in [<mark style="color:blue;">Retrieve the user ID of a new user</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/how-tos/retrieve-user-id#retrieve-the-user-id-of-a-new-user).
{% endhint %}

1\. In the **DCD**, go to **Menu** > **Storage & Backup** > **IONOS Object Storage**.

2\. From the drop-down list in the **Buckets** tab, choose either **Show user-owned buckets** or **Show contract-owned buckets** depending on the bucket type you want to view.

3\. From the **Buckets** list, choose the bucket whose ACL you want to manage.

4\. Click **Bucket settings** and choose **Access Control List (ACL)** under the **Access management** section.

5\. Depending on the [<mark style="color:blue;">Bucket Types</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/concepts/bucket-types), manage the access permissions as follows:

{% tabs %}
{% tab title="Contract-owned Buckets" %}

* Select the checkboxes for the access permissions to grant at each grantee level, such as specific or all users of another contract, all users of a group, and authenticated users of a group. For more information, see [<mark style="color:blue;">ACL permission for buckets</mark>](#acl-permission-for-buckets).
* Add grantees to provide additional users with access permission to the contract-owned bucket.
  * In the **Additional Grantees** section, enter the retrieved **Contract Number** of the grantee.
  * Select the checkboxes on the bucket ACL permissions to grant, and click **Add**.

![ACL contract-owned bucket settings](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-c78392781226925dc029354a34d6b94c217d70d2%2Fs3-acl-contract-buckets.png?alt=media)
{% endtab %}

{% tab title="User-owned Buckets" %}

* Select the checkboxes for the access permissions to grant at each grantee level, such as users, all users of a group, authenticated users of a group, and Log Delivery Group. For more information, see [<mark style="color:blue;">ACL permission for buckets</mark>](#acl-permission-for-buckets).
* Add grantees to provide additional users with access permission to the user-owned bucket.
  * In the **Additional Grantees** section, enter the retrieved **Canonical user ID** of the grantee.
  * Select the checkboxes on the bucket ACL permissions to grant, and click **Add**.

![ACL user-owned bucket settings](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-002ba1e8755c78e86739b27e7f45f66d022ad7b8%2Fs3-acl-user-buckets.png?alt=media)
{% endtab %}
{% endtabs %}

6\. Click **Save** to apply ACL permissions and add the grantee to the bucket.

{% hint style="success" %}
**Result:** The ACL permissions are successfully applied on the bucket.
{% endhint %}

{% hint style="info" %}
**Note:** Granting access to a bucket for another IONOS Cloud user does not make the bucket appear in the user's Object Storage in the DCD due to the S3 protocol's architecture. To access the bucket, the user must utilize other [<mark style="color:blue;">S3 Tools</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools) as the granted access does not translate to interface visibility.
{% endhint %}

#### API

Use the [<mark style="color:blue;">API</mark>](https://api.ionos.com/docs/s3/v2/#tag/ACL/operation/PutBucketAcl) to manage bucket ACL permissions.

#### CLI

Use the [<mark style="color:blue;">CLI</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools/awscli/awscli-acl-buckets) to manage ACL permissions for buckets.
{% endtab %}
{% endtabs %}
