# Manage ACL for Objects

You can manage ACL permissions for objects through the DCD, the <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> API, or the CLI.

{% hint style="danger" %}
**Note:** Because of the granularity limitations of ACLs and the complexity of managing permissions across a large number of resources and users, we recommend using [<mark style="color:blue;">Bucket Policy</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/bucket-policy) instead of ACLs.
{% endhint %}

## ACL permission for objects

The following table shows the ACL permissions that you can configure for objects in a bucket in the <code class="expression">space.vars.ionos\_cloud\_object\_storage</code>:

{% tabs %}
{% tab title="Contract-owned Buckets" %}

|                **Grantee**                | **Console permission** | **ACL permission** |                                  **Access granted**                                 |
| :---------------------------------------: | :--------------------: | :----------------: | :---------------------------------------------------------------------------------: |
| Specific or all users of another contract |     Objects - Read     |        READ        |               Allows grantee to read the object data and its metadata.              |
| Specific or all users of another contract |    Object ACL - Read   |      READ\_ACP     |                      Grants the ability to read the object ACL.                     |
| Specific or all users of another contract |   Object ACL - Write   |     WRITE\_ACP     |            Allows the grantee to write the ACL of the applicable object.            |
|              Group: All users             |     Objects - Read     |        READ        |               Allows anyone to read the object data and its metadata.               |
|              Group: All users             |    Object ACL - Read   |      READ\_ACP     |                        Allows anyone to read the object ACL.                        |
|         Group: Authenticated users        |     Objects - Read     |        READ        | Allows anyone with an IONOS Cloud account to read the object data and its metadata. |
|         Group: Authenticated users        |    Object ACL - Read   |      READ\_ACP     |       Grants read access to object ACL to anyone with an IONOS Cloud account.       |

**User-owned buckets:**

|         **Grantee**        | **Console permission** | **ACL permission** |                                  **Access granted**                                 |
| :------------------------: | :--------------------: | :----------------: | :---------------------------------------------------------------------------------: |
|            User            |     Objects - Read     |        READ        |               Allows grantee to read the object data and its metadata.              |
|            User            |    Object ACL - Read   |      READ\_ACP     |                      Grants the ability to read the object ACL.                     |
|            User            |   Object ACL - Write   |     WRITE\_ACP     |            Allows the grantee to write the ACL of the applicable object.            |
|      Group: All users      |     Objects - Read     |        READ        |               Allows anyone to read the object data and its metadata.               |
|      Group: All users      |    Object ACL - Read   |      READ\_ACP     |                        Allows anyone to read the object ACL.                        |
| Group: Authenticated users |     Objects - Read     |        READ        | Allows anyone with an IONOS Cloud account to read the object data and its metadata. |
| Group: Authenticated users |    Object ACL - Read   |      READ\_ACP     |       Grants read access to object ACL to anyone with an IONOS Cloud account.       |

These permissions are applied at the level of individual objects, which gives fine-grained access control.

{% hint style="info" %}
**Note:** For security, granting some of the access permissions such as **Public access** `WRITE_ACP` and **Authenticated users** `WRITE_ACP` is possible only through an API call.
{% endhint %}

#### DCD

To manage ACL for objects using the DCD, follow these steps:

{% hint style="info" %}
**Prerequisites:**

* Make sure the user ID of the grantee is known. For more information, see [<mark style="color:blue;">Retrieve User ID</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/how-tos/retrieve-user-id).
* The grantee should already exist. If not, create a user and retrieve the Canonical User ID by following the steps in [<mark style="color:blue;">Retrieve the user ID of a new user</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/how-tos/retrieve-user-id#retrieve-the-user-id-of-a-new-user).
{% endhint %}

1\. In the **DCD**, go to **Menu** > **Storage & Backup** > **IONOS Object Storage**.

2\. From the drop-down list in the **Buckets** tab, choose either **Show user-owned buckets** or **Show contract-owned buckets**, depending on the bucket type you want to view.

3\. From the **Buckets** list, choose the bucket that contains the object whose ACL you want to modify.

4\. From the **Objects** list, choose the object for which ACL permissions must be modified.

5\. From the **Object Settings**, go to the **Access Control List (ACL)**.

6\. Depending on the [<mark style="color:blue;">Bucket Types</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/concepts/bucket-types), manage the object access permissions as follows:

{% tabs %}
{% tab title="Contract-owned Buckets" %}

* Select the checkboxes against the access permissions to grant at each user level such as specific or all users of another contract, all users of a group, and authenticated users of a group. For more information, see [<mark style="color:blue;">ACL permission for objects</mark>](#acl-permission-for-objects).
* Add grantees to provide additional users with access permission to the contract-owned bucket's objects.
  * In the **Additional Grantees** section, enter the retrieved **Contract Number** of the grantee.
  * Select the checkboxes on the object ACL permissions to grant, and click **Add**.

![ACL object settings for contract-owned bucket](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-591ce19a6eb7c47bac04d4e7e41a2c45bff09cb7%2Fs3-acl-object-settings.png?alt=media)
{% endtab %}

{% tab title="User-owned Buckets" %}

* Select the checkboxes against the access permissions to grant at each user level such as users, all users of a group, authenticated users of a group, and Log Delivery Group. For more information, see [<mark style="color:blue;">ACL permission for objects</mark>](#acl-permission-for-objects).
* Add grantees to provide additional users with access permission to the user-owned bucket's objects.
  * In the **Additional Grantees** section, enter the retrieved **Canonical user ID** of the grantee.
  * Select the checkboxes on the object ACL permissions to grant, and click **Add**.

![ACL object settings for user-owned bucket](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-becda62edcf2e20acc65bfdf74af8196f3821fce%2Fs3-acl-object-user-bucket-settings.png?alt=media)
{% endtab %}
{% endtabs %}

7\. Click **Save** to apply ACL permissions and add the grantee to the object.

{% hint style="success" %}
**Result:** The object ACL permissions are successfully applied to the object.
{% endhint %}

#### API

Use the [<mark style="color:blue;">API</mark>](https://api.ionos.com/docs/s3/v2/#tag/ACL/operation/PutObjectAcl) to manage object ACL permissions.
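
To review an object's ACL after changing it, the following added example (not IONOS code) parses an object ACL document and lists every grant made to a group, marking grants that the permission tables above do not list for groups. It assumes the S3-style `AccessControlPolicy` XML and the standard S3 group URIs; `audit_object_acl` and `SAMPLE_ACL` are hypothetical names, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Standard S3 group URIs (assumption: these are the two groups in the tables above).
GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Group: All users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Group: Authenticated users",
}
# Group permissions that the tables list as console permissions.
CONSOLE_GROUP_PERMISSIONS = {"READ", "READ_ACP"}

def audit_object_acl(acl_xml):
    """Return (grantee, permission, in_console_table) for each group grant."""
    findings = []
    for grant in ET.fromstring(acl_xml).iter(NS + "Grant"):
        grantee = grant.find(NS + "Grantee")
        if grantee is None or grantee.get(XSI_TYPE) != "Group":
            continue  # grant to an individual grantee, not to a whole group
        uri = (grantee.findtext(NS + "URI") or "").strip()
        permission = (grant.findtext(NS + "Permission") or "").strip()
        findings.append((GROUPS.get(uri, uri), permission,
                         permission in CONSOLE_GROUP_PERMISSIONS))
    return findings

# Constructed sample ACL document; the owner ID is a placeholder.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Owner><ID>OWNER-ID-PLACEHOLDER</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xsi:type="CanonicalUser"><ID>OWNER-ID-PLACEHOLDER</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI></Grantee>
      <Permission>WRITE_ACP</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

if __name__ == "__main__":
    for grantee, permission, in_table in audit_object_acl(SAMPLE_ACL):
        note = "" if in_table else " (not in the console tables; API-only grant)"
        print(f"{grantee}: {permission}{note}")
```
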

#### CLI

Use the [<mark style="color:blue;">CLI</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools/awscli/awscli-acl-objects) to manage ACL permissions for objects.
{% endtab %}
{% endtabs %}
