Access Policies

Access Policies in Z3

Z3 access policies work the same way as other access policies in Oystehr with additional functionality.

Z3 Scopes

There are two types of Z3 resources managed by access policies:

  • Z3:Bucket
  • Z3:Object

Z3:Bucket

  • Z3:CreateBucket — Grants permission to create a Bucket
  • Z3:DeleteBucket — Grants permission to delete a Bucket
  • Z3:ListBuckets — Grants permission to list some or all Buckets in a project

A Z3 Bucket Resource is referenced by its name inside an access policy rule. To give access to create a Bucket named fruit-vegetables for an actor.

{  
    "action": ["Z3:CreateBucket"],
    "effect": "Allow",
    "resource": "Z3:fruit-vegetables"
}

An asterisk * can be used to reference all Buckets.

{
    "action": ["Z3:CreateBucket"],
    "effect": "Allow",
    "resource": "Z3:*"
}

Z3:Object

  • Z3:GetObject: Grants permission to retrieve objects
  • Z3:DeleteObject: Grants permission to delete objects
  • Z3:PutObject: Grants permission to retrieve presigned URLs to upload files
  • Z3:ListObjects: Grants permission to list objects in a Bucket

Z3 Object resources are referenced by path.

{
    "action": ["Z3:GetObject"],
    "effect": "Deny",
    "resource": "Z3:fruit-vegetables/apple/examples/one.csv"
}

An asterisk * can also be used with Z3 objects.

{
  "action": ["Z3:GetObject"],
  "effect": "Deny",
  "resource": "Z3:fruit-vegetables/apple/examples/*"
}

A string asterisk asterisk ** indicates arbitrary paths.

{
  "action": ["Z3:GetObject"],
  "effect": "Allow",
  "resource": "Z3:fruit-vegetables/apple/**/one.csv",
}

Z3 access policies can be combined to handle the access of a user to specific Buckets and objects.