sObject – Sub-User Permissions
Publisher: Psychz Networks, August 08, 2025
Creating separate credentials for every colleague, script, or application is the safest way to share access to your object storage buckets. You can assign one of four permission levels when you add a sub-user in the /dashboard.
Permission Levels
To maintain data integrity, ensure appropriate access, and enforce security protocols, it is essential to define clear user permission levels within a system. These permission levels determine what actions a user can perform on data storage resources such as buckets and objects.
Permission Level | Allowed | Restricted |
---|---|---|
Read | | |
Write | | |
Full | | |
How Requests Are Categorised
Understanding how requests are categorised helps in managing and optimising access. Each operation type corresponds to specific HTTP methods that define what a user can do.
- Read operations use the HTTP GET or HEAD verbs (listing or downloading data).
- Write operations use PUT, POST, DELETE, and multipart-upload calls.
- Full permissions add the ability to change access-control information on top of read/write.
Choosing the Right Level
Selecting the appropriate permission level depends on the intended use case. This ensures users get only the access they need.
- Read – CDN or image hosting that only needs to pull objects
- Write – One-way data ingest (e.g., nightly backups uploaded by a script)
- Full – DevOps or power users who need to manage bucket policies or share access further
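The request categories and use cases above can be turned into a least-privilege check. The following is an added example, not Psychz Networks code: it classifies requests by HTTP verb and flags sub-users whose assigned level is higher than their traffic needs. The key names, the `(sub-user, method, target)` record shape, the `?acl`/`?policy` subresources as the markers of access-control changes, and the ordering Read < Write < Full are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: Write also covers Read's verbs; Full adds access-control changes.
LEVELS = ["Read", "Write", "Full"]
READ_VERBS = {"GET", "HEAD"}
WRITE_VERBS = {"PUT", "POST", "DELETE"}
# Assumption: S3-style subresources that carry access-control information.
ACL_SUBRESOURCES = {"acl", "policy"}


def required_level(method, target):
    """Return the lowest permission level that covers one request."""
    method = method.upper()
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method in WRITE_VERBS:
        return "Full" if ACL_SUBRESOURCES.intersection(query) else "Write"
    if method in READ_VERBS:
        return "Read"
    raise ValueError(f"unrecognised HTTP method: {method}")


def audit(assigned, requests):
    """Compare each sub-user's assigned level with what its traffic needs."""
    needed = {}
    for user, method, target in requests:
        level = required_level(method, target)
        needed[user] = max(needed.get(user, level), level, key=LEVELS.index)
    report = {}
    for user, level in assigned.items():
        need = needed.get(user)
        if need is None:
            report[user] = "unused: consider removing the sub-user"
        elif LEVELS.index(need) < LEVELS.index(level):
            report[user] = f"over-privileged: {level} assigned, {need} sufficient"
        elif LEVELS.index(need) > LEVELS.index(level):
            report[user] = f"requests exceed {level}: {need} attempted"
        else:
            report[user] = "ok"
    return report


# Constructed sample data (hypothetical key names and request records).
ASSIGNED = {"cdn-key": "Write", "backup-key": "Write",
            "ops-key": "Full", "old-key": "Read"}
SAMPLE_REQUESTS = [
    ("cdn-key", "GET", "/images/logo.png"),
    ("cdn-key", "HEAD", "/images/banner.jpg"),
    ("backup-key", "POST", "/backups/db.tar?uploads"),
    ("backup-key", "PUT", "/backups/db.tar?partNumber=1&uploadId=EXAMPLE"),
    ("ops-key", "PUT", "/backups?policy"),
]
```

Calling `audit(ASSIGNED, SAMPLE_REQUESTS)` returns one finding per sub-user; keys reported as over-privileged or unused are candidates for a lower level or removal.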
Managing Permissions in the Dashboard
The Dashboard provides a simple interface for assigning or editing user permissions. Follow the steps below to manage sub-user access effectively.
- Log in and open Dashboard > Storage > sObject > Manage > Users.
- Select Create Sub-User or choose Edit on an existing sub-user.
- Select the desired Permission (Read, Write, or Full).
- Click Create.
Tip: Create separate sub-users for distinct tasks. For example, use one read-only key for your CDN and another read/write key for your CI pipeline, while keeping the master account keys offline.
Frequently Asked Questions
- Does a sub-user with Full permissions become a platform admin?
No. Full permission only grants control over bucket-level policies for that account and does not provide platform-wide admin rights.
- Can I restrict a sub-user further using a bucket policy?
Yes. sObject honours standard S3-style bucket policies; the most restrictive rule always wins.
- Is there a limit to how many sub-users I can create?
There is no platform-imposed limit, but it is best practice to keep credentials organised. Each sub-user can have one S3 key pair.