ovh
diff --git a/‎pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md‎
Lines changed: 63 additions & 30 deletions b/‎pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md‎
Lines changed: 63 additions & 30 deletions
diff --git a/‎pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md‎
Lines changed: 63 additions & 30 deletions b/‎pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md‎
Lines changed: 63 additions & 30 deletions
@@ -1,7 +1,7 @@
 ---
 title: Object Storage - Identitäts- und Zugriffsverwaltung (EN)
 excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources
-updated: 2025-08-25
+updated: 2025-08-26
 ---
 
 ## Objective
@@ -23,11 +23,11 @@ Click `Create User`{.action}.
 
 If you already have OpenStack users, you can select one of these:
 
-![Add Object Storage user](images/highperf-identity-and-access-management-20220928085304931.png)
+![Add Object Storage user](images/highperf-identity-and-access-management-20220928085304931.png){.thumbnail}
 
 then
 
-![Add Object Storage user](images/highperf-identity-and-access-management-2022092808554688.png)
+![Add Object Storage user](images/highperf-identity-and-access-management-2022092808554688.png){.thumbnail}
 
 > [!primary]
 >
@@ -36,11 +36,11 @@ then
 
 Otherwise, create a new user:
 
-![Add Object Storage user](images/highperf-identity-and-access-management-20220928085501719.png)
+![Add Object Storage user](images/highperf-identity-and-access-management-20220928085501719.png){.thumbnail}
 
 Once your user has been created, you will see the credentials:
 
-![Credentials](images/highperf-identity-and-access-management-20220928085714656.png)
+![Credentials](images/highperf-identity-and-access-management-20220928085714656.png){.thumbnail}
 
 > [!primary]
 >
@@ -53,46 +53,75 @@ You can define access to your buckets via predefined profiles.
 
 Click on the `...`{.action} at the end of your bucket line, then `Add a user to a container`{.action}.
 
-![Add a user to a container](images/highperf-identity-and-access-management-20220928090844174.png)
+![Add a user to a container](images/highperf-identity-and-access-management-20220928090844174.png){.thumbnail}
 
 Select the user to add to your bucket and click `Next`{.action}.
 
-![Add a user to my container](images/highperf-identity-and-access-management-20220928083641625.png)
+![Add a user to my container](images/highperf-identity-and-access-management-20220928083641625.png){.thumbnail}
 
 Set access to your bucket for this user and click on `Confirm`{.action}.
 
-![Add a user to my container - Role](images/highperf-identity-and-access-management-20220928083800300.png)
+![Add a user to my container - Role](images/highperf-identity-and-access-management-20220928083800300.png){.thumbnail}
 
 ### Manage access to an object via a profile
 
 You can also set access to your objects via predefined profiles.
 
 Click on the `...`{.action} at the end of your object line, then `Add user to my object`{.action}.
 
-![object menu](images/highperf-identity-and-access-management-20220928084137918.png)
+![object menu](images/highperf-identity-and-access-management-20220928084137918.png){.thumbnail}
 
 Select the user and click `Next`{.action}.
 
-![add user to my object](images/highperf-identity-and-access-management-20220928084222940.png)
+![add user to my object](images/highperf-identity-and-access-management-20220928084222940.png){.thumbnail}
 
 Select the access profile for this user and click `Confirm`{.action}.
 
-![add role to my object](images/highperf-identity-and-access-management-20220928084308265.png)
+![add role to my object](images/highperf-identity-and-access-management-20220928084308265.png){.thumbnail}
 
 ### Advanced resource access management
 
+#### Overview
+
+By default, all resources (buckets, objects) and sub-resources (lifecycle configuration, webite configuration, etc.) are private in Object Storage. Only the resource owner, i.e the user account that creates it, has full control.
+
+Access to private resources can be granted via access policies. Access policies can be categorized broadly into 2 types :
+
+- user based: access policies attached to a specific user are called user policies. A user policy is evaluated using Object Storage IAM permissions and applies only to the specific user it is attached to.
+- resource based : bucket policies and ACLs are policies that are attached directly to specific resources
+
+> [!primary]
+>
+> Bucket policies is a feature that is not yet available for Object Storage. This article is about user policies.
+>
+
 You can refine your permissions by importing a JSON configuration file. To do this, go to the `Object Storage Policy Users`{.action} tab.
 
-![Object Storage users](images/highperf-identity-and-access-management-20220928084435242.png)
+![Object Storage users](images/highperf-identity-and-access-management-20220928084435242.png){.thumbnail}
 
 Click on the `...`{.action} at the end of your user's line, then `Import JSON file`{.action}.
 
 > [!primary]
 >
 > If you want to change a user's rights, you may need to download the JSON configuration file in advance by selecting `Download JSON File`{.action}.
+> 
+
+#### Understanding the user policy evaluation process
+
+At the moment, user permissions are evaluated as follows:
+
+1. if exists, evaluate user policy else fallback to ACLs
+    1. check for an explicit deny: if there is an explicit deny, then deny permission, else, check for an explicit allow
+    2. check for an explicit allow: if there is an explicit allow, then allow permission
+    3. if there is no explicit deny nor explicit allow, then fallback to ACLs
+2. fallback to ACLs
+
+> [!primary]
+>
+> This evaluation process will be subject to change with the upcoming implementation of bucket policies.
 >
 
-Some examples of JSON configuration files:
+#### Some examples of JSON configuration files:
 
 **Read/write access to a bucket and its objects**
 
@@ -164,53 +193,57 @@ Some examples of JSON configuration files:
 }
 ```
 
-
-**Allow read access to objects only to specific IPs**
+**Allow all operations to specific IPs by whitelisting authorized IPs**
 
 ```json
 {
   "Statement": {
     "Sid": "ExampleStatement01",
-    "Effect": "Allow",
-    "Action": [
-      "s3:GetObject",
-      "s3:ListBucket",
-      "s3:ListBucketVersions"
-    ],
+    "Effect": "Deny",
+    "Action": "s3:*",
     "Resource": [
+      "arn:aws:s3:::companybucket",
       "arn:aws:s3:::companybucket/*"
     ],
     "Condition": {
-      "IpAddress": {
+      "NotIpAddress": {
         "aws:SourceIp": "10.0.0.5/16"
       }
     }
   }
-}
+} 
 ```
 
-**Allow all operations to specific IPs by whitelisting authorized IPs**
+> [!primary]
+>
+> As a consequence of the current authorization process, **implicit** deny is **not** supported by OVHcloud Object Storage if the user is the bucket owner i.e since ACLs are evaluated by default and since the bucket owner has FULL_CONTROL ACL, if the user is the bucket owner and even if there is no explicit allow in the policy file, he will be authorized.
+> 
+
+The following policy to attempt to allow read access to objects only to specific IPs will **not** work under current conditions if attached to the bucket owner i.e even if the bucket owner makes his requests from IPs that are not in the specified range, he will be authorized.
 
 ```json
 {
   "Statement": {
     "Sid": "ExampleStatement01",
-    "Effect": "Deny",
-    "Action": "s3:*",
+    "Effect": "Allow",
+    "Action": [
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketVersions"
+    ],
     "Resource": [
-      "arn:aws:s3:::companybucket",
       "arn:aws:s3:::companybucket/*"
     ],
     "Condition": {
-      "NotIpAddress": {
+      "IpAddress": {
         "aws:SourceIp": "10.0.0.5/16"
       }
     }
   }
-} 
+}
 ```
 
-**Deny read access to objects to specific IPs by blacklisting unauthorized IPs**
+The following policy to attempt to deny read access to objects to specific IPs by blacklisting unauthorized IPs will **not** work under current conditions if attached to the bucket owner because there is no explicit deny and requests from the specified IPs will not match the allow, therefore, we fallback to the ACLs.
 
 ```json
 {
 
@@ -1,7 +1,7 @@
 ---
 title: Object Storage - Identity and access management
 excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources
-updated: 2025-08-25
+updated: 2025-08-26
 ---
 
 ## Objective
@@ -23,11 +23,11 @@ Click `Create User`{.action}.
 
 If you already have OpenStack users, you can select one of these:
 
-![Add Object Storage user](images/highperf-identity-and-access-management-20220928085304931.png)
+![Add Object Storage user](images/highperf-identity-and-access-management-20220928085304931.png){.thumbnail}
 
 then
 
-![Add Object Storage user](images/highperf-identity-and-access-management-2022092808554688.png)
+![Add Object Storage user](images/highperf-identity-and-access-management-2022092808554688.png){.thumbnail}
 
 > [!primary]
 >
@@ -36,11 +36,11 @@ then
 
 Otherwise, create a new user:
 
-![Add Object Storage user](images/highperf-identity-and-access-management-20220928085501719.png)
+![Add Object Storage user](images/highperf-identity-and-access-management-20220928085501719.png){.thumbnail}
 
 Once your user has been created, you will see the credentials:
 
-![Credentials](images/highperf-identity-and-access-management-20220928085714656.png)
+![Credentials](images/highperf-identity-and-access-management-20220928085714656.png){.thumbnail}
 
 > [!primary]
 >
@@ -53,46 +53,75 @@ You can define access to your buckets via predefined profiles.
 
 Click on the `...`{.action} at the end of your bucket line, then `Add a user to a container`{.action}.
 
-![Add a user to a container](images/highperf-identity-and-access-management-20220928090844174.png)
+![Add a user to a container](images/highperf-identity-and-access-management-20220928090844174.png){.thumbnail}
 
 Select the user to add to your bucket and click `Next`{.action}.
 
-![Add a user to my container](images/highperf-identity-and-access-management-20220928083641625.png)
+![Add a user to my container](images/highperf-identity-and-access-management-20220928083641625.png){.thumbnail}
 
 Set access to your bucket for this user and click on `Confirm`{.action}.
 
-![Add a user to my container - Role](images/highperf-identity-and-access-management-20220928083800300.png)
+![Add a user to my container - Role](images/highperf-identity-and-access-management-20220928083800300.png){.thumbnail}
 
 ### Manage access to an object via a profile
 
 You can also set access to your objects via predefined profiles.
 
 Click on the `...`{.action} at the end of your object line, then `Add user to my object`{.action}.
 
-![object menu](images/highperf-identity-and-access-management-20220928084137918.png)
+![object menu](images/highperf-identity-and-access-management-20220928084137918.png){.thumbnail}
 
 Select the user and click `Next`{.action}.
 
-![add user to my object](images/highperf-identity-and-access-management-20220928084222940.png)
+![add user to my object](images/highperf-identity-and-access-management-20220928084222940.png){.thumbnail}
 
 Select the access profile for this user and click `Confirm`{.action}.
 
-![add role to my object](images/highperf-identity-and-access-management-20220928084308265.png)
+![add role to my object](images/highperf-identity-and-access-management-20220928084308265.png){.thumbnail}
 
 ### Advanced resource access management
 
+#### Overview
+
+By default, all resources (buckets, objects) and sub-resources (lifecycle configuration, webite configuration, etc.) are private in Object Storage. Only the resource owner, i.e the user account that creates it, has full control.
+
+Access to private resources can be granted via access policies. Access policies can be categorized broadly into 2 types :
+
+- user based: access policies attached to a specific user are called user policies. A user policy is evaluated using Object Storage IAM permissions and applies only to the specific user it is attached to.
+- resource based : bucket policies and ACLs are policies that are attached directly to specific resources
+
+> [!primary]
+>
+> Bucket policies is a feature that is not yet available for Object Storage. This article is about user policies.
+>
+
 You can refine your permissions by importing a JSON configuration file. To do this, go to the `Object Storage Policy Users`{.action} tab.
 
-![Object Storage users](images/highperf-identity-and-access-management-20220928084435242.png)
+![Object Storage users](images/highperf-identity-and-access-management-20220928084435242.png){.thumbnail}
 
 Click on the `...`{.action} at the end of your user's line, then `Import JSON file`{.action}.
 
 > [!primary]
 >
 > If you want to change a user's rights, you may need to download the JSON configuration file in advance by selecting `Download JSON File`{.action}.
+> 
+
+#### Understanding the user policy evaluation process
+
+At the moment, user permissions are evaluated as follows:
+
+1. if exists, evaluate user policy else fallback to ACLs
+    1. check for an explicit deny: if there is an explicit deny, then deny permission, else, check for an explicit allow
+    2. check for an explicit allow: if there is an explicit allow, then allow permission
+    3. if there is no explicit deny nor explicit allow, then fallback to ACLs
+2. fallback to ACLs
+
+> [!primary]
+>
+> This evaluation process will be subject to change with the upcoming implementation of bucket policies.
 >
 
-Some examples of JSON configuration files:
+#### Some examples of JSON configuration files:
 
 **Read/write access to a bucket and its objects**
 
@@ -164,53 +193,57 @@ Some examples of JSON configuration files:
 }
 ```
 
-
-**Allow read access to objects only to specific IPs**
+**Allow all operations to specific IPs by whitelisting authorized IPs**
 
 ```json
 {
   "Statement": {
     "Sid": "ExampleStatement01",
-    "Effect": "Allow",
-    "Action": [
-      "s3:GetObject",
-      "s3:ListBucket",
-      "s3:ListBucketVersions"
-    ],
+    "Effect": "Deny",
+    "Action": "s3:*",
     "Resource": [
+      "arn:aws:s3:::companybucket",
       "arn:aws:s3:::companybucket/*"
     ],
     "Condition": {
-      "IpAddress": {
+      "NotIpAddress": {
         "aws:SourceIp": "10.0.0.5/16"
       }
     }
   }
-}
+} 
 ```
 
-**Allow all operations to specific IPs by whitelisting authorized IPs**
+> [!primary]
+>
+> As a consequence of the current authorization process, **implicit** deny is **not** supported by OVHcloud Object Storage if the user is the bucket owner i.e since ACLs are evaluated by default and since the bucket owner has FULL_CONTROL ACL, if the user is the bucket owner and even if there is no explicit allow in the policy file, he will be authorized.
+> 
+
+The following policy to attempt to allow read access to objects only to specific IPs will **not** work under current conditions if attached to the bucket owner i.e even if the bucket owner makes his requests from IPs that are not in the specified range, he will be authorized.
 
 ```json
 {
   "Statement": {
     "Sid": "ExampleStatement01",
-    "Effect": "Deny",
-    "Action": "s3:*",
+    "Effect": "Allow",
+    "Action": [
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketVersions"
+    ],
     "Resource": [
-      "arn:aws:s3:::companybucket",
       "arn:aws:s3:::companybucket/*"
     ],
     "Condition": {
-      "NotIpAddress": {
+      "IpAddress": {
         "aws:SourceIp": "10.0.0.5/16"
       }
     }
   }
-} 
+}
 ```
 
-**Deny read access to objects to specific IPs by blacklisting unauthorized IPs**
+The following policy to attempt to deny read access to objects to specific IPs by blacklisting unauthorized IPs will **not** work under current conditions if attached to the bucket owner because there is no explicit deny and requests from the specified IPs will not match the allow, therefore, we fallback to the ACLs.
 
 ```json
 {