December 17, 2025 - AI Object Storage Console Access for Non-Admin Users
Grant non-admin users access to specific AI Object Storage actions in the Cloud Console
Update, Storage
Non-admin users can now perform AI Object Storage actions in the Cloud Console when granted specific permissions via organization access policies.
Overview
Previously, only users with the Object Storage Admin IAM role (or legacy admin group membership) could access AI Object Storage features in the Cloud Console. With this update, you can grant non-admin users specific AI Object Storage permissions through organization access policies, enabling them to perform those actions in the Console.
This enables organizations to follow the principle of least privilege — granting users only the specific Object Storage capabilities they need, without requiring full admin access.
What's new
Granular Console permissions
Non-admin users can now perform specific AI Object Storage actions in the Cloud Console when granted the appropriate cwobject: permissions. For example:
| To allow a user to... | Grant these permissions |
|---|---|
| View buckets | cwobject:ListBucketInfo |
| Create buckets | s3:CreateBucket, cwobject:CreateAccessKey |
| Create access keys | cwobject:CreateAccessKey, cwobject:CreateAccessKeySaml |
| Manage organization policies | cwobject:EnsureAccessPolicy, cwobject:ListAccessPolicy |
See the Console Permissions Reference for the complete mapping.
Additional resources
- Console Permissions Reference
- Manage organization access policies
- IAM Access Policies (Nov 20, 2025 release)