
# About organization access policies

> Learn about AI Object Storage organization access policies

CoreWeave AI Object Storage organization access policies enforce permissions across your entire organization, automatically covering every resource, bucket, and user in your account. This page is for administrators and security engineers who need to set global access rules for AI Object Storage. When you centralize access rules, you ensure that global security standards and compliance requirements apply consistently.

Organization access policies sit at the top of the policy hierarchy and take effect before any bucket-level rules. They are written in JSON with the same syntax as bucket access policies, and they apply to both the S3-compatible API and the AI Object Storage API. Because organization access policies override bucket access policies, they apply to every request in your AI Object Storage environment.

Set your organization access policies after you create access tokens and keys, and before you perform any bucket operations.

## Key considerations

Keep the following aspects of AI Object Storage organization access policies in mind:

| Policy aspect                    | Description                                                                                                                                                                                                                                                                                                                                                                                                                               |
| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Admin access                     | Principals with the `Object Storage Admin` IAM role (assigned through CoreWeave [IAM access policies](/security/iam/access-policies)) have unrestricted access to all `cwobject:` API actions (control plane), but that role does not grant S3-compatible API access. S3-compatible access must still be granted through Object Storage [organization and bucket access policies](/products/storage/object-storage/auth-access/policies). |
| Group usage                      | Organization access policies don't allow CoreWeave IAM *groups* (created in the Cloud Console). Use individual user UIDs (from Cloud Console) or SAML users and groups instead.                                                                                                                                                                                                                                                           |
| `s3:PutBucketPolicy`             | The `s3:PutBucketPolicy` action is a **global** operation that only evaluates **organization** policies (it ignores bucket-level policies) and requires org policies to explicitly allow `s3:PutBucketPolicy` or `s3:*` with `"resources": ["*"]` or specific bucket names. This behavior prevents users from accidentally locking themselves out of a bucket with a misconfigured bucket access policy.                                  |
| Global operations                | All `cwobject:` API actions and the `s3:ListAllMyBuckets` operation are global operations that must specify `"resources": ["*"]` in organization access policies.                                                                                                                                                                                                                                                                         |
| Policy evaluation order          | CoreWeave evaluates policies in two steps and evaluates organization policies first (before any bucket-level policies).                                                                                                                                                                                                                                                                                                                   |
| Policy management recommendation | Prefer to manage access through organization policies for broad, centralized control. Use bucket policies only for bucket-specific features such as bucket lifecycle configuration.                                                                                                                                                                                                                                                       |

Learn [how to set an organization access policy](/products/storage/object-storage/auth-access/organization-policies/manage) or [view examples of organization access policies](/products/storage/object-storage/auth-access/organization-policies/examples).
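
The following pre-deployment check is an added example, not CoreWeave code. It applies two rules from the table above to a policy document: global operations must use `"resources": ["*"]`, and some organization statement must allow `s3:PutBucketPolicy` (or `s3:*`). The `statements`, `effect`, and `actions` keys and the `Allow` value are assumptions about the JSON layout; only `resources` appears on this page. Both sample policies are constructed, and principals are left out.

```python
import json

# Global operations named on this page; each must use "resources": ["*"].
GLOBAL_PREFIX = "cwobject:"
GLOBAL_ACTIONS = {"s3:ListAllMyBuckets"}
PUT_POLICY_GRANTS = {"s3:PutBucketPolicy", "s3:*"}

def is_global(action):
    return action.startswith(GLOBAL_PREFIX) or action in GLOBAL_ACTIONS

def lint_org_policy(policy):
    """Return findings for one organization access policy (assumed key names)."""
    findings = []
    put_policy_allowed = False
    for i, stmt in enumerate(policy.get("statements", [])):
        actions = stmt.get("actions", [])
        resources = stmt.get("resources", [])
        allow = str(stmt.get("effect", "")).lower() == "allow"
        for action in actions:
            if is_global(action) and resources != ["*"]:
                findings.append(
                    f"statement {i}: global action {action} needs resources ['*']")
        # s3:PutBucketPolicy is evaluated against organization policies only.
        if allow and PUT_POLICY_GRANTS & set(actions) and resources:
            put_policy_allowed = True
    if not put_policy_allowed:
        findings.append("no statement allows s3:PutBucketPolicy or s3:*")
    return findings

# Constructed sample: ListAllMyBuckets scoped to a bucket, no PutBucketPolicy grant.
WEAK = json.loads("""{"statements": [
  {"effect": "Allow", "actions": ["s3:ListAllMyBuckets", "s3:GetObject"],
   "resources": ["training-data"]},
  {"effect": "Allow", "actions": ["cwobject:*"], "resources": ["*"]}
]}""")

# Constructed corrected version of the same policy.
FIXED = json.loads("""{"statements": [
  {"effect": "Allow", "actions": ["s3:ListAllMyBuckets"], "resources": ["*"]},
  {"effect": "Allow", "actions": ["s3:GetObject", "s3:PutBucketPolicy"],
   "resources": ["training-data"]},
  {"effect": "Allow", "actions": ["cwobject:*"], "resources": ["*"]}
]}""")

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("fixed", FIXED)):
        print(name, lint_org_policy(doc) or "ok")
```

The check reads `Allow` statements only and does not model deny statements or principals, so treat a clean result as a necessary condition rather than proof that the policy grants what you intend.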
