# Object Storage Access Control

> Configure read and write ACLs on Xloud Object Storage containers to control cross-project access and enable public or restricted sharing.

## Overview

Container ACLs control which users and projects can read from or write to a container.
By default, containers are private: only the owning project has access. ACLs are stored
on the container as the `X-Container-Read` and `X-Container-Write` headers and can grant
access to specific users, entire projects, or the public.

<Note>
  **Prerequisites**

  * An active Xloud account with appropriate permissions
  * Access to the **Xloud Dashboard** or CLI configured with credentials
  * API credentials sourced (`source openrc.sh`)
</Note>

***

## ACL Format Reference

| Value                    | Meaning                             |
| ------------------------ | ----------------------------------- |
| `<project-id>:<user-id>` | Specific user in a specific project |
| `<project-id>:*`         | All users in a specific project     |
| `.r:*`                   | Public anonymous read access        |
| `.r:*,.rlistings`        | Public read AND directory listing   |

***

## Configure ACLs

<Tabs>
  <Tab title="Dashboard" icon="gauge">
    Navigate to the container and click the **Edit** icon. In the **Access Control**
    section:

    * **Read ACL**: Comma-separated list of `<project-id>:<user-id>` pairs, or `.r:*` for
      public read access
    * **Write ACL**: Comma-separated list of `<project-id>:<user-id>` pairs controlling
      write access

    <Warning>
      ACL values of `.r:*` or `.r:*,.rlistings` grant public anonymous read access.
      Verify this is intentional before saving — objects in publicly accessible containers
      are reachable by anyone with the URL.
    </Warning>
  </Tab>

  <Tab title="CLI" icon="terminal">
    The `swift` command (python-swiftclient) reads the same `OS_*` variables as
    `openstack` and sends `--read-acl` / `--write-acl` directly as the
    `X-Container-Read` / `X-Container-Write` headers.

    <CodeGroup>
      ```bash title="Grant read access to a specific user"
      swift post --read-acl "<project-id>:<user-id>" app-backups
      ```

      ```bash title="Grant read access to all users in a project"
      swift post --read-acl "<project-id>:*" shared-data
      ```

      ```bash title="Grant public read access"
      # .rlistings additionally exposes the object listing to anonymous clients
      swift post --read-acl ".r:*,.rlistings" public-assets
      ```

      ```bash title="Grant write access to another project"
      swift post --write-acl "<other-project-id>:*" shared-uploads
      ```

      ```bash title="Remove all ACLs (make private)"
      # an empty value clears the header and restores owner-only access
      swift post --read-acl "" --write-acl "" app-backups
      ```
    </CodeGroup>
  </Tab>
</Tabs>

***

## View Current ACLs

```bash title="Show container ACLs"
# read_acl / write_acl rows only appear when the corresponding header is set
openstack container show app-backups | grep -Ei "read_acl|write_acl"
```

***

## Account-Level Access Control

The object store account (project) also accepts access-control metadata at the account
level. The example below sets the CORS `Access-Control-Allow-Origin` value; pass the bare
key, because the CLI adds the `X-Account-Meta-` prefix itself:

```bash title="Show account metadata including ACLs"
openstack object store account show
```

```bash title="Set account-level CORS allowed origin"
openstack object store account set \
  --property Access-Control-Allow-Origin="https://app.example.com"
```

***

## Best Practices

<AccordionGroup>
  <Accordion title="Principle of least privilege" icon="shield" defaultOpen>
    * Grant the minimum required access — prefer `<project-id>:<user-id>` over `<project-id>:*`
    * Only use `.r:*` for containers explicitly intended for public access
    * Use `.rlistings` only when directory browsing is intentionally public
  </Accordion>

  <Accordion title="Regular ACL audit" icon="file-text">
    Review containers with non-empty read or write ACLs quarterly. Revoke access for
    decommissioned projects and users immediately:

    ```bash title="Check all container ACLs in your project"
    # read line by line so container names containing spaces are handled
    openstack container list -f value -c Name | while IFS= read -r c; do
      echo "=== $c ==="
      openstack container show "$c" | grep -Ei "read_acl|write_acl"
    done
    ```
  </Accordion>
</AccordionGroup>
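A small audit helper, added here as an example and not part of the Xloud documentation: it parses ACL values in the format from the reference table above and flags public grants, project-wide wildcards and grants to decommissioned projects. The container names, project IDs and user IDs are constructed sample data shaped like the `read_acl` / `write_acl` fields of `openstack container show`.

```python
# Added audit helper, not part of the Xloud documentation. It parses values in the
# X-Container-Read / X-Container-Write format; all names and IDs below are constructed.
def parse_acl(value):
    """Split one ACL header value into a dict of classified entries."""
    out = {"public": False, "listings": False, "projects": [], "users": [], "referrers": []}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        if entry == ".r:*":
            out["public"] = True                                # anonymous read for anyone
        elif entry == ".rlistings":
            out["listings"] = True                              # anonymous container listing
        elif entry.startswith(".r:"):
            out["referrers"].append(entry[3:])                  # referrer-restricted read
        elif entry.endswith(":*"):
            out["projects"].append(entry[:-2])                  # every user in a project
        elif ":" in entry:
            out["users"].append(tuple(entry.split(":", 1)))     # one user in a project
        else:
            raise ValueError(f"unrecognised ACL entry: {entry!r}")
    return out


def audit(containers, decommissioned):
    """Return {container: [finding, ...]} for containers whose ACLs need review."""
    findings = {}
    for name, acls in containers.items():
        notes = []
        for kind in ("read", "write"):
            acl = parse_acl(acls.get(kind, ""))
            if acl["public"]:
                notes.append(f"{kind}: public anonymous access")
            if acl["listings"]:
                notes.append(f"{kind}: public directory listing")
            for proj in acl["projects"]:
                notes.append(f"{kind}: wildcard grant to every user in project {proj}")
            granted = set(acl["projects"]) | {p for p, _ in acl["users"]}
            for proj in sorted(granted & decommissioned):
                notes.append(f"{kind}: grant to decommissioned project {proj}")
        if notes:
            findings[name] = notes
    return findings


# Constructed sample, shaped like the read_acl / write_acl fields of `openstack container show`.
SAMPLE = {
    "app-backups": {"read": "proj-a1:user-42", "write": ""},
    "shared-data": {"read": "proj-b2:*"},
    "public-assets": {"read": ".r:*,.rlistings"},
    "shared-uploads": {"read": "proj-old:user-7", "write": "proj-old:*"},
}
DECOMMISSIONED = {"proj-old"}
```

Containers with only a specific-user grant to a live project (here `app-backups`) produce no finding, so the output is the review list rather than every container.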

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Upload Objects" href="/services/object-storage/upload-objects" color="#197560">
    Upload objects to your access-controlled container
  </Card>

  <Card title="Versioning" href="/services/object-storage/versioning" color="#197560">
    Enable version retention for objects in the container
  </Card>

  <Card title="Troubleshooting" href="/services/object-storage/troubleshooting" color="#197560">
    Resolve 403 access errors on containers
  </Card>

  <Card title="Object Storage Admin Guide" href="/services/object-storage/admin-guide" color="#197560">
    Platform-wide security and ACL governance
  </Card>
</CardGroup>
