[Yandex Cloud documentation](../../../../index.md) > [Yandex Object Storage](../../../index.md) > API reference > [AWS S3 REST](../../index.md) > [REST](../index.md) > ACL > XML structure of ACL configuration

# ACL configuration in XML format

The typical ACL format is as follows:

```xml
<AccessControlPolicy>
  <Owner>
    <ID>8caede4d8w78r43d14f2e7fagrbf45c78ejc7c6cde********</ID>
    <DisplayName>CustomersName@amazon.com</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
			xsi:type="CanonicalUser">
        <ID>8caede4d8w78r43d14f2e7fagrbf45c78ejc7c6cde********</ID>
        <DisplayName>YandexCloudUserName</DisplayName>
      </Grantee>
      <Permission>WRITE</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
```


## Elements {#elements}

Element | Description
----- | -----
`AccessControlPolicy` | Root element.<br/><br/>Path: `/AccessControlPolicy`.
`Owner` | User information.<br/><br/>Users can specify this element for `objectPutAcl` and `bucketPutAcl` requests. If the element is specified, Object Storage will check if the provided ID matches the actual one during the ACL upload. If there is no match, it will return code 403.<br/><br/>Path: `/AccessControlPolicy/Owner`.
`AccessControlList` | Access control list. It cannot contain more than 100 access permissions.<br/><br/>Path: `/AccessControlPolicy/AccessControlList`.
`Grant` | Access description.<br/><br/>Path: `/AccessControlPolicy/AccessControlList/Grant`.
`Grantee` | Type of permission grantee. The possible values for `type` include:<ul><li>`CanonicalUser`: For a user, [service account](../../../../iam/concepts/users/service-accounts.md), or [user group](../../../../organization/concepts/groups.md).</li><li>`Group`: For a [public group](../../../concepts/acl.md#public-groups).</li></ul>Path: `/AccessControlPolicy/AccessControlList/Grant/Grantee`.
`ID` | ID of a user, [service account](../../../../iam/concepts/users/service-accounts.md), or [user group](../../../../organization/concepts/groups.md). It is used with the `CanonicalUser` permission grantee type.<br/><br/>A response to a `bucketGetAcl` request contains the ID of the folder where the bucket is located.<br/><br/>Paths: `/AccessControlPolicy/Owner/ID`, `/AccessControlPolicy/AccessControlList/Grant/Grantee/ID`.
`DisplayName` | Username. It is ignored for the `objectPutAcl` and `bucketPutAcl` requests.<br/><br/>Paths: `/AccessControlPolicy/Owner/DisplayName`, `/AccessControlPolicy/AccessControlList/Grant/Grantee/DisplayName`.
`URI` | Public group ID. It is used with the `Group` type of permission grantee. The possible values are:<ul><li>`http://acs.amazonaws.com/groups/global/AllUsers`: All internet users.</li><li>`http://acs.amazonaws.com/groups/global/AuthenticatedUsers`: All authenticated Yandex Cloud users.</li></ul>Path: `/AccessControlPolicy/AccessControlList/Grant/Grantee/URI`.
`Permission` | User permissions.<br/><br/>You can specify the following permissions: `READ`, `WRITE`, and `FULL_CONTROL`. When granting permissions for an object, you can also specify `READ_ACP` and `WRITE_ACP`. Learn more in [Access control lists (ACLs)](../../../concepts/acl.md).<br/><br/>Path: `/AccessControlPolicy/AccessControlList/Grant/Grantee/DisplayName`.

#### Related articles {#related-articles}

* [Access control list (ACL)](../../../concepts/acl.md)

#### See also {#see-also}

* [Getting started with the AWS S3 API in Yandex Object Storage](../../s3-api-quickstart.md)

* [Debugging requests using the AWS CLI](../../signing-requests.md#debugging)

* [Example of sending a signed request using curl](../../../api-ref/authentication.md#s3-api-example)

* [Code example for generating a signature](../../../concepts/pre-signed-urls.md#code-examples)