Home > Storage > ObjectScale and ECS > Product Documentation > ECS: Overview and Architecture > Object tagging
Object tagging allows categorization of objects by assigning tags to the individual objects. A single object can have multiple tags that are associated with it, enabling multidimensional categorization.
A tag could describe some sort of sensitive information like a health record, or you can tag an object to a certain product that can be categorized as confidential. Tagging is a sub-resource of an object that has a life cycle integrated with object operations. You can add tags to new objects when you upload them or add tags to existing objects. It is acceptable to use tags to label objects containing confidential data, such as personally identifiable information (PII) or protected health information (PHI). The tags must not contain any confidential information, as tags can be viewed without having the actual read permission to an object.
This section provides information about object tagging in IAM, object tagging with bucket policies, handling object tagging during TSO/PSO, and object tagging during object lifecycle management. Here are additional considerations:
The key function of object tagging as categorization system comes when it is integrated with IAM policies. This allows admin to configure specific user permissions. For example, admin can add a policy that allows everyone to access objects with a specified tag or you can configure and grant permissions to users, who can manage the tags on specific objects. The other key aspect with object tagging is how and where the tags are persisted. This is important because it has a direct impact on various aspects of the system.
Object tagging allows you to categorize the objects, additionally tagging gets integrated with various policies. Lifecycle management policy allows you to configure at a bucket level. Earlier versions of ECS supports Expiration, Abort Incomplete Uploads, and Deletion of Expired Object Tagging Delete Marker. The filter could include multiple conditions including a tag-based condition. Each tag in the filter condition must match the key and the value.
Object tagging is another entry set in system metadata; no special handling is required during TSO/PSO. There is a set limit on the number of tags that are allowed to be associated with each object, size of system metadata along with object tagging is well within the memory limits.
Object tagging is part of system metadata and handled simultaneously with system metadata handling, during lifecycle management. The Expiration Logic and Lifecycle Delete Scanner requires to understand tag-based policies. Object tags enable fine-grained object lifecycle management in which you can specify a tag-based filter, in addition to a key name prefix, in a lifecycle rule.
See the latest ECS Security Configuration Guide for further information about ECS object tagging.