diff --git a/weed/admin/view/app/object_store_users.templ b/weed/admin/view/app/object_store_users.templ
index dedd258e2..686f57e1c 100644
--- a/weed/admin/view/app/object_store_users.templ
+++ b/weed/admin/view/app/object_store_users.templ
@@ -205,12 +205,21 @@ templ ObjectStoreUsers(data dash.ObjectStoreUsersData) {
                         </div>
                         <div class="mb-3">
                             <label for="actions" class="form-label">Permissions</label>
-                            <select multiple class="form-control" id="actions" name="actions">
+                            <select multiple class="form-control" id="actions" name="actions" size="10">
                                 <option value="Admin">Admin (Full Access)</option>
                                 <option value="Read">Read</option>
                                 <option value="Write">Write</option>
                                 <option value="List">List</option>
                                 <option value="Tagging">Tagging</option>
+                                <optgroup label="Object Lock Permissions">
+                                    <option value="BypassGovernanceRetention">Bypass Governance Retention</option>
+                                    <option value="GetObjectRetention">Get Object Retention</option>
+                                    <option value="PutObjectRetention">Put Object Retention</option>
+                                    <option value="GetObjectLegalHold">Get Object Legal Hold</option>
+                                    <option value="PutObjectLegalHold">Put Object Legal Hold</option>
+                                    <option value="GetBucketObjectLockConfiguration">Get Bucket Object Lock Configuration</option>
+                                    <option value="PutBucketObjectLockConfiguration">Put Bucket Object Lock Configuration</option>
+                                </optgroup>
                             </select>
                             <small class="form-text text-muted">Hold Ctrl/Cmd to select multiple permissions</small>
                         </div>
@@ -249,12 +258,21 @@ templ ObjectStoreUsers(data dash.ObjectStoreUsersData) {
                         </div>
                         <div class="mb-3">
                             <label for="editActions" class="form-label">Permissions</label>
-                            <select multiple class="form-control" id="editActions" name="actions">
+                            <select multiple class="form-control" id="editActions" name="actions" size="10">
                                 <option value="Admin">Admin (Full Access)</option>
                                 <option value="Read">Read</option>
                                 <option value="Write">Write</option>
                                 <option value="List">List</option>
                                 <option value="Tagging">Tagging</option>
+                                <optgroup label="Object Lock Permissions">
+                                    <option value="BypassGovernanceRetention">Bypass Governance Retention</option>
+                                    <option value="GetObjectRetention">Get Object Retention</option>
+                                    <option value="PutObjectRetention">Put Object Retention</option>
+                                    <option value="GetObjectLegalHold">Get Object Legal Hold</option>
+                                    <option value="PutObjectLegalHold">Put Object Legal Hold</option>
+                                    <option value="GetBucketObjectLockConfiguration">Get Bucket Object Lock Configuration</option>
+                                    <option value="PutBucketObjectLockConfiguration">Put Bucket Object Lock Configuration</option>
+                                </optgroup>
                             </select>
                         </div>
                     </form>
diff --git a/weed/admin/view/app/object_store_users_templ.go b/weed/admin/view/app/object_store_users_templ.go
index 8d08d5161..a2fc3ac71 100644
--- a/weed/admin/view/app/object_store_users_templ.go
+++ b/weed/admin/view/app/object_store_users_templ.go
@@ -193,7 +193,7 @@ func ObjectStoreUsers(data dash.ObjectStoreUsersData) templ.Component {
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 15, "</small></div></div></div><!-- Create User Modal --><div class=\"modal fade\" id=\"createUserModal\" tabindex=\"-1\" role=\"dialog\"><div class=\"modal-dialog\" role=\"document\"><div class=\"modal-content\"><div class=\"modal-header\"><h5 class=\"modal-title\"><i class=\"fas fa-user-plus me-2\"></i>Create New User</h5><button type=\"button\" class=\"btn-close\" data-bs-dismiss=\"modal\"></button></div><div class=\"modal-body\"><form id=\"createUserForm\"><div class=\"mb-3\"><label for=\"username\" class=\"form-label\">Username *</label> <input type=\"text\" class=\"form-control\" id=\"username\" name=\"username\" required></div><div class=\"mb-3\"><label for=\"email\" class=\"form-label\">Email</label> <input type=\"email\" class=\"form-control\" id=\"email\" name=\"email\"></div><div class=\"mb-3\"><label for=\"actions\" class=\"form-label\">Permissions</label> <select multiple class=\"form-control\" id=\"actions\" name=\"actions\"><option value=\"Admin\">Admin (Full Access)</option> <option value=\"Read\">Read</option> <option value=\"Write\">Write</option> <option value=\"List\">List</option> <option value=\"Tagging\">Tagging</option></select> <small class=\"form-text text-muted\">Hold Ctrl/Cmd to select multiple permissions</small></div><div class=\"mb-3 form-check\"><input type=\"checkbox\" class=\"form-check-input\" id=\"generateKey\" name=\"generateKey\" checked> <label class=\"form-check-label\" for=\"generateKey\">Generate access key automatically</label></div></form></div><div class=\"modal-footer\"><button type=\"button\" class=\"btn btn-secondary\" data-bs-dismiss=\"modal\">Cancel</button> <button type=\"button\" class=\"btn btn-primary\" onclick=\"handleCreateUser()\">Create User</button></div></div></div></div><!-- Edit User Modal --><div class=\"modal fade\" id=\"editUserModal\" tabindex=\"-1\" role=\"dialog\"><div class=\"modal-dialog\" role=\"document\"><div class=\"modal-content\"><div class=\"modal-header\"><h5 class=\"modal-title\"><i class=\"fas fa-user-edit me-2\"></i>Edit User</h5><button type=\"button\" class=\"btn-close\" data-bs-dismiss=\"modal\"></button></div><div class=\"modal-body\"><form id=\"editUserForm\"><input type=\"hidden\" id=\"editUsername\" name=\"username\"><div class=\"mb-3\"><label for=\"editEmail\" class=\"form-label\">Email</label> <input type=\"email\" class=\"form-control\" id=\"editEmail\" name=\"email\"></div><div class=\"mb-3\"><label for=\"editActions\" class=\"form-label\">Permissions</label> <select multiple class=\"form-control\" id=\"editActions\" name=\"actions\"><option value=\"Admin\">Admin (Full Access)</option> <option value=\"Read\">Read</option> <option value=\"Write\">Write</option> <option value=\"List\">List</option> <option value=\"Tagging\">Tagging</option></select></div></form></div><div class=\"modal-footer\"><button type=\"button\" class=\"btn btn-secondary\" data-bs-dismiss=\"modal\">Cancel</button> <button type=\"button\" class=\"btn btn-primary\" onclick=\"handleUpdateUser()\">Update User</button></div></div></div></div><!-- User Details Modal --><div class=\"modal fade\" id=\"userDetailsModal\" tabindex=\"-1\" role=\"dialog\"><div class=\"modal-dialog modal-lg\" role=\"document\"><div class=\"modal-content\"><div class=\"modal-header\"><h5 class=\"modal-title\"><i class=\"fas fa-user me-2\"></i>User Details</h5><button type=\"button\" class=\"btn-close\" data-bs-dismiss=\"modal\"></button></div><div class=\"modal-body\" id=\"userDetailsContent\"><!-- Content will be loaded dynamically --></div><div class=\"modal-footer\"><button type=\"button\" class=\"btn btn-secondary\" data-bs-dismiss=\"modal\">Close</button></div></div></div></div><!-- Access Keys Management Modal --><div class=\"modal fade\" id=\"accessKeysModal\" tabindex=\"-1\" role=\"dialog\"><div class=\"modal-dialog modal-lg\" role=\"document\"><div class=\"modal-content\"><div class=\"modal-header\"><h5 class=\"modal-title\"><i class=\"fas fa-key me-2\"></i>Manage Access Keys</h5><button type=\"button\" class=\"btn-close\" data-bs-dismiss=\"modal\"></button></div><div class=\"modal-body\"><div class=\"d-flex justify-content-between align-items-center mb-3\"><h6>Access Keys for <span id=\"accessKeysUsername\"></span></h6><button type=\"button\" class=\"btn btn-primary btn-sm\" onclick=\"createAccessKey()\"><i class=\"fas fa-plus me-1\"></i>Create New Key</button></div><div id=\"accessKeysContent\"><!-- Content will be loaded dynamically --></div></div><div class=\"modal-footer\"><button type=\"button\" class=\"btn btn-secondary\" data-bs-dismiss=\"modal\">Close</button></div></div></div></div><!-- JavaScript for user management --><script>\n        document.addEventListener('DOMContentLoaded', function() {\n            // Event delegation for user action buttons\n            document.addEventListener('click', function(e) {\n                const button = e.target.closest('[data-action]');\n                if (!button) return;\n                \n                const action = button.getAttribute('data-action');\n                const username = button.getAttribute('data-username');\n                \n                switch (action) {\n                    case 'show-user-details':\n                        showUserDetails(username);\n                        break;\n                    case 'edit-user':\n                        editUser(username);\n                        break;\n                    case 'manage-access-keys':\n                        manageAccessKeys(username);\n                        break;\n                    case 'delete-user':\n                        deleteUser(username);\n                        break;\n                }\n            });\n        });\n\n        // Show user details modal\n        async function showUserDetails(username) {\n            try {\n                const response = await fetch(`/api/users/${username}`);\n                if (response.ok) {\n                    const user = await response.json();\n                    document.getElementById('userDetailsContent').innerHTML = createUserDetailsContent(user);\n                    const modal = new bootstrap.Modal(document.getElementById('userDetailsModal'));\n                    modal.show();\n                } else {\n                    showErrorMessage('Failed to load user details');\n                }\n            } catch (error) {\n                console.error('Error loading user details:', error);\n                showErrorMessage('Failed to load user details');\n            }\n        }\n\n        // Edit user function\n        async function editUser(username) {\n            try {\n                const response = await fetch(`/api/users/${username}`);\n                if (response.ok) {\n                    const user = await response.json();\n                    \n                    // Populate edit form\n                    document.getElementById('editUsername').value = username;\n                    document.getElementById('editEmail').value = user.email || '';\n                    \n                    // Set selected actions\n                    const actionsSelect = document.getElementById('editActions');\n                    Array.from(actionsSelect.options).forEach(option => {\n                        option.selected = user.actions && user.actions.includes(option.value);\n                    });\n                    \n                    // Show modal\n                    const modal = new bootstrap.Modal(document.getElementById('editUserModal'));\n                    modal.show();\n                } else {\n                    showErrorMessage('Failed to load user details');\n                }\n            } catch (error) {\n                console.error('Error loading user:', error);\n                showErrorMessage('Failed to load user details');\n            }\n        }\n\n        // Manage access keys function\n        async function manageAccessKeys(username) {\n            try {\n                const response = await fetch(`/api/users/${username}`);\n                if (response.ok) {\n                    const user = await response.json();\n                    document.getElementById('accessKeysUsername').textContent = username;\n                    document.getElementById('accessKeysContent').innerHTML = createAccessKeysContent(user);\n                    const modal = new bootstrap.Modal(document.getElementById('accessKeysModal'));\n                    modal.show();\n                } else {\n                    showErrorMessage('Failed to load access keys');\n                }\n            } catch (error) {\n                console.error('Error loading access keys:', error);\n                showErrorMessage('Failed to load access keys');\n            }\n        }\n\n        // Delete user function\n        async function deleteUser(username) {\n            if (confirm(`Are you sure you want to delete user \"${username}\"? This action cannot be undone.`)) {\n                try {\n                    const response = await fetch(`/api/users/${username}`, {\n                        method: 'DELETE'\n                    });\n                    \n                    if (response.ok) {\n                        showSuccessMessage('User deleted successfully');\n                        setTimeout(() => window.location.reload(), 1000);\n                    } else {\n                        const error = await response.json();\n                        showErrorMessage('Failed to delete user: ' + (error.error || 'Unknown error'));\n                    }\n                } catch (error) {\n                    console.error('Error deleting user:', error);\n                    showErrorMessage('Failed to delete user: ' + error.message);\n                }\n            }\n        }\n\n        // Handle create user form submission\n        async function handleCreateUser() {\n            const form = document.getElementById('createUserForm');\n            const formData = new FormData(form);\n            \n            const userData = {\n                username: formData.get('username'),\n                email: formData.get('email'),\n                actions: Array.from(document.getElementById('actions').selectedOptions).map(option => option.value),\n                generate_key: document.getElementById('generateKey').checked\n            };\n            \n            try {\n                const response = await fetch('/api/users', {\n                    method: 'POST',\n                    headers: {\n                        'Content-Type': 'application/json',\n                    },\n                    body: JSON.stringify(userData)\n                });\n                \n                if (response.ok) {\n                    const result = await response.json();\n                    showSuccessMessage('User created successfully');\n                    \n                    // Show the created access key if generated\n                    if (result.user && result.user.access_key) {\n                        showNewAccessKeyModal(result.user);\n                    }\n                    \n                    // Close modal and refresh page\n                    const modal = bootstrap.Modal.getInstance(document.getElementById('createUserModal'));\n                    modal.hide();\n                    form.reset();\n                    setTimeout(() => window.location.reload(), 1000);\n                } else {\n                    const error = await response.json();\n                    showErrorMessage('Failed to create user: ' + (error.error || 'Unknown error'));\n                }\n            } catch (error) {\n                console.error('Error creating user:', error);\n                showErrorMessage('Failed to create user: ' + error.message);\n            }\n        }\n\n        // Handle update user form submission\n        async function handleUpdateUser() {\n            const username = document.getElementById('editUsername').value;\n            const formData = new FormData(document.getElementById('editUserForm'));\n            \n            const userData = {\n                email: formData.get('email'),\n                actions: Array.from(document.getElementById('editActions').selectedOptions).map(option => option.value)\n            };\n            \n            try {\n                const response = await fetch(`/api/users/${username}`, {\n                    method: 'PUT',\n                    headers: {\n                        'Content-Type': 'application/json',\n                    },\n                    body: JSON.stringify(userData)\n                });\n                \n                if (response.ok) {\n                    showSuccessMessage('User updated successfully');\n                    \n                    // Close modal and refresh page\n                    const modal = bootstrap.Modal.getInstance(document.getElementById('editUserModal'));\n                    modal.hide();\n                    setTimeout(() => window.location.reload(), 1000);\n                } else {\n                    const error = await response.json();\n                    showErrorMessage('Failed to update user: ' + (error.error || 'Unknown error'));\n                }\n            } catch (error) {\n                console.error('Error updating user:', error);\n                showErrorMessage('Failed to update user: ' + error.message);\n            }\n        }\n\n        // Create user details content\n        function createUserDetailsContent(user) {\n            var detailsHtml = '<div class=\"row\">';\n            detailsHtml += '<div class=\"col-md-6\">';\n            detailsHtml += '<h6 class=\"text-muted\">Basic Information</h6>';\n            detailsHtml += '<table class=\"table table-sm\">';\n            detailsHtml += '<tr><td><strong>Username:</strong></td><td>' + escapeHtml(user.username) + '</td></tr>';\n            detailsHtml += '<tr><td><strong>Email:</strong></td><td>' + escapeHtml(user.email || 'Not set') + '</td></tr>';\n            detailsHtml += '</table>';\n            detailsHtml += '</div>';\n            detailsHtml += '<div class=\"col-md-6\">';\n                         detailsHtml += '<h6 class=\"text-muted\">Permissions</h6>';\n             detailsHtml += '<div class=\"mb-3\">';\n             if (user.actions && user.actions.length > 0) {\n                 detailsHtml += user.actions.map(function(action) {\n                     return '<span class=\"badge bg-info me-1\">' + action + '</span>';\n                 }).join('');\n             } else {\n                 detailsHtml += '<span class=\"text-muted\">No permissions assigned</span>';\n             }\n             detailsHtml += '</div>';\n             detailsHtml += '<h6 class=\"text-muted\">Access Keys</h6>';\n             if (user.access_keys && user.access_keys.length > 0) {\n                 detailsHtml += '<div class=\"mb-2\">';\n                 user.access_keys.forEach(function(key) {\n                     detailsHtml += '<div><code class=\"text-muted\">' + key.access_key + '</code></div>';\n                 });\n                 detailsHtml += '</div>';\n             } else {\n                 detailsHtml += '<p class=\"text-muted\">No access keys</p>';\n             }\n            detailsHtml += '</div>';\n            detailsHtml += '</div>';\n            return detailsHtml;\n        }\n\n        // Create access keys content\n        function createAccessKeysContent(user) {\n            if (!user.access_keys || user.access_keys.length === 0) {\n                return '<p class=\"text-muted\">No access keys available</p>';\n            }\n            \n            var keysHtml = '<div class=\"table-responsive\">';\n            keysHtml += '<table class=\"table table-sm\">';\n            keysHtml += '<thead><tr><th>Access Key</th><th>Status</th><th>Actions</th></tr></thead>';\n            keysHtml += '<tbody>';\n            \n            user.access_keys.forEach(function(key) {\n                keysHtml += '<tr>';\n                keysHtml += '<td><code>' + key.access_key + '</code></td>';\n                keysHtml += '<td><span class=\"badge bg-success\">Active</span></td>';\n                keysHtml += '<td>';\n                keysHtml += '<button class=\"btn btn-outline-danger btn-sm\" onclick=\"deleteAccessKey(\\'' + user.username + '\\', \\'' + key.access_key + '\\')\">';\n                keysHtml += '<i class=\"fas fa-trash\"></i> Delete';\n                keysHtml += '</button>';\n                keysHtml += '</td>';\n                keysHtml += '</tr>';\n            });\n            \n            keysHtml += '</tbody>';\n            keysHtml += '</table>';\n            keysHtml += '</div>';\n            return keysHtml;\n        }\n\n        // Create new access key\n        async function createAccessKey() {\n            const username = document.getElementById('accessKeysUsername').textContent;\n            \n            try {\n                const response = await fetch(`/api/users/${username}/access-keys`, {\n                    method: 'POST',\n                    headers: {\n                        'Content-Type': 'application/json',\n                    },\n                    body: JSON.stringify({})\n                });\n                \n                if (response.ok) {\n                    const result = await response.json();\n                    showSuccessMessage('Access key created successfully');\n                    \n                    // Refresh access keys display\n                    const userResponse = await fetch(`/api/users/${username}`);\n                    if (userResponse.ok) {\n                        const user = await userResponse.json();\n                        document.getElementById('accessKeysContent').innerHTML = createAccessKeysContent(user);\n                    }\n                } else {\n                    const error = await response.json();\n                    showErrorMessage('Failed to create access key: ' + (error.error || 'Unknown error'));\n                }\n            } catch (error) {\n                console.error('Error creating access key:', error);\n                showErrorMessage('Failed to create access key: ' + error.message);\n            }\n        }\n\n        // Delete access key\n        async function deleteAccessKey(username, accessKey) {\n            if (confirm('Are you sure you want to delete this access key?')) {\n                try {\n                    const response = await fetch(`/api/users/${username}/access-keys/${accessKey}`, {\n                        method: 'DELETE'\n                    });\n                    \n                    if (response.ok) {\n                        showSuccessMessage('Access key deleted successfully');\n                        \n                        // Refresh access keys display\n                        const userResponse = await fetch(`/api/users/${username}`);\n                        if (userResponse.ok) {\n                            const user = await userResponse.json();\n                            document.getElementById('accessKeysContent').innerHTML = createAccessKeysContent(user);\n                        }\n                    } else {\n                        const error = await response.json();\n                        showErrorMessage('Failed to delete access key: ' + (error.error || 'Unknown error'));\n                    }\n                } catch (error) {\n                    console.error('Error deleting access key:', error);\n                    showErrorMessage('Failed to delete access key: ' + error.message);\n                }\n            }\n        }\n\n        // Show new access key modal (when user is created with generated key)\n        function showNewAccessKeyModal(user) {\n            // Create a simple alert for now - could be enhanced with a dedicated modal\n            var message = 'New user created!\\n\\n';\n            message += 'Username: ' + user.username + '\\n';\n            message += 'Access Key: ' + user.access_key + '\\n';\n            message += 'Secret Key: ' + user.secret_key + '\\n\\n';\n            message += 'Please save these credentials securely.';\n            alert(message);\n        }\n\n        // Utility functions\n        function showSuccessMessage(message) {\n            // Simple implementation - could be enhanced with toast notifications\n            alert('Success: ' + message);\n        }\n\n        function showErrorMessage(message) {\n            // Simple implementation - could be enhanced with toast notifications\n            alert('Error: ' + message);\n        }\n\n        function escapeHtml(text) {\n            if (!text) return '';\n            const div = document.createElement('div');\n            div.textContent = text;\n            return div.innerHTML;\n        }\n    </script>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 15, "</small></div></div></div><!-- Create User Modal --><div class=\"modal fade\" id=\"createUserModal\" tabindex=\"-1\" role=\"dialog\"><div class=\"modal-dialog\" role=\"document\"><div class=\"modal-content\"><div class=\"modal-header\"><h5 class=\"modal-title\"><i class=\"fas fa-user-plus me-2\"></i>Create New User</h5><button type=\"button\" class=\"btn-close\" data-bs-dismiss=\"modal\"></button></div><div class=\"modal-body\"><form id=\"createUserForm\"><div class=\"mb-3\"><label for=\"username\" class=\"form-label\">Username *</label> <input type=\"text\" class=\"form-control\" id=\"username\" name=\"username\" required></div><div class=\"mb-3\"><label for=\"email\" class=\"form-label\">Email</label> <input type=\"email\" class=\"form-control\" id=\"email\" name=\"email\"></div><div class=\"mb-3\"><label for=\"actions\" class=\"form-label\">Permissions</label> <select multiple class=\"form-control\" id=\"actions\" name=\"actions\" size=\"10\"><option value=\"Admin\">Admin (Full Access)</option> <option value=\"Read\">Read</option> <option value=\"Write\">Write</option> <option value=\"List\">List</option> <option value=\"Tagging\">Tagging</option> <optgroup label=\"Object Lock Permissions\"><option value=\"BypassGovernanceRetention\">Bypass Governance Retention</option> <option value=\"GetObjectRetention\">Get Object Retention</option> <option value=\"PutObjectRetention\">Put Object Retention</option> <option value=\"GetObjectLegalHold\">Get Object Legal Hold</option> <option value=\"PutObjectLegalHold\">Put Object Legal Hold</option> <option value=\"GetBucketObjectLockConfiguration\">Get Bucket Object Lock Configuration</option> <option value=\"PutBucketObjectLockConfiguration\">Put Bucket Object Lock Configuration</option></optgroup></select> <small class=\"form-text text-muted\">Hold Ctrl/Cmd to select multiple permissions</small></div><div class=\"mb-3 form-check\"><input type=\"checkbox\" class=\"form-check-input\" id=\"generateKey\" name=\"generateKey\" checked> <label class=\"form-check-label\" for=\"generateKey\">Generate access key automatically</label></div></form></div><div class=\"modal-footer\"><button type=\"button\" class=\"btn btn-secondary\" data-bs-dismiss=\"modal\">Cancel</button> <button type=\"button\" class=\"btn btn-primary\" onclick=\"handleCreateUser()\">Create User</button></div></div></div></div><!-- Edit User Modal --><div class=\"modal fade\" id=\"editUserModal\" tabindex=\"-1\" role=\"dialog\"><div class=\"modal-dialog\" role=\"document\"><div class=\"modal-content\"><div class=\"modal-header\"><h5 class=\"modal-title\"><i class=\"fas fa-user-edit me-2\"></i>Edit User</h5><button type=\"button\" class=\"btn-close\" data-bs-dismiss=\"modal\"></button></div><div class=\"modal-body\"><form id=\"editUserForm\"><input type=\"hidden\" id=\"editUsername\" name=\"username\"><div class=\"mb-3\"><label for=\"editEmail\" class=\"form-label\">Email</label> <input type=\"email\" class=\"form-control\" id=\"editEmail\" name=\"email\"></div><div class=\"mb-3\"><label for=\"editActions\" class=\"form-label\">Permissions</label> <select multiple class=\"form-control\" id=\"editActions\" name=\"actions\" size=\"10\"><option value=\"Admin\">Admin (Full Access)</option> <option value=\"Read\">Read</option> <option value=\"Write\">Write</option> <option value=\"List\">List</option> <option value=\"Tagging\">Tagging</option> <optgroup label=\"Object Lock Permissions\"><option value=\"BypassGovernanceRetention\">Bypass Governance Retention</option> <option value=\"GetObjectRetention\">Get Object Retention</option> <option value=\"PutObjectRetention\">Put Object Retention</option> <option value=\"GetObjectLegalHold\">Get Object Legal Hold</option> <option value=\"PutObjectLegalHold\">Put Object Legal Hold</option> <option value=\"GetBucketObjectLockConfiguration\">Get Bucket Object Lock Configuration</option> <option value=\"PutBucketObjectLockConfiguration\">Put Bucket Object Lock Configuration</option></optgroup></select></div></form></div><div class=\"modal-footer\"><button type=\"button\" class=\"btn btn-secondary\" data-bs-dismiss=\"modal\">Cancel</button> <button type=\"button\" class=\"btn btn-primary\" onclick=\"handleUpdateUser()\">Update User</button></div></div></div></div><!-- User Details Modal --><div class=\"modal fade\" id=\"userDetailsModal\" tabindex=\"-1\" role=\"dialog\"><div class=\"modal-dialog modal-lg\" role=\"document\"><div class=\"modal-content\"><div class=\"modal-header\"><h5 class=\"modal-title\"><i class=\"fas fa-user me-2\"></i>User Details</h5><button type=\"button\" class=\"btn-close\" data-bs-dismiss=\"modal\"></button></div><div class=\"modal-body\" id=\"userDetailsContent\"><!-- Content will be loaded dynamically --></div><div class=\"modal-footer\"><button type=\"button\" class=\"btn btn-secondary\" data-bs-dismiss=\"modal\">Close</button></div></div></div></div><!-- Access Keys Management Modal --><div class=\"modal fade\" id=\"accessKeysModal\" tabindex=\"-1\" role=\"dialog\"><div class=\"modal-dialog modal-lg\" role=\"document\"><div class=\"modal-content\"><div class=\"modal-header\"><h5 class=\"modal-title\"><i class=\"fas fa-key me-2\"></i>Manage Access Keys</h5><button type=\"button\" class=\"btn-close\" data-bs-dismiss=\"modal\"></button></div><div class=\"modal-body\"><div class=\"d-flex justify-content-between align-items-center mb-3\"><h6>Access Keys for <span id=\"accessKeysUsername\"></span></h6><button type=\"button\" class=\"btn btn-primary btn-sm\" onclick=\"createAccessKey()\"><i class=\"fas fa-plus me-1\"></i>Create New Key</button></div><div id=\"accessKeysContent\"><!-- Content will be loaded dynamically --></div></div><div class=\"modal-footer\"><button type=\"button\" class=\"btn btn-secondary\" data-bs-dismiss=\"modal\">Close</button></div></div></div></div><!-- JavaScript for user management --><script>\n        document.addEventListener('DOMContentLoaded', function() {\n            // Event delegation for user action buttons\n            document.addEventListener('click', function(e) {\n                const button = e.target.closest('[data-action]');\n                if (!button) return;\n                \n                const action = button.getAttribute('data-action');\n                const username = button.getAttribute('data-username');\n                \n                switch (action) {\n                    case 'show-user-details':\n                        showUserDetails(username);\n                        break;\n                    case 'edit-user':\n                        editUser(username);\n                        break;\n                    case 'manage-access-keys':\n                        manageAccessKeys(username);\n                        break;\n                    case 'delete-user':\n                        deleteUser(username);\n                        break;\n                }\n            });\n        });\n\n        // Show user details modal\n        async function showUserDetails(username) {\n            try {\n                const response = await fetch(`/api/users/${username}`);\n                if (response.ok) {\n                    const user = await response.json();\n                    document.getElementById('userDetailsContent').innerHTML = createUserDetailsContent(user);\n                    const modal = new bootstrap.Modal(document.getElementById('userDetailsModal'));\n                    modal.show();\n                } else {\n                    showErrorMessage('Failed to load user details');\n                }\n            } catch (error) {\n                console.error('Error loading user details:', error);\n                showErrorMessage('Failed to load user details');\n            }\n        }\n\n        // Edit user function\n        async function editUser(username) {\n            try {\n                const response = await fetch(`/api/users/${username}`);\n                if (response.ok) {\n                    const user = await response.json();\n                    \n                    // Populate edit form\n                    document.getElementById('editUsername').value = username;\n                    document.getElementById('editEmail').value = user.email || '';\n                    \n                    // Set selected actions\n                    const actionsSelect = document.getElementById('editActions');\n                    Array.from(actionsSelect.options).forEach(option => {\n                        option.selected = user.actions && user.actions.includes(option.value);\n                    });\n                    \n                    // Show modal\n                    const modal = new bootstrap.Modal(document.getElementById('editUserModal'));\n                    modal.show();\n                } else {\n                    showErrorMessage('Failed to load user details');\n                }\n            } catch (error) {\n                console.error('Error loading user:', error);\n                showErrorMessage('Failed to load user details');\n            }\n        }\n\n        // Manage access keys function\n        async function manageAccessKeys(username) {\n            try {\n                const response = await fetch(`/api/users/${username}`);\n                if (response.ok) {\n                    const user = await response.json();\n                    document.getElementById('accessKeysUsername').textContent = username;\n                    document.getElementById('accessKeysContent').innerHTML = createAccessKeysContent(user);\n                    const modal = new bootstrap.Modal(document.getElementById('accessKeysModal'));\n                    modal.show();\n                } else {\n                    showErrorMessage('Failed to load access keys');\n                }\n            } catch (error) {\n                console.error('Error loading access keys:', error);\n                showErrorMessage('Failed to load access keys');\n            }\n        }\n\n        // Delete user function\n        async function deleteUser(username) {\n            if (confirm(`Are you sure you want to delete user \"${username}\"? This action cannot be undone.`)) {\n                try {\n                    const response = await fetch(`/api/users/${username}`, {\n                        method: 'DELETE'\n                    });\n                    \n                    if (response.ok) {\n                        showSuccessMessage('User deleted successfully');\n                        setTimeout(() => window.location.reload(), 1000);\n                    } else {\n                        const error = await response.json();\n                        showErrorMessage('Failed to delete user: ' + (error.error || 'Unknown error'));\n                    }\n                } catch (error) {\n                    console.error('Error deleting user:', error);\n                    showErrorMessage('Failed to delete user: ' + error.message);\n                }\n            }\n        }\n\n        // Handle create user form submission\n        async function handleCreateUser() {\n            const form = document.getElementById('createUserForm');\n            const formData = new FormData(form);\n            \n            const userData = {\n                username: formData.get('username'),\n                email: formData.get('email'),\n                actions: Array.from(document.getElementById('actions').selectedOptions).map(option => option.value),\n                generate_key: document.getElementById('generateKey').checked\n            };\n            \n            try {\n                const response = await fetch('/api/users', {\n                    method: 'POST',\n                    headers: {\n                        'Content-Type': 'application/json',\n                    },\n                    body: JSON.stringify(userData)\n                });\n                \n                if (response.ok) {\n                    const result = await response.json();\n                    showSuccessMessage('User created successfully');\n                    \n                    // Show the created access key if generated\n                    if (result.user && result.user.access_key) {\n                        showNewAccessKeyModal(result.user);\n                    }\n                    \n                    // Close modal and refresh page\n                    const modal = bootstrap.Modal.getInstance(document.getElementById('createUserModal'));\n                    modal.hide();\n                    form.reset();\n                    setTimeout(() => window.location.reload(), 1000);\n                } else {\n                    const error = await response.json();\n                    showErrorMessage('Failed to create user: ' + (error.error || 'Unknown error'));\n                }\n            } catch (error) {\n                console.error('Error creating user:', error);\n                showErrorMessage('Failed to create user: ' + error.message);\n            }\n        }\n\n        // Handle update user form submission\n        async function handleUpdateUser() {\n            const username = document.getElementById('editUsername').value;\n            const formData = new FormData(document.getElementById('editUserForm'));\n            \n            const userData = {\n                email: formData.get('email'),\n                actions: Array.from(document.getElementById('editActions').selectedOptions).map(option => option.value)\n            };\n            \n            try {\n                const response = await fetch(`/api/users/${username}`, {\n                    method: 'PUT',\n                    headers: {\n                        'Content-Type': 'application/json',\n                    },\n                    body: JSON.stringify(userData)\n                });\n                \n                if (response.ok) {\n                    showSuccessMessage('User updated successfully');\n                    \n                    // Close modal and refresh page\n                    const modal = bootstrap.Modal.getInstance(document.getElementById('editUserModal'));\n                    modal.hide();\n                    setTimeout(() => window.location.reload(), 1000);\n                } else {\n                    const error = await response.json();\n                    showErrorMessage('Failed to update user: ' + (error.error || 'Unknown error'));\n                }\n            } catch (error) {\n                console.error('Error updating user:', error);\n                showErrorMessage('Failed to update user: ' + error.message);\n            }\n        }\n\n        // Create user details content\n        function createUserDetailsContent(user) {\n            var detailsHtml = '<div class=\"row\">';\n            detailsHtml += '<div class=\"col-md-6\">';\n            detailsHtml += '<h6 class=\"text-muted\">Basic Information</h6>';\n            detailsHtml += '<table class=\"table table-sm\">';\n            detailsHtml += '<tr><td><strong>Username:</strong></td><td>' + escapeHtml(user.username) + '</td></tr>';\n            detailsHtml += '<tr><td><strong>Email:</strong></td><td>' + escapeHtml(user.email || 'Not set') + '</td></tr>';\n            detailsHtml += '</table>';\n            detailsHtml += '</div>';\n            detailsHtml += '<div class=\"col-md-6\">';\n                         detailsHtml += '<h6 class=\"text-muted\">Permissions</h6>';\n             detailsHtml += '<div class=\"mb-3\">';\n             if (user.actions && user.actions.length > 0) {\n                 detailsHtml += user.actions.map(function(action) {\n                     return '<span class=\"badge bg-info me-1\">' + action + '</span>';\n                 }).join('');\n             } else {\n                 detailsHtml += '<span class=\"text-muted\">No permissions assigned</span>';\n             }\n             detailsHtml += '</div>';\n             detailsHtml += '<h6 class=\"text-muted\">Access Keys</h6>';\n             if (user.access_keys && user.access_keys.length > 0) {\n                 detailsHtml += '<div class=\"mb-2\">';\n                 user.access_keys.forEach(function(key) {\n                     detailsHtml += '<div><code class=\"text-muted\">' + key.access_key + '</code></div>';\n                 });\n                 detailsHtml += '</div>';\n             } else {\n                 detailsHtml += '<p class=\"text-muted\">No access keys</p>';\n             }\n            detailsHtml += '</div>';\n            detailsHtml += '</div>';\n            return detailsHtml;\n        }\n\n        // Create access keys content\n        function createAccessKeysContent(user) {\n            if (!user.access_keys || user.access_keys.length === 0) {\n                return '<p class=\"text-muted\">No access keys available</p>';\n            }\n            \n            var keysHtml = '<div class=\"table-responsive\">';\n            keysHtml += '<table class=\"table table-sm\">';\n            keysHtml += '<thead><tr><th>Access Key</th><th>Status</th><th>Actions</th></tr></thead>';\n            keysHtml += '<tbody>';\n            \n            user.access_keys.forEach(function(key) {\n                keysHtml += '<tr>';\n                keysHtml += '<td><code>' + key.access_key + '</code></td>';\n                keysHtml += '<td><span class=\"badge bg-success\">Active</span></td>';\n                keysHtml += '<td>';\n                keysHtml += '<button class=\"btn btn-outline-danger btn-sm\" onclick=\"deleteAccessKey(\\'' + user.username + '\\', \\'' + key.access_key + '\\')\">';\n                keysHtml += '<i class=\"fas fa-trash\"></i> Delete';\n                keysHtml += '</button>';\n                keysHtml += '</td>';\n                keysHtml += '</tr>';\n            });\n            \n            keysHtml += '</tbody>';\n            keysHtml += '</table>';\n            keysHtml += '</div>';\n            return keysHtml;\n        }\n\n        // Create new access key\n        async function createAccessKey() {\n            const username = document.getElementById('accessKeysUsername').textContent;\n            \n            try {\n                const response = await fetch(`/api/users/${username}/access-keys`, {\n                    method: 'POST',\n                    headers: {\n                        'Content-Type': 'application/json',\n                    },\n                    body: JSON.stringify({})\n                });\n                \n                if (response.ok) {\n                    const result = await response.json();\n                    showSuccessMessage('Access key created successfully');\n                    \n                    // Refresh access keys display\n                    const userResponse = await fetch(`/api/users/${username}`);\n                    if (userResponse.ok) {\n                        const user = await userResponse.json();\n                        document.getElementById('accessKeysContent').innerHTML = createAccessKeysContent(user);\n                    }\n                } else {\n                    const error = await response.json();\n                    showErrorMessage('Failed to create access key: ' + (error.error || 'Unknown error'));\n                }\n            } catch (error) {\n                console.error('Error creating access key:', error);\n                showErrorMessage('Failed to create access key: ' + error.message);\n            }\n        }\n\n        // Delete access key\n        async function deleteAccessKey(username, accessKey) {\n            if (confirm('Are you sure you want to delete this access key?')) {\n                try {\n                    const response = await fetch(`/api/users/${username}/access-keys/${accessKey}`, {\n                        method: 'DELETE'\n                    });\n                    \n                    if (response.ok) {\n                        showSuccessMessage('Access key deleted successfully');\n                        \n                        // Refresh access keys display\n                        const userResponse = await fetch(`/api/users/${username}`);\n                        if (userResponse.ok) {\n                            const user = await userResponse.json();\n                            document.getElementById('accessKeysContent').innerHTML = createAccessKeysContent(user);\n                        }\n                    } else {\n                        const error = await response.json();\n                        showErrorMessage('Failed to delete access key: ' + (error.error || 'Unknown error'));\n                    }\n                } catch (error) {\n                    console.error('Error deleting access key:', error);\n                    showErrorMessage('Failed to delete access key: ' + error.message);\n                }\n            }\n        }\n\n        // Show new access key modal (when user is created with generated key)\n        function showNewAccessKeyModal(user) {\n            // Create a simple alert for now - could be enhanced with a dedicated modal\n            var message = 'New user created!\\n\\n';\n            message += 'Username: ' + user.username + '\\n';\n            message += 'Access Key: ' + user.access_key + '\\n';\n            message += 'Secret Key: ' + user.secret_key + '\\n\\n';\n            message += 'Please save these credentials securely.';\n            alert(message);\n        }\n\n        // Utility functions\n        function showSuccessMessage(message) {\n            // Simple implementation - could be enhanced with toast notifications\n            alert('Success: ' + message);\n        }\n\n        function showErrorMessage(message) {\n            // Simple implementation - could be enhanced with toast notifications\n            alert('Error: ' + message);\n        }\n\n        function escapeHtml(text) {\n            if (!text) return '';\n            const div = document.createElement('div');\n            div.textContent = text;\n            return div.innerHTML;\n        }\n    </script>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
diff --git a/weed/s3api/policy_engine/integration.go b/weed/s3api/policy_engine/integration.go
index 2a6a5c8fa..9c4bee9e4 100644
--- a/weed/s3api/policy_engine/integration.go
+++ b/weed/s3api/policy_engine/integration.go
@@ -213,6 +213,50 @@ func convertSingleAction(action, bucketName string) (*PolicyStatement, error) {
 			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
 		}
 
+	case "GetObjectRetention":
+		s3Actions = []string{"s3:GetObjectRetention"}
+		if strings.HasSuffix(resourcePattern, "/*") {
+			bucket := strings.TrimSuffix(resourcePattern, "/*")
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+		} else {
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+		}
+
+	case "PutObjectRetention":
+		s3Actions = []string{"s3:PutObjectRetention"}
+		if strings.HasSuffix(resourcePattern, "/*") {
+			bucket := strings.TrimSuffix(resourcePattern, "/*")
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+		} else {
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+		}
+
+	case "GetObjectLegalHold":
+		s3Actions = []string{"s3:GetObjectLegalHold"}
+		if strings.HasSuffix(resourcePattern, "/*") {
+			bucket := strings.TrimSuffix(resourcePattern, "/*")
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+		} else {
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+		}
+
+	case "PutObjectLegalHold":
+		s3Actions = []string{"s3:PutObjectLegalHold"}
+		if strings.HasSuffix(resourcePattern, "/*") {
+			bucket := strings.TrimSuffix(resourcePattern, "/*")
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+		} else {
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+		}
+
+	case "GetBucketObjectLockConfiguration":
+		s3Actions = []string{"s3:GetBucketObjectLockConfiguration"}
+		resources = []string{fmt.Sprintf("arn:aws:s3:::%s", resourcePattern)}
+
+	case "PutBucketObjectLockConfiguration":
+		s3Actions = []string{"s3:PutBucketObjectLockConfiguration"}
+		resources = []string{fmt.Sprintf("arn:aws:s3:::%s", resourcePattern)}
+
 	default:
 		return nil, fmt.Errorf("unknown action type: %s", actionType)
 	}
@@ -280,6 +324,24 @@ func GetActionMappings() map[string][]string {
 		"BypassGovernanceRetention": {
 			"s3:BypassGovernanceRetention",
 		},
+		"GetObjectRetention": {
+			"s3:GetObjectRetention",
+		},
+		"PutObjectRetention": {
+			"s3:PutObjectRetention",
+		},
+		"GetObjectLegalHold": {
+			"s3:GetObjectLegalHold",
+		},
+		"PutObjectLegalHold": {
+			"s3:PutObjectLegalHold",
+		},
+		"GetBucketObjectLockConfiguration": {
+			"s3:GetBucketObjectLockConfiguration",
+		},
+		"PutBucketObjectLockConfiguration": {
+			"s3:PutBucketObjectLockConfiguration",
+		},
 	}
 }
 
diff --git a/weed/s3api/s3_constants/s3_actions.go b/weed/s3api/s3_constants/s3_actions.go
index a565ec115..e476eeaee 100644
--- a/weed/s3api/s3_constants/s3_actions.go
+++ b/weed/s3api/s3_constants/s3_actions.go
@@ -1,15 +1,21 @@
 package s3_constants
 
 const (
-	ACTION_READ                        = "Read"
-	ACTION_READ_ACP                    = "ReadAcp"
-	ACTION_WRITE                       = "Write"
-	ACTION_WRITE_ACP                   = "WriteAcp"
-	ACTION_ADMIN                       = "Admin"
-	ACTION_TAGGING                     = "Tagging"
-	ACTION_LIST                        = "List"
-	ACTION_DELETE_BUCKET               = "DeleteBucket"
-	ACTION_BYPASS_GOVERNANCE_RETENTION = "BypassGovernanceRetention"
+	ACTION_READ                          = "Read"
+	ACTION_READ_ACP                      = "ReadAcp"
+	ACTION_WRITE                         = "Write"
+	ACTION_WRITE_ACP                     = "WriteAcp"
+	ACTION_ADMIN                         = "Admin"
+	ACTION_TAGGING                       = "Tagging"
+	ACTION_LIST                          = "List"
+	ACTION_DELETE_BUCKET                 = "DeleteBucket"
+	ACTION_BYPASS_GOVERNANCE_RETENTION   = "BypassGovernanceRetention"
+	ACTION_GET_OBJECT_RETENTION          = "GetObjectRetention"
+	ACTION_PUT_OBJECT_RETENTION          = "PutObjectRetention"
+	ACTION_GET_OBJECT_LEGAL_HOLD         = "GetObjectLegalHold"
+	ACTION_PUT_OBJECT_LEGAL_HOLD         = "PutObjectLegalHold"
+	ACTION_GET_BUCKET_OBJECT_LOCK_CONFIG = "GetBucketObjectLockConfiguration"
+	ACTION_PUT_BUCKET_OBJECT_LOCK_CONFIG = "PutBucketObjectLockConfiguration"
 
 	SeaweedStorageDestinationHeader = "x-seaweedfs-destination"
 	MultipartUploadsFolder          = ".uploads"