We developed an access control list (ACL) mechanism for object-based storage systems. The proposed ACL mechanism gives object-based storage devices (OSDs) much more flexibility in managing who can access an object and how, and makes it possible to implement completely distributed security for object-based storage systems. By enabling ACL inheritance and sharing, the mechanism reduces the number of ACLs that need to be stored and maintained. By allowing public key certificates to serve as the identities of remote users, our ACL mechanism extends access control beyond the local machine's realm to cross-organizational users. Experimental results show that the overhead of access control is sufficiently small, with a bandwidth overhead of no more than 5%.