You can separate users at the folder level. Users will share a common bucket, but each user will have their own folder that is not accessible by other users who have access to the same bucket.
At a high level, separating user access involves:
Creating a storage bucket for users to share
Creating folders within the bucket for each sub-user
Creating sub-users
Creating an IAM policy for each sub-user to limit their access to just their folder within the storage bucket
Attaching the IAM policy to your sub-user
If your company has hundreds or thousands of sub-user requirements, you can use an automated approach as described in Automating Infrastructure Design for Wasabi.
The following instructions consider a Wasabi account that manages storage for multiple companies with multiple clients (sub-users) in each company. Each company has its own storage bucket, and each sub-user within a company has their own folder with private access within that bucket. Company-A, for example, has two sub-users: Molly Bright and Dave Starsky. These two sub-users cannot see each other's data, so they will be given access to their own folders within the company bucket. In summary, the following instructions will work with:
Bucket name:
bucket-company-a
Sub-users:
molly-bright
dave-starsky
Sub-user folders:
molly-brights-folder
Separating User Access
Log in to your Wasabi Root account. (Create an account if you do not already have one.)
Create a bucket for your company. In this example, a bucket named bucket-company-a is created.

Create two folders within the bucket, one folder for each sub-user: molly-brights-folder and dave-starskys-folder.

Create two sub-users: molly-bright and dave-starsky.

Create a policy for each sub-user: molly-bright-separation and dave-starsky-separation. For example:

The policy syntax below limits sub-user molly-bright access to molly-brights-folder inside the bucket-company-a bucket.
{ "Version":"2012-10-17", "Statement": [ { "Sid": "AllowUserToSeeBucketListInTheConsole", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance"], "Effect": "Allow", "Resource": ["arn:aws:s3:::*"] }, { "Sid": "AllowRootAndHomeListingOfCompanyBucket", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::bucket-company-a"], "Condition":{"StringEquals":{"s3:prefix":["","molly-brights-folder/"],"s3:delimiter":["/"]}} }, { "Sid": "AllowListingOfUserFolder", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::bucket-company-a"], "Condition":{"StringLike":{"s3:prefix":["molly-brights-folder/*"]}} }, { "Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucket-company-a/molly-brights-folder/*"] } ] }This policy limits sub-user dave-starsky access to dave-starskys-folder inside the bucket-company-a bucket.
{ "Version":"2012-10-17", "Statement": [ { "Sid": "AllowUserToSeeBucketListInTheConsole", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance"], "Effect": "Allow", "Resource": ["arn:aws:s3:::*"] }, { "Sid": "AllowRootAndHomeListingOfCompanyBucket", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::bucket-company-a"], "Condition":{"StringEquals":{"s3:prefix":["","dave-starskys-folder/"],"s3:delimiter":["/"]}} }, { "Sid": "AllowListingOfUserFolder", "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::bucket-company-a"], "Condition":{"StringLike":{"s3:prefix":["dave-starskys-folder/*"]}} }, { "Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucket-company-a/dave-starskys-folder/*"] } ] }You would edit this to provide the bucket and folder names in your actual use case.
Attach the appropriate policy to each sub-user. For example:
Click Users.
Click sub-user molly-bright.
Click Policies and attach the molly-bright-separation policy.

Sub-user molly-bright will be able to access ONLY molly-brights-folder within the bucket-company-a bucket.
Complete the same steps to attach the dave-starsky-separation policy to the sub-user dave-starsky. Then, dave-starsky will be able to access ONLY dave-starskys-folder within the bucket-company-a bucket.