Note: This document describes the access management feature of VOD. For more information on access management for other Tencent Cloud services, please see CAM-Enabled Products.
Using a preset policy in CAM is a convenient way to implement authorization, but its permission control is coarse-grained and cannot be refined to the subapplication and API levels. If you require fine-grained permission control, you need to create custom policies.
There are multiple ways to create a custom policy. The table below shows a comparison of various methods. For detailed directions, please see further below.
Creation Entry | Creation Method | Effect | Resource | Action | Flexibility | Difficulty |
---|---|---|---|---|---|---|
Console | Policy builder | Manual selection | Syntax description | Manual selection | Medium | Medium |
Console | Policy syntax | Syntax description | Syntax description | Syntax description | High | High |
Server API | CreatePolicy | Syntax description | Syntax description | Syntax description | High | High |
Note:
- VOD does not support creating custom policies by product feature.
- Manual selection means that you can select an object from the candidate list displayed in the console, while syntax description means that you can describe objects through policy syntax.
As mentioned above, the resource granularity of permission control in VOD is subapplication. The subapplication description in policy syntax follows the CAM rules. In the example below, the developer's root account ID is 12345678, APPID is 1250000001 (which is equivalent to the primary application ID), and the developer has created two VOD subapplications with IDs of 1400000001 and 1400000002 respectively.
Policy syntax description for all VOD resources

```
"resource": [
    "qcs::vod::uin/12345678:subAppId/*"
]
```

Policy syntax description for the primary application

```
"resource": [
    "qcs::vod::uin/12345678:subAppId/1250000001"
]
```

Policy syntax description for a single subapplication

```
"resource": [
    "qcs::vod::uin/12345678:subAppId/1400000001"
]
```

Policy syntax description for the primary application and a single subapplication

```
"resource": [
    "qcs::vod::uin/12345678:subAppId/1250000001",
    "qcs::vod::uin/12345678:subAppId/1400000001"
]
```
As mentioned above, the action granularity of permission control in VOD is server API. Server APIs such as DescribeMediaInfos and DescribeAllClass are used as examples below.

Policy syntax description for all VOD server APIs

```
"action": [
    "name/vod:*"
]
```

Policy syntax description for a single server API

```
"action": [
    "name/vod:DescribeMediaInfos"
]
```

Policy syntax description for multiple server APIs

```
"action": [
    "name/vod:DescribeMediaInfos",
    "name/vod:DescribeAllClass"
]
```
In the example below, we will create a custom policy, which allows all actions except the server API ProcessMedia to be performed on VOD subapplication 1400000001.
qcs::vod::uin/12345678:subAppId/1400000001 for Resource according to the syntax description for resource.
4. Click Next and rename the policy name as needed (or leave it unchanged).
5. Click Complete to create the custom policy. Subsequently, this policy can be granted to subusers in the same way as granting full permissions of VOD to existing subusers.
In the example below, we will create a custom policy, which allows all actions to be performed on VOD subapplications 1400000001 and 1400000002 but denies ProcessMedia for subapplication 1400000001.
Note: A policy template is used to create a policy by copying an existing policy (preset or custom) and then making adjustments to the copy. In actual use, you can choose an appropriate policy template based on the actual conditions to reduce the difficulty and workload of writing policy content.
```json
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "name/vod:*"
            ],
            "resource": [
                "qcs::vod::uin/12345678:subAppId/1400000001",
                "qcs::vod::uin/12345678:subAppId/1400000002"
            ]
        },
        {
            "effect": "deny",
            "action": [
                "name/vod:ProcessMedia"
            ],
            "resource": [
                "qcs::vod::uin/12345678:subAppId/1400000001"
            ]
        }
    ]
}
```
Note: The policy content should follow the CAM policy syntax rules, where the syntax of "resource" and "action" is as shown above in Policy Syntax Description for Resource and Policy Syntax Description for Action.
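The following is an added example, not part of the original documentation and not CAM's own evaluation engine: a simplified local model for reviewing what the policy above grants before attaching it to a subuser. It assumes that an explicit deny overrides any allow and that a request matched by no statement is refused; the names `vod_resource`, `evaluate` and `audit` are hypothetical.

```python
import json

# Policy from this page: allow every VOD API on two subapplications,
# deny ProcessMedia on subapplication 1400000001.
POLICY = json.loads("""
{"version": "2.0",
 "statement": [
  {"effect": "allow", "action": ["name/vod:*"],
   "resource": ["qcs::vod::uin/12345678:subAppId/1400000001",
                "qcs::vod::uin/12345678:subAppId/1400000002"]},
  {"effect": "deny", "action": ["name/vod:ProcessMedia"],
   "resource": ["qcs::vod::uin/12345678:subAppId/1400000001"]}]}
""")


def vod_resource(uin, sub_app_id):
    """Build a resource description in the form shown on this page."""
    return f"qcs::vod::uin/{uin}:subAppId/{sub_app_id}"


def _matches(patterns, value):
    # Models only exact strings and the trailing "*" used on this page.
    return any(value.startswith(p[:-1]) if p.endswith("*") else value == p
               for p in patterns)


def evaluate(policy, action, resource):
    """Return 'allow', 'deny' (explicit) or 'implicit-deny' for one request."""
    decision = "implicit-deny"  # assumption: no matching statement means refused
    for stmt in policy["statement"]:
        if _matches(stmt["action"], action) and _matches(stmt["resource"], resource):
            if stmt["effect"] == "deny":
                return "deny"  # assumption: explicit deny beats any allow
            decision = "allow"
    return decision


def audit(policy, uin, sub_app_ids, api_names):
    """Map (sub_app_id, api_name) to the decision, for review before granting."""
    return {(sid, api): evaluate(policy, f"name/vod:{api}", vod_resource(uin, sid))
            for sid in sub_app_ids for api in api_names}


if __name__ == "__main__":
    table = audit(POLICY, 12345678, [1250000001, 1400000001, 1400000002],
                  ["DescribeMediaInfos", "ProcessMedia"])
    for (sid, api), decision in sorted(table.items()):
        print(f"{sid}  {api:<20} {decision}")
```

Running the audit over the primary application ID as well shows that it receives nothing from this policy, which is the least-privilege outcome the resource list is meant to enforce.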
For most developers, performing permission management operations in the console can meet their business needs. However, if you need to automate and systematize your permission management capabilities, you can use server APIs.
The server APIs related to policies belong to CAM. For more information, please see the CAM documentation. Only a few main APIs are listed below: