Note:
This document describes the access management feature of VOD. For more information on access management for other Tencent Cloud services, please see CAM-Enabled Products.
Preset policies in CAM are a convenient way to implement authorization, but their permission granularity is coarse and cannot be refined to the subapplication and API levels. If you require fine-grained permission control, you need to create custom policies.
Custom Policy Creation Method
There are multiple ways to create a custom policy. The table below shows a comparison of various methods. For detailed directions, please see further below.
Note:
VOD does not support creating custom policies by product feature.
Manual selection means that you can select an object from the candidate list displayed in the console, while syntax description means that you can describe objects through policy syntax.
Policy Syntax Description for Resource
As mentioned above, the resource granularity of permission control in VOD is subapplication. The subapplication description in policy syntax follows the CAM rules. In the example below, the developer's root account ID is 12345678, APPID is 1250000001 (which is equivalent to the primary application ID), and the developer has created two VOD subapplications with IDs of 1400000001 and 1400000002 respectively.
Policy syntax description for all VOD resources
"resource": [
    "qcs::vod::uin/12345678:subAppId/*"
]
Policy syntax description for the primary application
"resource": [
    "qcs::vod::uin/12345678:subAppId/1250000001"
]
Policy syntax description for a single subapplication
"resource": [
    "qcs::vod::uin/12345678:subAppId/1400000001"
]
Policy syntax description for the primary application and a single subapplication
"resource": [
    "qcs::vod::uin/12345678:subAppId/1250000001",
    "qcs::vod::uin/12345678:subAppId/1400000001"
]
Policy Syntax Description for Action
As mentioned above, the action granularity of permission control in VOD is server API. Server APIs such as DescribeMediaInfos and DescribeAllClass are used as examples below.
Policy syntax description for all VOD server APIs
"action": [
    "name/vod:*"
]
Policy syntax description for a single server API
"action": [
    "name/vod:DescribeMediaInfos"
]
Policy syntax description for multiple server APIs
"action": [
    "name/vod:DescribeMediaInfos",
    "name/vod:DescribeAllClass"
]
Custom Policy Use Cases
Using policy builder
In the example below, we will create a custom policy, which allows all actions except the server API ProcessMedia to be performed on VOD subapplication 1400000001.
1. Access the Policy page in the CAM Console as a root account and click Create Custom Policy.
2. Select Create by Policy Generator to enter the policy creation page.
3. Select services and actions.
Select Allow for Effect.
Select VOD for Service.
Check all items for Action.
The Condition configuration item does not need to be configured.
4. Click Next and rename the policy name as needed (or leave it unchanged).
Using policy syntax
In the example below, we will create a custom policy, which allows all actions to be performed on VOD subapplications 1400000001 and 1400000002 but denies ProcessMedia for subapplication 1400000001.
1. Access the Policy page in the CAM Console as a root account and click Create Custom Policy.
2. Select Create by Policy Syntax to enter the policy creation page.
3. In the Select Template Type box, select Blank Template.
Note:
A policy template is used to create a policy by copying an existing policy (preset or custom) and then making adjustments to the copy. In actual use, you can choose an appropriate policy template based on the actual conditions to reduce the difficulty and workload of writing policy content.
4. Click Next and rename the policy name as needed (or leave it unchanged).
5. Enter the following policy content in the Edit Policy Content box:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "name/vod:*"
            ],
            "resource": [
                "qcs::vod::uin/12345678:subAppId/1400000001",
                "qcs::vod::uin/12345678:subAppId/1400000002"
            ]
        },
        {
            "effect": "deny",
            "action": [
                "name/vod:ProcessMedia"
            ],
            "resource": [
                "qcs::vod::uin/12345678:subAppId/1400000001"
            ]
        }
    ]
}
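The effect of this policy on individual requests, as an added example that is not part of the original documentation and is not CAM's own evaluation engine. It assumes a simplified model in which an explicit deny overrides any allow and a request matched by no statement is denied; the helper names resource_for and is_allowed are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# The policy content from step 5 above (account and subapplication IDs are the page's examples).
POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow",
     "action": ["name/vod:*"],
     "resource": ["qcs::vod::uin/12345678:subAppId/1400000001",
                  "qcs::vod::uin/12345678:subAppId/1400000002"]},
    {"effect": "deny",
     "action": ["name/vod:ProcessMedia"],
     "resource": ["qcs::vod::uin/12345678:subAppId/1400000001"]}
  ]
}
""")


def resource_for(uin, sub_app_id):
    """Build a resource description in the form shown on this page."""
    return f"qcs::vod::uin/{uin}:subAppId/{sub_app_id}"


def _matches(statement, action, resource):
    # A statement applies when one action pattern and one resource
    # pattern both match; "*" is treated as a wildcard.
    return (any(fnmatchcase(action, p) for p in statement["action"])
            and any(fnmatchcase(resource, p) for p in statement["resource"]))


def is_allowed(policy, api, uin, sub_app_id):
    """Assumed model: explicit deny wins, then allow, otherwise denied."""
    action = f"name/vod:{api}"
    resource = resource_for(uin, sub_app_id)
    effects = {s["effect"] for s in policy["statement"]
               if _matches(s, action, resource)}
    if "deny" in effects:
        return False
    return "allow" in effects


if __name__ == "__main__":
    for api, sub in [("ProcessMedia", 1400000001), ("ProcessMedia", 1400000002),
                     ("DescribeMediaInfos", 1400000001),
                     ("DescribeMediaInfos", 1250000001)]:
        verdict = "allow" if is_allowed(POLICY, api, "12345678", sub) else "deny"
        print(f"{api:20} subAppId/{sub}: {verdict}")
```

Running the same checks against a draft policy before saving it shows whether a wildcard statement grants more than intended, such as access to the primary application 1250000001.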
Using server API
For most developers, performing permission management operations in the console can meet their business needs. However, if you need to automate and systematize your permission management capabilities, you can use server APIs.
The server APIs related to policies belong to CAM. For more information, please see the CAM documentation. Only a few main APIs are listed below: