Overview

Last Updated: Jul 28, 2020

You may want to allow multiple users under the same account to use ApsaraVideo for VOD services. For example, you may need to use ApsaraVideo for VOD in multiple environments, in multiple businesses, or to provide services through multiple channels. In this case, you need to isolate the resources, configurations, and data for these users. ApsaraVideo for VOD provides the multi-application service to isolate multiple users from each other, and uses RAM to manage the permissions of each user. The multi-application service is deactivated by default. You can submit a ticket to activate it.

Scenarios

  • Isolate multiple environments: You can isolate resources (such as videos and images) for multiple environments, such as the test and online environments. You can also isolate configurations and data for these environments. For example, you can configure different callback URLs for them. To do so, use the multi-application service to create an application for each environment, associate different RAM users with these applications, and grant different permissions to the RAM users. In this way, you can prevent development and testing from affecting the online system.

  • Isolate multiple businesses: Your company may have multiple business lines or departments that all need to use ApsaraVideo for VOD. You can use the multi-application service to create an application for each business line or department to isolate them from each other.

  • Isolate multiple channels: If you want to construct platform services based on certain capabilities of ApsaraVideo for VOD to serve multiple channels or customers, use the multi-application service to achieve this goal.

Restrictions

  • You can create up to 10 applications under the same account. If you need to create more applications, submit a ticket.

  • Currently, the multi-application service supports only the media upload, audio and video playback, media asset management, and message callback services. Other services will be supported in the future.

  • The applications are isolated only at the metadata level rather than the physical storage level. Therefore, separate billing for each application is not supported. In the future, physical isolation such as domain name isolation and storage isolation will be gradually supported.

Application management

Application types

After the multi-application service is activated, you can create new custom applications. To ensure that the multi-application service is compatible with both existing and new resources, ApsaraVideo for VOD provides the default system application. The default system application cannot be deleted.

| Application type | Application description | Associated resource | Permission management |
|---|---|---|---|
| System | Default system application | All existing resources generated before the service is activated are associated with the default system application. If you do not specify an application when creating new resources after the service is activated, the new resources are also associated with the default system application. | To avoid impacts on your existing business, ApsaraVideo for VOD grants full permissions on the default system application to all identity entities (RAM users or RAM roles) under your Alibaba Cloud account. You can use your Alibaba Cloud account to revoke the permissions of identity entities. |
| Custom | Custom application | No resource is associated with a custom application after it is created. You can associate new resources with the application when creating the resources. You can also associate existing resources with the application. | An identity entity under your Alibaba Cloud account can access resources associated with an application only after being authorized. |

Application ID

  • The ID of the default system application is app-1000000.

  • The ID of a custom application is in the format of app-xxxxxxx.

Management method

You can create, query, update, and delete applications by using the API. For more information, see the multi-application API. You will be able to perform these operations in the ApsaraVideo for VOD console in the future.

Authorization management

The account system of Alibaba Cloud consists of the Alibaba Cloud account and identity entities such as RAM users and RAM roles. You can grant the access permissions on an application to the specified identity entity (RAM user or RAM role).

Permission policies

Currently, ApsaraVideo for VOD provides three permission policies that can be used to authorize identity entities to access applications.

| Policy name | Description | Scope | Operation permission |
|---|---|---|---|
| VODAppAdministratorAccess | Application administrator permission | All applications | Authorizes an identity entity to manage all applications under the Alibaba Cloud account and all resources under the applications. |
| VODAppFullAccess | Permission for managing and operating all resources under an application | Single application | Authorizes an identity entity to manage all resources under an application. |
| VODAppReadOnlyAccess | Permission for accessing all resources under an application in read-only mode | Single application | Authorizes an identity entity to read all resources under an application. For example, the identity entity can call operations starting with Get, Describe, Search, and List to read resources under the application. |

Permissions of the Alibaba Cloud account

The Alibaba Cloud account has the application administrator permission (VODAppAdministratorAccess). You cannot change the permissions of the Alibaba Cloud account. For example, you cannot revoke the permissions of the Alibaba Cloud account on an application. The application administrator permission includes:

  • Create, delete, modify, and query all applications under the Alibaba Cloud account.

  • Create, delete, modify, and query all resources, configurations, and data under each application.

  • Grant application permissions to identity entities (RAM users or RAM roles) under the Alibaba Cloud account, and revoke the permissions of identity entities but not the Alibaba Cloud account.

Permissions of RAM users or RAM roles

To enable a RAM user or RAM role to manage applications in ApsaraVideo for VOD, you must first use your Alibaba Cloud account to grant the AliyunVODFullAccess permission to the RAM user or RAM role in RAM. Then, you can use the multi-application service to grant application permissions to the RAM user or RAM role. That is, the permissions of an identity entity are the intersection of RAM permissions and application permissions granted by the multi-application service in ApsaraVideo for VOD.

  • To ensure that the multi-application service is compatible with both existing and new resources, ApsaraVideo for VOD grants full permissions (VODAppFullAccess) on the default system application to all RAM users and RAM roles. You can use your Alibaba Cloud account or an identity entity with the application administrator permission to manage application permissions of RAM users and RAM roles.

  • You can query the list of applications that an identity entity is authorized to access. After an identity entity is authorized to access an application, the identity entity can perform operations on resources (such as media assets and the message callback configuration) under the application.

  • An identity entity granted the application administrator permission (VODAppAdministratorAccess) can manage all applications and resources under the Alibaba Cloud account.

  • To migrate resources between two applications, an identity entity must have the read and write permissions on both applications.
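
The rules in this section can be checked against a small local model. The following Python sketch is an added example, not ApsaraVideo for VOD code, and it calls no Alibaba Cloud API. The identity records, the "*" key for account-wide grants, the system_app_revoked flag, the custom application IDs, and the two sample operation names are assumptions made for illustration.

```python
SYSTEM_APP = "app-1000000"  # default system application ID stated on the page
READ_PREFIXES = ("Get", "Describe", "Search", "List")  # read-only operation prefixes

def policy_allows(policy, action):
    """Does one application policy permit the named operation?"""
    if policy in ("VODAppAdministratorAccess", "VODAppFullAccess"):
        return True
    return policy == "VODAppReadOnlyAccess" and action.startswith(READ_PREFIXES)

def app_policies(identity, app_id):
    """Application-level policies that apply to this identity on app_id."""
    grants = identity["app_grants"]  # assumed layout: {app_id or "*": [policy names]}
    found = set(grants.get(app_id, []))
    if "VODAppAdministratorAccess" in grants.get("*", []):
        found.add("VODAppAdministratorAccess")  # scope: all applications
    if app_id == SYSTEM_APP and not identity.get("system_app_revoked"):
        found.add("VODAppFullAccess")  # default grant until the account revokes it
    return found

def is_allowed(identity, app_id, action):
    """Effective access = RAM permission AND application permission."""
    if "AliyunVODFullAccess" not in identity["ram_policies"]:
        return False
    return any(policy_allows(p, action) for p in app_policies(identity, app_id))

def can_migrate(identity, src_app, dst_app):
    """Migration needs read and write permission on both applications."""
    return all(is_allowed(identity, app, op)
               for app in (src_app, dst_app)
               for op in ("GetVideoInfo", "UpdateVideoInfo"))  # sample read/write ops

def default_grant_holders(identities):
    """Identities whose write access to the system application is only the default."""
    return sorted(name for name, ident in identities.items()
                  if is_allowed(ident, SYSTEM_APP, "UpdateVideoInfo")
                  and not ident["app_grants"].get(SYSTEM_APP)
                  and "VODAppAdministratorAccess" not in ident["app_grants"].get("*", []))

# Constructed sample identities (hypothetical names and application IDs).
IDENTITIES = {
    "test-uploader": {"ram_policies": ["AliyunVODFullAccess"],
                      "app_grants": {"app-0000001": ["VODAppFullAccess"]}},
    "report-reader": {"ram_policies": ["AliyunVODFullAccess"],
                      "app_grants": {"app-0000002": ["VODAppReadOnlyAccess"]},
                      "system_app_revoked": True},
    "no-ram": {"ram_policies": [], "app_grants": {"app-0000001": ["VODAppFullAccess"]}},
}
```

In this sample, default_grant_holders(IDENTITIES) reports test-uploader: it was granted access only to a test application, yet it can still write to the default system application until that default grant is revoked.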

Authorization method

You can grant application permissions to or revoke application permissions from identity entities by using the API. You will be able to perform these operations in the ApsaraVideo for VOD console in the future.

Get started

To use the multi-application service, submit a ticket to activate it, and then configure the service.