ApsaraVideo VOD: Create a custom policy

Last Updated: Jan 22, 2024

If the policies in ApsaraVideo VOD do not meet your business requirements, you can create a custom policy for fine-grained authorization. For example, you can grant permissions only to specific users to access media resources in ApsaraVideo VOD or grant only permissions on media review to users.

Methods to create a custom policy

  • Create a custom policy on the Visual editor tab

    When you create a custom policy on the Visual Editor Beta tab, you need to select configuration items in the Effect, Service, Action, Resource, and Condition sections. Then, the system checks your configurations. This ensures the validity of the custom policy. On this tab, you can perform simple operations to create a custom policy.

  • Create a custom policy on the JSON tab

    When you create a custom policy on the JSON tab, you must write a policy document based on the syntax and structure of Resource Access Management (RAM) policies. On this tab, you can create a custom policy in a flexible manner. This method is suitable for users who are familiar with the syntax and structure of RAM policies.

  • Create a custom policy by importing a policy template

    RAM provides policy templates that are created based on years of business practices and are suitable for common scenarios. For example, RAM provides policy templates that are applicable to system administrators, financial personnel, and network administrators. You only need to import an appropriate policy template and modify the template based on your business requirements. This way, you can create a custom policy in a convenient manner.

  • Create a custom policy by importing a system policy template

    You can import a system policy template and modify the policy template based on your business requirements. This way, you can create a custom policy in a convenient and efficient manner.

Example of how to create a custom policy

Note

The following example shows how to create a custom policy by using a script on the JSON tab.

Prerequisites

Before you use a script to specify a policy, you must familiarize yourself with the basic elements and syntax of the policy. For more information, see Policy elements and Policy structure and syntax.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the following policy content in the code editor and click Next to edit policy information.

    For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

  6. Specify the Name and Description fields.

  7. Check and optimize the content of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • (Optional) Advanced optimization

      You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  8. Click OK.

Custom policy examples

Note

You can obtain the names of API operations listed under Action from List of operations by function in ApsaraVideo VOD or List of operations by function in OSS.

The policy that prohibits the upload of objects whose ACL is public read to OSS buckets

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PostObject",
        "oss:CopyObject",
        "oss:AppendObject",
        "oss:InitiateMultipartUpload",
        "oss:MultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:PutObjectAcl",
        "oss:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": [
            "public-read-write",
            "public-read"
          ]
        }
      }
    }
  ]
}

The policy that allows requesters only from the IP address 192.168.XX.XX to call playback operations

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vod:GetPlayInfo",
                "vod:GetVideoPlayAuth",
                "vod:GetVideoPlayInfo",
                "vod:GetVideoInfo"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": "192.168.XX.XX"
                }
            }
        }
    ]
}
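
How the two conditional policies above behave on sample requests, as an added example that is not part of the original page or of RAM itself: a simplified model of policy evaluation (explicit Deny first, then Allow, otherwise implicit deny). The Action lists are abridged, `ALLOW_UPLOAD` and the address 192.168.0.10 are constructed for illustration, and the model assumes that a condition whose key is absent from the request is not met.

```python
import ipaddress

# Page's deny policy, Action list abridged to two entries for brevity.
DENY_PUBLIC_ACL = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["oss:PutObject", "oss:PutObjectAcl"], "Resource": "*",
    "Condition": {"StringEquals": {"oss:x-oss-object-acl": ["public-read-write", "public-read"]}}}]}
# Constructed policy (not on the page) so there is an Allow for the Deny to override.
ALLOW_UPLOAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:PutObject"], "Resource": "*"}]}
# Page's playback policy, abridged; 192.168.0.10 is a constructed stand-in address.
PLAY_FROM_IP = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["vod:GetPlayInfo", "vod:GetVideoPlayAuth"],
    "Resource": "*", "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.10"}}}]}

def condition_met(condition, ctx):
    """Every operator/key pair must hold; listed values for one key are alternatives."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if actual is None:
                return False  # assumption: key absent from the request -> not met
            if operator == "StringEquals":
                hit = actual in wanted
            elif operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                hit = any(addr in ipaddress.ip_network(w, strict=False) for w in wanted)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not hit:
                return False
    return True

def evaluate(policies, action, ctx):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny'. Resource is '*' throughout."""
    result = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:  # Action is always a list in these policies
            if action in st["Action"] and condition_met(st.get("Condition", {}), ctx):
                if st["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny overrides any Allow
                result = "Allow"
    return result

if __name__ == "__main__":
    both = [ALLOW_UPLOAD, DENY_PUBLIC_ACL]
    for ctx in ({"oss:x-oss-object-acl": "public-read"}, {"oss:x-oss-object-acl": "private"}, {}):
        print(ctx, "->", evaluate(both, "oss:PutObject", ctx))
    for ip in ("192.168.0.10", "192.168.0.11"):
        print(ip, "->", evaluate([PLAY_FROM_IP], "vod:GetPlayInfo", {"acs:SourceIp": ip}))
```

In this model the Deny statement grants nothing on its own and does not match an upload that sends no `x-oss-object-acl` value. Likewise, the IP-restricted Allow restricts nothing if another attached policy allows the same playback actions without a condition.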

The policy for media review

Note

To ensure the integrity of permissions, if you add a new API operation to an API group, you must update the Action list in the following example.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vod:SetAuditSecurityIp",
                "vod:ListAuditSecurityIp",
                "vod:CreateAudit",
                "vod:GetAuditHistory",
                "vod:SubmitAIMediaAuditJob",
                "vod:GetAIMediaAuditJob",
                "vod:GetMediaAuditResult",
                "vod:GetMediaAuditResultDetail",
                "vod:GetMediaAuditResultTimeline"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The policy for online editing

Note

To ensure the integrity of permissions, if you add a new API operation to an API group, you must update the Action list in the following example.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vod:ProduceEditingProjectVideo",
                "vod:AddEditingProject",
                "vod:UpdateEditingProject",
                "vod:DeleteEditingProject",
                "vod:GetEditingProject",
                "vod:SearchEditingProject",
                "vod:SetEditingProjectMaterials",
                "vod:GetEditingProjectMaterials"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
