edit-icon download-icon

Set subaccounts to log on to the ApsaraVideo Live console by using RAM set

Last Updated: Dec 07, 2017

What is RAM

Through Alibaba Cloud Resource Access Management (RAM), you can provide required permissions to the subaccounts for the live broadcast in the ApsaraVideo Live console.

One primary account can create multiple subaccounts. By authorizing the subaccounts certain access functions, you can restrict their use of resources and functions for the purpose of unified management. For more inforamtion, see What is RAM.

Subaccount permissions mainly include authorization to use ApsaraVideo Live and OSS and CDN resource objects. We recommend that you plan the resource instances of such services for a subaccount, create authorization policies based on the corresponding authorization templates, and then grant the permissions to the subaccount.

RAM restrictions

RAM users cannot possess resources and they are not billed independently. These users are centrally controlled and billed under your Alibaba Cloud account. You can create separate passwords or keys for each RAM user, but these users do not have any operation permissions by default. RAM provides an access-policy-based authorization to help you grant fine-grained authority to the RAM users.

You must grant the following permissions to your subaccounts to use ApsaraVideo Live console functions:

Authorization operations

Authorization on ApsaraVideo Live

If a subaccount is required to use ApsaraVideo Live, you must grant the subaccount the permission to use ApsaraVideo Live. You can directly use the built-inAliyunLiveFullAccessauthorization policy as follows:

  1. Log on to the RAM console.

  2. Click Users.

  3. Select User Name and click Authorize from the Actions column to grant theAliyunLiveFullAccesspermission to the specified subaccount.



Description of custom authorization policy creation

You can customize authorization policies and assign them to specified subaccounts as follows:

  1. Log on to the RAM console.

  2. Click Policies.

  3. Click Custom Policy .

  4. Click Create Authorization Policy to create custom authorization policies as the following samples for the specified resource instance and grant the policies to the specified subaccount.






    Note: After the authorization policies are created for various service resource objects, you can grant the permissions to the corresponding subaccounts.

The following are OSS and CDN authorization policies. You can grant corresponding permissions to subaccounts as needed.

OSS authorization policy

Permission description:

  1. All operation permissions on specified buckets;
  2. Permission to view the bucket list;
  1. {
  2. "Version": "1",
  3. "Statement": [
  4. {
  5. "Action": [
  6. "oss:*"
  7. ],
  8. "Resource": [
  9. "acs:oss:*:*:$Bucket",
  10. "acs:oss:*:*:$Bucket/*"
  11. ],
  12. "Effect": "Allow"
  13. },
  14. {
  15. "Action": [
  16. "oss:ListBuckets"
  17. ],
  18. "Resource": "*",
  19. "Effect": "Allow"
  20. }
  21. ]
  22. }

CDN authorization policy

Permission description:

  1. All permissions on specified CDN domains;
  2. Permission to query CDN domains;
  1. {
  2. "Version": "1",
  3. "Statement": [
  4. {
  5. "Action": "cdn:*",
  6. "Resource": [
  7. "acs:cdn:*:$Uid:domain/$DomainName"
  8. ],
  9. "Effect": "Allow"
  10. },
  11. {
  12. "Action": "cdn:Describe*",
  13. "Resource": "*",
  14. "Effect": "Allow"
  15. }
  16. ]
  17. }

The following variables are used in the resource authorization policies of each service. Replace them with your actual resource instance name:

Description of variables

  1. Uid

    $Uid: Alibaba Cloud account ID. You can query it through Alibaba Cloud console > Account Management > Security Settings.


  2. Bucket

    $Bucket: OSS Bucket.

  3. CDN

    $DomainName: Name of the CDN domain.

Thank you! We've received your feedback.