
Object Storage Service:Permissions

Last Updated:Dec 26, 2024

To use the features of Intelligent Media Management (IMM) as a RAM user, you must grant the required permissions to the RAM user. This topic describes permissions that are required to use IMM features in Object Storage Service (OSS).

Permission overview

When you access IMM capabilities by using the x-oss-process or x-oss-async-process operation of OSS, the following permissions must be granted:

  • Grant the RAM user the permissions to perform operations in OSS.

  • Grant the RAM user the permissions to use the corresponding data processing features of IMM.

  • Grant the IMM service the permissions to access OSS and other relevant services.

  • Grant the IMM service the permissions required in data processing scenarios based on batch processors or triggers.

Grant access permissions on OSS to the RAM user

To use the data processing capabilities of IMM as a RAM user based on the x-oss-process or x-oss-async-process operation, you must grant the required OSS access permissions to the RAM user. For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user. You can grant permissions by using a system policy or a custom policy. The system policy AliyunOSSFullAccess grants full access to OSS. If you use a custom policy, make sure that the policy contains at least the permissions marked as required in the following table, and add the optional ones only for the features you actually use.

Permission | Required | Description
--- | --- | ---
oss:GetObject | Yes | Grants read access to OSS objects.
oss:ProcessImm | Yes | Allows the use of data processing capabilities of IMM in OSS.
oss:PostProcessTask | No | Grants access to data processing capabilities by using the POST method. For example, this permission is required to use x-oss-async-process to process data.
oss:PutObject | No | Allows data uploads to OSS. This permission is required to save processing results to OSS (sys/saveas).

Grant access permissions on IMM to the RAM user

To use the data processing capabilities of IMM as a RAM user based on the x-oss-process or x-oss-async-process operation, you must grant the required IMM access permissions to the RAM user. For more information about how to configure permissions, see Grant permissions to a RAM user.

The system policy AliyunIMMFullAccess grants full access to IMM. If you require only specific capabilities, you can use a custom policy to grant only the required permissions. The following table describes the permissions corresponding to IMM operations.

Operation | Description | Permission
--- | --- | ---
image/cropping | Automatically crops an image. | imm:DetectImageCropping
image/faces | Detects faces in images. | imm:DetectImageFaces
video/convert | Transcodes a video. | imm:CreateMediaConvertTask
video/animation | Creates an animated image from a video. | imm:CreateMediaConvertTask
video/sprite | Generates a sprite from a video. | imm:CreateMediaConvertTask
video/snapshots | Captures frames from a video. | imm:CreateMediaConvertTask
video/concat | Merges videos. | imm:CreateMediaConvertTask
video/info | Extracts video information. | imm:DetectMediaMeta
audio/convert | Transcodes an audio file. | imm:CreateMediaConvertTask
audio/concat | Merges audio files. | imm:CreateMediaConvertTask
audio/info | Extracts audio information. | imm:DetectMediaMeta
doc/convert | Converts a document into the specified format. | imm:CreateOfficeConversionTask
doc/edit | Edits a document. | imm:GenerateWebofficeToken
doc/preview | Previews a document. | imm:GenerateWebofficeToken
doc/snapshot | Creates a document thumbnail. | imm:CreateOfficeConversionTask
pointcloud/compress | Compresses a point cloud file. | imm:CreateCompressPointCloudTask
hls/m3u8 | Generates a video playlist. | imm:GenerateVideoPlaylist
hls/ts | Creates a live transcoding task. | imm:LiveTranscoding

To use IMM capabilities to process data in an OSS bucket, you must bind the bucket to an IMM project. When you create an IMM project, you must specify a service role. By default, the role AliyunIMMDefaultRole applies. If you access the service as a RAM user or RAM role, that RAM user or role must additionally be allowed to pass the project's service role to IMM, that is, to perform the ram:PassRole operation on that role. The following sample statement grants this permission for the default service role:

{
    "Effect": "Allow",
    "Action": "ram:PassRole",
    "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
}
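The two tables above and the PassRole requirement can be turned into a pre-deployment check on a custom policy. The following Python is an added example, not Alibaba Cloud code: it encodes the OSS table, the operation-to-permission table and the PassRole statement as data, then reports which (action, resource) pairs a RAM policy still lacks for a chosen set of x-oss-process operations. Mapping RAM "*" wildcards onto fnmatch and comparing action names case-insensitively are assumptions of the example.

```python
import fnmatch

# Added example, not Alibaba Cloud code: the two tables above and the PassRole
# requirement encoded as data, plus a check that reports what a RAM policy lacks.
# Assumptions: RAM "*" wildcards map onto fnmatch, and action names compare
# case-insensitively.

OSS_REQUIRED = ("oss:GetObject", "oss:ProcessImm")     # needed for any IMM processing
OSS_ASYNC = "oss:PostProcessTask"                      # needed for x-oss-async-process
OSS_SAVEAS = "oss:PutObject"                           # needed for sys/saveas
PASS_ROLE = ("ram:PassRole", "acs:ram:*:*:role/aliyunimmdefaultrole")

IMM_OPERATIONS = {  # IMM permission -> the x-oss-process operations it covers
    "imm:DetectImageCropping": ["image/cropping"],
    "imm:DetectImageFaces": ["image/faces"],
    "imm:CreateMediaConvertTask": ["video/convert", "video/animation", "video/sprite",
                                   "video/snapshots", "video/concat", "audio/convert",
                                   "audio/concat"],
    "imm:DetectMediaMeta": ["video/info", "audio/info"],
    "imm:CreateOfficeConversionTask": ["doc/convert", "doc/snapshot"],
    "imm:GenerateWebofficeToken": ["doc/edit", "doc/preview"],
    "imm:CreateCompressPointCloudTask": ["pointcloud/compress"],
    "imm:GenerateVideoPlaylist": ["hls/m3u8"],
    "imm:LiveTranscoding": ["hls/ts"],
}
IMM_PERMISSION = {op: perm for perm, ops in IMM_OPERATIONS.items() for op in ops}


def grants(policy, action, resource):
    """True if an Allow statement covers action and resource (Deny is not evaluated)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts, res = st["Action"], st.get("Resource", "*")
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts) and \
           any(fnmatch.fnmatchcase(resource, r) for r in res):
            return True
    return False


def missing_permissions(policy, operations, bucket, use_async=False, saveas=False):
    """Return sorted (action, resource) pairs the policy lacks for these operations."""
    objects = "acs:oss:*:*:%s/*" % bucket   # every object in the bucket, as RAM writes it
    needed = [(a, objects) for a in OSS_REQUIRED]
    needed += [(a, objects) for a, on in ((OSS_ASYNC, use_async), (OSS_SAVEAS, saveas)) if on]
    needed += [(IMM_PERMISSION[op], "*") for op in operations] + [PASS_ROLE]
    return sorted(n for n in needed if not grants(policy, *n))
```

Running the check against a policy scoped to one bucket shows at a glance which entries (typically oss:PutObject for sys/saveas and ram:PassRole) were forgotten, and that a policy for one bucket does not cover another.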

Grant access permissions on other cloud services to IMM

IMM requires access to other relevant services for data processing. For example, to read data that is stored in OSS, write output data to OSS, and send notifications to Simple Message Queue (SMQ), you must authorize IMM to access OSS and SMQ.

The default service role allows IMM to access the relevant services. If you want to narrow down the permissions, you can create a service role that has only the permissions required for your scenario and specify that service role when you create a project. For more information, see Configure a service role for a project.

Grant permissions required for batch processor or trigger scenarios

To use batch processors and triggers, you must authorize IMM to access other cloud services, such as OSS. If no service role is available, you can create the default service role on the Cloud Resource Access Authorization page.

Examples

Grant full access permissions

The following sample RAM policy allows a user to access all data processing capabilities of IMM from OSS:

{
    "Statement":[
        {
            "Effect":"Allow",
            "Action":"oss:*",
            "Resource":"*"
        },
        {
            "Effect":"Allow",
            "Action":"imm:*",
            "Resource":"*"
        },
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
        }
    ],
    "Version":"1"
}

Grant permissions on specific operations

The following sample RAM policy allows a user to access document processing features in a specific OSS bucket:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:PostProcessTask",
                "oss:ProcessImm"
            ],
            "Resource": [
                "acs:oss:*:*:bucketname1/*",
                "acs:oss:*:*:bucketname2/*"
            ]
        },
        {
            "Action": [
                "imm:CreateOfficeConversionTask",
                "imm:GetWebofficeURL"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
        }
    ],
    "Version": "1"
}

Grant the permissions required in a batch processor or trigger scenario

The following sample RAM policy, attached to the IMM service role, allows IMM to perform the specified OSS actions:

{
    "Statement":[
        {
            "Action":[
                "oss:Get*",
                "oss:List*",
                "oss:Process*",
                "oss:PostProcess*",
                "oss:Put*",
                "oss:PutBucketInventory",
                "oss:GetBucketInventory",
                "oss:ListBucketInventory",
                "oss:DeleteBucketInventory",
                "oss:PutBucketNotification",
                "oss:DeleteBucketNotification",
                "oss:StartEventRecord",
                "oss:StopEventRecord",
                "oss:GetEventRecordStatus"
            ],
            "Resource":"*",
            "Effect":"Allow"
        }
    ],
    "Version":"1"
}