If system policies do not meet your requirements, configure custom policies to implement the principle of least privilege and achieve fine-grained control over permissions.
Before you begin
To learn how to create a custom policy, see Create custom policies.
VOD defines the values that you can use in the Action element of a policy statement. For details, see RAM authorization. The custom policies for VOD may involve access to and management of OSS resources. For details, see List of operations by function (OSS).
Common scenarios and sample custom policies
Prohibit upload of objects whose ACL is public read to OSS buckets
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PostObject",
        "oss:CopyObject",
        "oss:AppendObject",
        "oss:InitiateMultipartUpload",
        "oss:MultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:PutObjectAcl",
        "oss:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": ["public-read-write", "public-read"]
        }
      }
    }
  ]
}
Allow requesters only from 192.168.XX.XX to call specified playback operations
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:GetPlayInfo",
        "vod:GetVideoPlayAuth",
        "vod:GetVideoPlayInfo",
        "vod:GetVideoInfo"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "192.168.XX.XX"
        }
      }
    }
  ]
}
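The following added example (not part of the original documentation and not Alibaba Cloud code) models how the Deny statement with StringEquals and the Allow statement with IpAddress from the two policies above combine for a single request. It assumes that an explicit Deny overrides any Allow, that a request matching no statement is implicitly denied, and that a condition key absent from the request does not match; the policy is constructed (the Action lists are shortened, oss:PutObject is added to the Allow statement to show the override, and 203.0.113.0/24 is a placeholder for the masked 192.168.XX.XX), and Resource and wildcard matching are not modelled.

```python
import ipaddress

# Constructed policy combining the page's two statements; 203.0.113.0/24 is a
# placeholder documentation range standing in for the masked 192.168.XX.XX.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Deny",
     "Action": ["oss:PutObject", "oss:PutObjectAcl"],
     "Resource": "*",
     "Condition": {"StringEquals": {
         "oss:x-oss-object-acl": ["public-read-write", "public-read"]}}},
    {"Effect": "Allow",
     "Action": ["vod:GetPlayInfo", "vod:GetVideoPlayAuth", "oss:PutObject"],
     "Resource": "*",
     "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(cond, ctx):
    """Every operator and key must match; any one listed value may match."""
    for op, keys in cond.items():
        for key, wanted in keys.items():
            have = ctx.get(key)
            if have is None:
                return False  # assumption: a key missing from the request does not match
            if op == "StringEquals":
                ok = have in _as_list(wanted)
            elif op == "IpAddress":
                addr = ipaddress.ip_address(have)
                ok = any(addr in ipaddress.ip_network(w, strict=False)
                         for w in _as_list(wanted))
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True

def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if action in _as_list(st["Action"]) and _condition_holds(st.get("Condition", {}), ctx):
            if st["Effect"] == "Deny":
                return "Deny"  # explicit Deny overrides any Allow
            decision = "Allow"
    return decision
```

In this model an upload that omits the ACL header is not matched by the Deny statement, so whether such an object ends up publicly readable depends on the bucket's own ACL.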
Grant permissions for media review
To ensure the integrity of permissions, if you add a new API operation to an API group, you must update the Action list in the following example.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:SetAuditSecurityIp",
        "vod:ListAuditSecurityIp",
        "vod:CreateAudit",
        "vod:GetAuditHistory",
        "vod:SubmitAIMediaAuditJob",
        "vod:GetAIMediaAuditJob",
        "vod:GetMediaAuditResult",
        "vod:GetMediaAuditResultDetail",
        "vod:GetMediaAuditResultTimeline"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Grant permissions for online editing
To ensure the integrity of permissions, if you add a new API operation to an API group, you must update the Action list in the following example.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:ProduceEditingProjectVideo",
        "vod:AddEditingProject",
        "vod:UpdateEditingProject",
        "vod:DeleteEditingProject",
        "vod:GetEditingProject",
        "vod:SearchEditingProject",
        "vod:SetEditingProjectMaterials",
        "vod:GetEditingProjectMaterials"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}