If the policies in ApsaraVideo VOD do not meet your business requirements, you can create a custom policy for fine-grained authorization. For example, you can grant only specific users access to media resources in ApsaraVideo VOD, or grant users only the permissions on media review.
Methods to create a custom policy
Create a custom policy on the Visual Editor tab
When you create a custom policy on the Visual Editor Beta tab, you need to select configuration items in the Effect, Service, Action, Resource, and Condition sections. Then, the system checks your configurations. This ensures the validity of the custom policy. On this tab, you can perform simple operations to create a custom policy.
Create a custom policy on the JSON tab
When you create a custom policy on the JSON tab, you must compile a policy document based on the syntax and structure of Resource Access Management (RAM) policies. On this tab, you can create a custom policy in a flexible manner. This method is suitable for users who are familiar with the syntax and structure of RAM policies.
Create a custom policy by importing a policy template
RAM provides policy templates that are created based on years of business practices and are suitable for common scenarios. For example, RAM provides policy templates that are applicable to system administrators, financial personnel, and network administrators. You only need to import an appropriate policy template and modify it based on your business requirements. This way, you can create a custom policy in a convenient manner.
Create a custom policy by importing a system policy template
You can import a system policy template and modify the policy template based on your business requirements. This way, you can create a custom policy in a convenient and efficient manner.
Example of how to create a custom policy
The following example shows how to create a custom policy by using a script.
Prerequisites
Before you use a script to specify a policy, you must familiarize yourself with the basic elements and syntax of the policy. For more information, see Policy elements and Policy structure and syntax.
Procedure
Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.
In the left-side navigation pane, choose
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the following policy content in the code editor and click Next to edit policy information.
For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
Specify the Name and Description fields.
Check and optimize the content of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
(Optional) Advanced optimization
You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Custom policy examples
You can obtain the names of API operations listed under Action from List of operations by function in ApsaraVideo VOD or List of operations by function in OSS.
The policy that prohibits the upload of objects whose ACL is public read to OSS buckets
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PostObject",
        "oss:CopyObject",
        "oss:AppendObject",
        "oss:InitiateMultipartUpload",
        "oss:MultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:PutObjectAcl",
        "oss:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": [
            "public-read-write",
            "public-read"
          ]
        }
      }
    }
  ]
}
The policy that allows requesters only from the IP address 192.168.XX.XX to call playback operations
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:GetPlayInfo",
        "vod:GetVideoPlayAuth",
        "vod:GetVideoPlayInfo",
        "vod:GetVideoInfo"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "192.168.XX.XX"
        }
      }
    }
  ]
}
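The two conditional policies above can be checked offline before they are attached. The following Python sketch is an added example, not Alibaba Cloud code: it models RAM evaluation in simplified form (explicit Deny first, then Allow, otherwise implicit deny) for the StringEquals and IpAddress operators only. The function names, the IP address 192.168.0.10 and the broad ALLOW_OSS policy are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Simplified model (assumption of this example): explicit Deny wins, then any matching
# Allow, else implicit deny. Resource is not modelled (every statement here uses "*").
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _conditions_match(conditions, ctx):
    # All operators and keys must match (AND); values for one key are alternatives (OR).
    for op, keys in conditions.items():
        for key, wanted in keys.items():
            actual = ctx.get(key)
            if actual is None:  # key absent from the request: statement does not apply
                return False
            if op == "StringEquals":
                hit = actual in _as_list(wanted)
            elif op == "IpAddress":
                ip = ipaddress.ip_address(actual)
                hit = any(ip in ipaddress.ip_network(w, strict=False) for w in _as_list(wanted))
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not hit:
                return False
    return True

def evaluate(policies, action, ctx):
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not _conditions_match(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

DENY_PUBLIC_ACL = {"Version": "1", "Statement": [{  # Action list trimmed from the page
    "Effect": "Deny", "Action": ["oss:PutObject", "oss:PutObjectAcl"], "Resource": "*",
    "Condition": {"StringEquals": {"oss:x-oss-object-acl": ["public-read-write", "public-read"]}}}]}
PLAYBACK = {"Version": "1", "Statement": [{  # constructed IP replaces the masked one
    "Effect": "Allow", "Action": ["vod:GetPlayInfo", "vod:GetVideoPlayAuth"], "Resource": "*",
    "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.10"}}}]}
ALLOW_OSS = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(evaluate([ALLOW_OSS, DENY_PUBLIC_ACL], "oss:PutObject", {}))  # ACL value absent
```

In this model a PutObject request that carries no oss:x-oss-object-acl value is not matched by the Deny statement, so the restriction only applies when the condition key is present in the request.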
The policy for media review
To ensure the integrity of permissions, if you add a new API operation to an API group, you must update the Action list in the following example.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:SetAuditSecurityIp",
        "vod:ListAuditSecurityIp",
        "vod:CreateAudit",
        "vod:GetAuditHistory",
        "vod:SubmitAIMediaAuditJob",
        "vod:GetAIMediaAuditJob",
        "vod:GetMediaAuditResult",
        "vod:GetMediaAuditResultDetail",
        "vod:GetMediaAuditResultTimeline"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
The policy for online editing
To ensure the integrity of permissions, if you add a new API operation to an API group, you must update the Action list in the following example.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vod:ProduceEditingProjectVideo",
        "vod:AddEditingProject",
        "vod:UpdateEditingProject",
        "vod:DeleteEditingProject",
        "vod:GetEditingProject",
        "vod:SearchEditingProject",
        "vod:SetEditingProjectMaterials",
        "vod:GetEditingProjectMaterials"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
References
For more information about policies, see Policy overview.
After you create a custom policy, you can grant permissions to a RAM user or RAM user group. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.