ApsaraVideo Live:Create a custom policy

Last Updated:Aug 08, 2024

You can use custom policies to meet various requirements for access control. The Resource Access Management (RAM) console allows you to configure custom policies in visualized mode or script mode. This topic describes the terms, scenarios, procedure, syntax, and examples of custom policies.

Scenarios

System policies are coarse-grained. You can create custom RAM policies for fine-grained access control.

For example, if you want to grant a RAM user only the permission to query snapshot settings of streaming domains, you can create a custom policy.

Procedure

The following examples describe how to create a custom policy.

Example 1: Grant a RAM user the permission to query snapshot settings of streaming domains

If you want to grant a RAM user only the permission to query snapshot settings of streaming domains, you can perform the following operations:

  1. On the Visual editor tab of the Create Policy page of the RAM console, choose Media Services -> ApsaraVideo Live.

  2. Unfold Read actions, enter DescribeLiveSnapshotConfig in the Filter actions search box and then select live:DescribeLiveSnapshotConfig. The DescribeLiveSnapshotConfig operation can be called to query snapshot settings of streaming domains.

  3. Click Next to edit policy information.

  4. Specify a name for the policy in the Name field and click OK.

  5. Create a RAM user and attach the policy that you created to the RAM user. For more information, see Create a RAM user and grant permissions to the RAM user.

After you attach the policy to the RAM user, if you call the DescribeLiveSnapshotConfig operation as the RAM user, the system returns snapshot settings of streaming domains. If you call another operation, the system returns a message that indicates you do not have corresponding permissions.

Example 2: Grant a RAM user the permission to query snapshot settings of streaming domains from specific IP addresses

Example 1 controls only whether the RAM user can call the DescribeLiveSnapshotConfig operation. If you want finer-grained control over the RAM user, for example, to limit the IP addresses from which the RAM user can call the DescribeLiveSnapshotConfig operation, you can perform the following operations:

  1. On the Policies page of the RAM console, enter the name of the policy that you created in Example 1 in the search box to find the policy.

  2. Click the name of the policy to go to the policy details page.

  3. On the Policy Document tab, click Modify Policy Document.

  4. On the Visual editor tab, unfold Condition and click Add condition. In the dialog box that appears, select acs:SourceIp from the Key drop-down list, select IpAddress from the Operator drop-down list, and enter the specific IP addresses that you want to allow the RAM user to use in the Value field. Click OK.

  5. Click Next to edit policy information. On the Modify Policy page, click OK.

After you perform the preceding operations, data can be returned only when the RAM user calls the DescribeLiveSnapshotConfig operation from one of the specified IP addresses. If the RAM user uses another IP address, the system returns a message that indicates the RAM user does not have corresponding permissions.

Note

For more information, see Create custom policies.

Syntax

On the Policy Document tab of the policy details page, the policy is described in the code editor. The following code provides the policy document of Example 2.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "live:DescribeLiveSnapshotConfig",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": [
                        "127.0.0.1"
                    ]
                }
            }
        }
    ]
}

Description of parameters in the preceding policy document:

  • Version

    The Version parameter defines the version of the policy. The system sets the parameter to 1.

  • Statement

    A single policy can contain multiple statements. Each statement contains the Action, Effect, and Resource elements and, optionally, a Condition element. For each request, the system checks which statements match. A matched statement has an Effect of Allow or Deny, and Deny takes precedence: if all matched statements have Effect set to Allow, the request passes authentication; if at least one matched statement has Effect set to Deny, or no statement matches, the request is denied.

  • Effect

    Effect defines the authorization effect: Allow or Deny.

  • Action

    Actions in ApsaraVideo Live correspond to API operations. The Action value is in the live:<API operation name> format. Example: live:DescribeLiveSnapshotConfig. Separate multiple Action values with commas (,). You can specify multiple Action values to obtain a permission group.

    To view all available operations, see List of operations by function.

  • Resource

    Resource specifies one or more ApsaraVideo Live resources that authorized users can access. Asterisks (*) can be used as wildcards. Resource values are in the acs:{ramCode}:{region}:{accountId}:{relative} format, and you can specify multiple resources in the Resource element. The valid values of the ramCode parameter for ApsaraVideo Live are live, cdn, and live-interaction. Set the region field to an asterisk (*). The value of the accountId parameter is the ID of your Alibaba Cloud account. The relative parameter specifies a specific resource and is generally set to an asterisk (*), as shown in Example 2. For some API operations, you can set this parameter to a specific resource.

    Note

    After you configure the policy by using the visual editor, the policy automatically uses the ramCode that corresponds to the API operation.

  • Condition

    Condition specifies the access control conditions of the policy. This element is optional.

    The following table describes the supported conditions.

    Condition           | Description                                                                   | Valid value
    acs:SourceIp        | Specifies an IP address or a CIDR block.                                      | IP addresses. Asterisks (*) can be used.
    acs:SecureTransport | Specifies whether HTTPS is used for access.                                   | true or false
    acs:MFAPresent      | Specifies whether multi-factor authentication (MFA) is used during user logon. | true or false
    acs:CurrentTime     | Specifies the valid time when the request is received.                        | Values based on the ISO 8601 standard. Example: 2012-11-11T23:59:59Z.

Note

For more information about the basic elements and syntax of policies, see Policy elements and Policy structure and syntax.

JSON

After you understand the policy syntax, you may want to configure a policy by editing a JSON script. For example, if you want to add the IP address 127.0.0.2 to the policy created in Example 2 by editing a JSON script, you can perform the following operations:

  1. On the Policies page of the RAM console, enter the name of the policy that you created in Example 1 in the search box to find the policy.

  2. Click the name of the policy to go to the policy details page.

  3. On the Policy Document tab, click Modify Policy Document. On the page that appears, click the JSON tab.

  4. Add 127.0.0.2 to the list of values of the acs:SourceIp parameter.

  5. Click Next to edit basic information. On the page that appears, click OK. The IP address is added to the policy.

The following policy document is displayed after you configure the policy.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "live:DescribeLiveSnapshotConfig",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": [
                        "127.0.0.1",
                        "127.0.0.2"
                    ]
                }
            }
        }
    ]
}

Version management

Sometimes, after you update a policy, you may want to roll back to the previous policy for some reasons. In this case, you can use the version management feature. Procedure: On the policy details page, click the Versions tab. In the Actions column that corresponds to the version to which you want to roll back, click Use This Version.

Important

A maximum of five versions can be maintained for a policy.

Advanced usage

You have learned how to create a custom policy to grant permissions. Suppose that you now have the following additional business requirements:

  • You want to control the permissions on calling the AddLiveAppSnapshotConfig operation that configures snapshot settings for streaming domains.

  • You want the authorized RAM user to configure snapshot settings for only Domain A and Domain B.

To meet the preceding authorization requirements, you can perform the following operations:

  1. On the Visual editor tab of the Create Policy page of the RAM console, choose Media Services -> ApsaraVideo Live.

  2. Unfold Write actions, enter AddLiveAppSnapshotConfig in the Filter actions search box and then select live:AddLiveAppSnapshotConfig. The AddLiveAppSnapshotConfig operation can be called to configure snapshot settings for streaming domains.

  3. In the Resource section, select Specified Resource(s) and click Add resource. In the dialog box that appears, enter an asterisk (*) for the Account parameter and enter Domain A for the Resource parameter. Add Domain B by performing similar operations.

  4. Click Next to edit policy information.

  5. Specify a name for the policy in the Name field and click OK. The following code provides the policy document.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "live:AddLiveAppSnapshotConfig",
                "Resource": [
                    "acs:cdn:*:*:domain/domainA",
                    "acs:cdn:*:*:domain/domainB"
                ]
            }
        ]
    }

  6. Attach the policy that you created to the RAM user.

After you perform the preceding operations, the authorized RAM user can configure snapshot settings only for Domain A and Domain B.

Note

API operations support different resource control formats. We recommend that you use the visual editor to configure fine-grained permission control.
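The evaluation rules described under Syntax (Action and Resource matching with asterisk wildcards, the IpAddress condition on acs:SourceIp, Deny precedence, and default deny) and the domain-scoped Resource values from the Advanced usage section, as an added worked example that is not part of this document and not RAM's own engine: a simplified local model in which the two policy documents are constructed after the ones shown above, and only the IpAddress operator is modelled (other operators fail closed).

```python
import fnmatch
import ipaddress

# Constructed policy documents modelled on the two shown on this page.
IP_SCOPED_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "live:DescribeLiveSnapshotConfig", "Resource": "*",
    "Condition": {"IpAddress": {"acs:SourceIp": ["127.0.0.1", "127.0.0.2"]}}}]}
DOMAIN_SCOPED_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "live:AddLiveAppSnapshotConfig",
    "Resource": ["acs:cdn:*:*:domain/domainA", "acs:cdn:*:*:domain/domainB"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_matches(source_ip, patterns):
    """IpAddress operator: exact address, CIDR block, or asterisk pattern."""
    ip = ipaddress.ip_address(source_ip)
    for pattern in patterns:
        if "/" in pattern:
            if ip in ipaddress.ip_network(pattern, strict=False):
                return True
        elif "*" in pattern:
            if fnmatch.fnmatchcase(source_ip, pattern):
                return True
        elif ip == ipaddress.ip_address(pattern):
            return True
    return False

def _statement_matches(stmt, action, resource, ctx):
    """A statement matches when Action, Resource and every Condition key match."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            # Missing context key, or an operator this model does not cover: fail closed.
            if key not in ctx or operator != "IpAddress":
                return False
            if not _ip_matches(ctx[key], _as_list(values)):
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Deny wins over Allow; a request matching no statement is denied."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, ctx or {})]
    return bool(effects) and "Deny" not in effects
```

A call such as `is_allowed(IP_SCOPED_POLICY, "live:DescribeLiveSnapshotConfig", "acs:live:*:123:*", {"acs:SourceIp": "127.0.0.2"})` returns True, while the same request from any other source address, or any other action, is denied.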