The multi-application service allows you to isolate the resources, configurations, and data of different users within the same account. You can call API operations to manage applications and grant permissions to identity entities. This topic describes the usage scenarios and limits of the multi-application service, and how to manage applications and grant permissions to identity entities.
Introduction
When you use ApsaraVideo VOD, you may need to isolate the resources, configurations, and data of multiple users within the same account. Here, "users" can be different environments, business lines, or channels.
ApsaraVideo VOD provides the multi-application service to implement isolation between multiple users. By default, the multi-application service is deactivated. You can apply to activate the service and complete the related configurations. You can also use Resource Access Management (RAM) to manage permissions. For more information, see Overview of the multi-application service.
Scenarios
Isolation of multiple environments:
In testing and online environments, resources such as videos and images, configurations, and data must be isolated. For example, different callback URL configurations must be isolated. You can use the multi-application service to create an application for each environment, associate different RAM users with these applications, and grant permissions to the RAM users. This helps prevent impacts from applications that are being tested or developed on online applications.
Isolation of multiple business lines:
When your business has multiple business lines or multiple departments that need to use ApsaraVideo VOD, you can use the multi-application service to create an application for each business line or department for isolation.
Isolation of multiple channels:
If you want to build platform services based on the capabilities of ApsaraVideo VOD for multiple channels or users, you can use the multi-application service.
Limits
You can create up to 10 applications within the same account. If you want to increase the quota, submit a request on Yida.
The multi-application service supports isolation only for media upload, audio and video playback, media management, and callbacks.
The multi-application service implements isolation only at the metadata level, not at the physical storage level. Separate billing for each application is not supported. Physical isolation such as domain name isolation and storage isolation will be supported in the future.
The multi-application service is unavailable in the China (Hong Kong) region.
Application management
Application types
After you activate the multi-application service, you can create custom applications. To ensure that the multi-application service is compatible with new and existing resources, ApsaraVideo VOD provides the default application. The default application cannot be deleted. The following table describes the two types of applications.
| Application type | Description | Associated resource | Permission |
| --- | --- | --- | --- |
| System | Default application | All existing resources are in the default application. If you do not specify an application when you create new resources, the new resources are also created in the default application. | To prevent impacts on your existing business, all the identity entities (RAM users or RAM roles) within your Alibaba Cloud account are granted full permissions on the default application. The permissions can be revoked by the Alibaba Cloud account. |
| Custom | Custom application | By default, no resources exist in custom applications. You can create new resources in custom applications. You can also migrate existing resources to custom applications. | Identity entities within your Alibaba Cloud account can access the resources in an application only after the identity entities are granted access permissions. |
Application IDs
The ID of the default application is app-1000000. The IDs of custom applications are in the app-xxxxxxx format.
Note: You can call the ListAppInfo operation to query the IDs of applications that you are authorized to access.
Management
You can call API operations of the multi-application service to create, query, update, and delete applications. For more information, see the "Multi-application service" section of the List of operations by function topic. The multi-application service will be available in the ApsaraVideo VOD console in the future.
Account authorization
Accounts in Alibaba Cloud include Alibaba Cloud accounts, RAM users, and RAM roles. You can grant the access permissions of an application to a specified identity entity (RAM user or RAM role).
Policies
ApsaraVideo VOD provides the following policies to grant permissions to identity entities.
| Policy | Limit | Scope | Operation permission |
| --- | --- | --- | --- |
| VODAppAdministratorAccess | Grants all permissions of the application administrator | All applications | Permissions to manage all applications in the Alibaba Cloud account and all resources in the applications |
| VODAppFullAccess | Grants permissions to manage all resources in a specified application | Single application | Permissions to manage all resources in a specified application |
| VODAppReadOnlyAccess | Grants read-only permissions on all resources in a specified application | Single application | Permissions to perform read operations on all resources in a specified application, such as operations that start with Get, Describe, Search, and List |
Permissions of Alibaba Cloud accounts
An Alibaba Cloud account has all the permissions of the application administrator (VODAppAdministratorAccess). The permissions of an Alibaba Cloud account cannot be changed. For example, the permissions of the Alibaba Cloud account on an application cannot be revoked. The application administrator has the following permissions:
Create, delete, modify, and query all applications in the Alibaba Cloud account.
Create, delete, modify, and query all resources, configurations, and data in each application.
Grant permissions to identity entities (RAM users or RAM roles) in the Alibaba Cloud account or revoke the permissions. The application administrator cannot revoke its own permissions.
Permissions of RAM users or RAM roles
Before a RAM user or a RAM role can use the multi-application service, the Alibaba Cloud account of the RAM user or the RAM role must attach the VODFullAccess policy to the RAM user or the RAM role in the RAM console. To grant fine-grained permissions on resources in ApsaraVideo VOD, you must use the multi-application service. The permissions of an identity entity are the intersection of RAM permissions and the permissions granted by the multi-application service in ApsaraVideo VOD.
To ensure that the multi-application service is compatible with new and existing resources, the VODAppFullAccess policy that allows full access to the default application is attached to all RAM users and RAM roles. The application administrator can revoke or re-grant the permissions.
A RAM user or a RAM role can query the applications that the RAM user or the RAM role is authorized to access. After the RAM user or the RAM role is granted permissions on an application, the RAM user or the RAM role can perform related operations on resources such as media assets and callbacks in this application.
If the VODAppAdministratorAccess policy is attached to a RAM user or a RAM role, the RAM user or the RAM role can manage all applications and resources in the Alibaba Cloud account.
To migrate resources between two applications, a RAM user or a RAM role must have the read and write permissions on both applications.
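An added example, not part of the original documentation and not ApsaraVideo VOD code: a small Python model of the rules above (intersection of RAM and application-level permissions, the default grant on app-1000000, the read-only prefixes, and the migration requirement) that can be used to reason about which applications an identity can still modify. The class and function names are hypothetical, and the custom application IDs and operation names used as inputs are constructed sample values.

```python
# Illustrative model of the rules on this page; not ApsaraVideo VOD code.
from dataclasses import dataclass, field

DEFAULT_APP = "app-1000000"                      # default application ID (from the page)
READ_PREFIXES = ("Get", "Describe", "Search", "List")

def _default_grants():
    # Compatibility default: full access to the default application.
    return {DEFAULT_APP: "VODAppFullAccess"}

@dataclass
class Identity:
    name: str
    ram_vod_full_access: bool = False            # VODFullAccess attached in RAM
    app_admin: bool = False                      # VODAppAdministratorAccess
    app_policies: dict = field(default_factory=_default_grants)

def app_layer_allows(identity, app_id, operation):
    """Decision of the multi-application layer alone."""
    if identity.app_admin:
        return True                              # scope: all applications
    policy = identity.app_policies.get(app_id)
    if policy == "VODAppFullAccess":
        return True
    if policy == "VODAppReadOnlyAccess":
        return operation.startswith(READ_PREFIXES)
    return False                                 # no grant on this application

def is_allowed(identity, app_id, operation):
    """Effective permission: RAM permission AND application-level permission."""
    return identity.ram_vod_full_access and app_layer_allows(identity, app_id, operation)

def writable_apps(identity, app_ids):
    """Applications where the identity can modify resources (audit helper)."""
    # "DeleteVideo" stands in for any non-read operation (sample input).
    return [a for a in app_ids if is_allowed(identity, a, "DeleteVideo")]

def can_migrate(identity, source_app, target_app):
    """Migration requires read and write permissions on both applications."""
    return writable_apps(identity, [source_app, target_app]) == [source_app, target_app]

if __name__ == "__main__":
    apps = [DEFAULT_APP, "app-test001", "app-prod001"]   # constructed IDs
    tester = Identity("tester", ram_vod_full_access=True)
    tester.app_policies["app-test001"] = "VODAppFullAccess"
    print(writable_apps(tester, apps))           # default app is still writable
    del tester.app_policies[DEFAULT_APP]         # administrator revokes the default grant
    print(writable_apps(tester, apps))
```

In this model, an identity that was granted access to a single custom application can still modify resources in the default application until the application administrator revokes the default grant.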
Authorization method
You can call API operations to grant permissions on applications to identity entities or revoke the permissions. For more information, see the "Multi-application service" section in the Multi-application service topic.