Overview

Last updated: 2020-04-02 17:07:25

    VOD has been connected to Tencent Cloud Cloud Access Management (CAM). You can grant specified VOD permissions to sub-accounts as needed. The VOD access control feature can be used directly once the VOD service is activated.
    This document assumes that you already have some knowledge of Tencent Cloud CAM and VOD's subapplication system. The main concepts involved in this document include:

    Use Cases

    The typical use cases of VOD access control are as follows:

    • Permission isolation at Tencent Cloud product level
      Among the various departments using Tencent Cloud in an organization, department A takes charge of the VOD service. Staff of department A need permission to access VOD but not other Tencent Cloud products. To this end, you can create a sub-user and only grant it VOD-related permissions, and then provide it to department A.
    • Permission isolation at VOD subapplication level
      When multiple businesses in an organization are using VOD, isolation is generally needed. Isolation involves resource isolation and permission isolation, of which the former is enabled by VOD's subapplication system and the latter implemented by VOD access control. In this case, sub-users can be created for each business and granted permission to the corresponding subapplications, so that each business can only access the specified subapplication.
    • Permission isolation at VOD operation level
      Product operations staff of a business using VOD in an organization need to access the VOD Console to get statistics (e.g., geographical distribution of traffic and number of playbacks), but they should be forbidden to perform sensitive operations (e.g., deleting files or disabling domain names) so as to protect the business against any faulty operations. To meet such needs, you can create a custom policy that has permissions to log in to the VOD Console and call statistics APIs, create a sub-user and bind it to that policy, and then deliver the sub-user information to the product operations staff.

    Resource Granularity and Operation Granularity

    The core feature of CAM is to allow or forbid an account to perform some operations or manipulate some resources. For VOD, the resource granularity is subapplication, and the operation granularity is server API.

    Limits

    • VOD access control supports authorization at subapplication level but not at finer-grained resource level (e.g., media files and domain names).

    APIs Supporting Authorization at Resource Level

    VOD access control supports authorization at resource level. All its APIs, except those with special limits, support authorization at resource level. Please see below for details.

    List of APIs not supporting authorization at resource level

    | API Name | Feature | Description |
    | --- | --- | --- |
    | DescribeSubAppIds | Queries the list of subapplications | All subusers have permission to call this API with no authorization required, and subapplications do not need to be specified. |
    | ModifySubAppIdStatus | Modifies the status of a subapplication | This API can disable specified subapplications, which is highly risky. Therefore, it is available to only subusers with full VOD permissions (i.e., QcloudVODFullAccess as described in Preset Policies). Subusers that are granted write permissions to certain subapplications but not QcloudVODFullAccess cannot call this API. |

    List of APIs supporting authorization at resource level

    Except those in the above list, all APIs outlined in API Overview support authorization at resource level. In policy syntax, resource descriptions for these APIs are all in the format of qcs::vod::uin/$uin:subAppId/$subAppId.
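
    The following is an added example, not code from Tencent Cloud or this page: a small audit that checks whether a custom policy's allow statements stay scoped to the expected subapplications, using the resource format and the two exception APIs described above. The statement layout (version, statement, effect, action, resource) and the name/vod: action prefix are assumed from CAM's general policy syntax; the finding codes, UIN, subAppId and statistics API name are constructed placeholders.

```python
import re

# Resource format from this page: qcs::vod::uin/$uin:subAppId/$subAppId
RESOURCE_RE = re.compile(r"^qcs::vod::uin/(\d+):subAppId/(\d+|\*)$")
# APIs this page lists as NOT supporting resource-level authorization.
NOT_RESOURCE_SCOPED = {"DescribeSubAppIds", "ModifySubAppIdStatus"}

def subapp_resource(uin, sub_app_id):
    """Build the resource description for one subapplication."""
    return f"qcs::vod::uin/{uin}:subAppId/{sub_app_id}"

def _as_list(value):
    # Assumption: a policy field may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy, uin, allowed_sub_apps):
    """Return (statement_index, code, value) findings for allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        for res in _as_list(stmt.get("resource")):
            m = RESOURCE_RE.match(res)
            if not m:
                findings.append((i, "unscoped-resource", res))
            elif (m.group(1) != str(uin) or m.group(2) == "*"
                  or int(m.group(2)) not in allowed_sub_apps):
                findings.append((i, "unexpected-subapp", res))
        for act in _as_list(stmt.get("action")):
            name = act.split(":", 1)[-1]  # "name/vod:Foo" -> "Foo"
            if name == "*":
                findings.append((i, "wildcard-action", act))
            elif name in NOT_RESOURCE_SCOPED:
                findings.append((i, "not-resource-scoped", act))
    return findings

# Constructed sample data: UIN, subAppId and the statistics API name are placeholders.
UIN, STATS_APP = 100000000001, 1400000001
READ_ONLY = {"version": "2.0", "statement": [{
    "effect": "allow",
    "action": ["name/vod:DescribeStatsPlaceholder"],
    "resource": [subapp_resource(UIN, STATS_APP)]}]}
TOO_BROAD = {"version": "2.0", "statement": [{
    "effect": "allow",
    "action": ["name/vod:ModifySubAppIdStatus", "name/vod:*"],
    "resource": [subapp_resource(UIN, "*"), "*"]}]}

if __name__ == "__main__":
    for label, pol in (("READ_ONLY", READ_ONLY), ("TOO_BROAD", TOO_BROAD)):
        print(label, audit_policy(pol, UIN, {STATS_APP}))
```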
