Custom Policy

Last updated: 2020-09-07 16:13:49

    Note:

    This document describes the access management feature of VOD. For more information on access management for other Tencent Cloud services, please see CAM-Enabled Products.

    It is convenient to use a preset policy in CAM to implement authorization, but its granularity of permission control is coarse and cannot be refined to the subapplication and API levels. If you require fine-grained permissions control, you need to create custom policies.

    Custom Policy Creation Method

    There are multiple ways to create a custom policy. The table below shows a comparison of various methods. For detailed directions, please see further below.

    Creation Entry | Creation Method | Effect             | Resource           | Action             | Flexibility | Difficulty
    Console        | Policy builder  | Manual selection   | Syntax description | Manual selection   | Medium      | Medium
    Console        | Policy syntax   | Syntax description | Syntax description | Syntax description | High        | High
    Server API     | CreatePolicy    | Syntax description | Syntax description | Syntax description | High        | High

    Note:

    • VOD does not support creating custom policies by product feature.
    • Manual selection means that you can select an object from the candidate list displayed in the console, while syntax description means that you can describe objects through policy syntax.


    Policy Syntax Description for Resource

    As mentioned above, the resource granularity of permission control in VOD is the subapplication. The subapplication description in policy syntax follows the CAM rules. In the examples below, the developer's root account ID (UIN) is 12345678, the APPID is 1250000001 (which is equivalent to the primary application ID), and the developer has created two VOD subapplications with IDs 1400000001 and 1400000002.

    • Policy syntax description for all VOD resources
      "resource": [
        "qcs::vod::uin/12345678:subAppId/*"
      ]
    • Policy syntax description for the primary application
      "resource": [
        "qcs::vod::uin/12345678:subAppId/1250000001"
      ]
    • Policy syntax description for a single subapplication
      "resource": [
        "qcs::vod::uin/12345678:subAppId/1400000001"
      ]
    • Policy syntax description for the primary application and a single subapplication
      "resource": [
        "qcs::vod::uin/12345678:subAppId/1250000001",
        "qcs::vod::uin/12345678:subAppId/1400000001"
      ]


    Policy Syntax Description for Action

    As mentioned above, the action granularity of permission control in VOD is the server API. The server APIs DescribeMediaInfos and DescribeAllClass are used as examples below.

    • Policy syntax description for all VOD server APIs
      "action": [
        "name/vod:*"
      ]
    • Policy syntax description for a single server API
      "action": [
        "name/vod:DescribeMediaInfos"
      ]
    • Policy syntax description for multiple server APIs
      "action": [
        "name/vod:DescribeMediaInfos",
        "name/vod:DescribeAllClass"
      ]

    Custom Policy Use Cases

    Using policy builder

    In the example below, we will create a custom policy, which allows all actions except the server API ProcessMedia to be performed on VOD subapplication 1400000001.

    1. Access the Policy page in the CAM Console as a root account and click Create Custom Policy.
    2. Select Create by Policy Builder to enter the policy creation page.
    3. Select services and actions.
      • Select Allow for Effect.
      • Select VOD for Service.
      • Check all items for Action.
      • Enter qcs::vod::uin/12345678:subAppId/1400000001 for Resource according to the syntax description for resource.
      • The Condition configuration item does not need to be configured.
      • Click Add Statement and a statement saying that "Any action is allowed on VOD subapplication 1400000001" will appear at the bottom of the page.
    4. Continue adding another statement on the same page.
      • Select Deny for Effect.
      • Select VOD for Service.
      • Check ProcessMedia (which can be selected by search) for Action.
      • Enter qcs::vod::uin/12345678:subAppId/1400000001 for Resource according to the syntax description for resource.
      • The Condition configuration item does not need to be configured.
      • Click Add Statement and a statement saying that "The ProcessMedia action is denied on VOD subapplication 1400000001" will appear at the bottom of the page.
    5. Click Next and rename the policy name as needed (or leave it unchanged).
    6. Click Complete to create the custom policy. Subsequently, this policy can be granted to subusers in the same way as granting full permissions of VOD to existing subusers.

    Using policy syntax

    In the example below, we will create a custom policy, which allows all actions to be performed on VOD subapplications 1400000001 and 1400000002 but denies ProcessMedia for subapplication 1400000001.

    1. Access the Policy page in the CAM Console as a root account and click Create Custom Policy.
    2. Select Create by Policy Syntax to enter the policy creation page.
    3. In the Select Template Type box, select Blank Template.

      Note:

      A policy template is used to create a policy by copying an existing policy (preset or custom) and then making adjustments to the copy. In practice, you can choose a policy template that is close to what you need to reduce the effort of writing the policy content from scratch.

    4. Click Next and rename the policy name as needed (or leave it unchanged).
    5. Enter the following policy content in the Edit Policy Content box:
      {
       "version": "2.0",
       "statement": [
           {
               "effect": "allow",
               "action": [
                   "name/vod:*"
               ],
               "resource": [
                   "qcs::vod::uin/12345678:subAppId/1400000001",
                   "qcs::vod::uin/12345678:subAppId/1400000002"
               ]
           },
           {
               "effect": "deny",
               "action": [
                   "name/vod:ProcessMedia"
               ],
               "resource": [
                   "qcs::vod::uin/12345678:subAppId/1400000001"
               ]
           }
       ]
      }

      Note:

      The policy content should follow the CAM policy syntax rules, where the syntax of "resource" and "action" is as shown above in Policy Syntax Description for Resource and Policy Syntax Description for Action.

    6. Click Create Policy to create the custom policy. Subsequently, this policy can be granted to subusers in the same way as the example of granting full permissions of VOD to existing subusers.
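The two use cases above (policy builder and policy syntax) and the resource/action syntax sections before them are covered by the following added example, which is not part of the original page or of the VOD product code. It generates a policy of the same shape for any set of subapplications and any per-subapplication deny list, checks that every resource and action string matches the qcs::vod::uin/<UIN>:subAppId/<ID> and name/vod:<API> forms described above, and then evaluates the resulting policy against sample calls so you can confirm what a subuser will and will not be able to do before attaching it. The root account ID and subapplication IDs are the page's placeholder values; the evaluation order (an explicit deny overrides an allow, and a call that no statement matches is denied) is the CAM behaviour the allow-everything-then-deny-ProcessMedia pattern relies on.

```python
import re

# Placeholder identifiers taken from this page (not a real account or real subapplications).
ROOT_UIN = "12345678"

# Resource and action descriptions in the form shown in the syntax sections above:
#   qcs::vod::uin/<root account ID>:subAppId/<subapplication ID or *>
#   name/vod:<server API name or *>
RESOURCE_RE = re.compile(r"^qcs::vod::uin/\d+:subAppId/(\d+|\*)$")
ACTION_RE = re.compile(r"^name/vod:([A-Za-z0-9]+|\*)$")


def is_valid_resource(resource: str) -> bool:
    return RESOURCE_RE.match(resource) is not None


def is_valid_action(action: str) -> bool:
    return ACTION_RE.match(action) is not None


def vod_resource(uin: str, sub_app_id: str) -> str:
    """Resource description for one subapplication, or '*' for all of them."""
    resource = f"qcs::vod::uin/{uin}:subAppId/{sub_app_id}"
    if not is_valid_resource(resource):
        raise ValueError(f"malformed VOD resource description: {resource}")
    return resource


def vod_action(api: str) -> str:
    """Action description for one VOD server API, or '*' for all of them."""
    action = f"name/vod:{api}"
    if not is_valid_action(action):
        raise ValueError(f"malformed VOD action description: {action}")
    return action


def build_policy(uin: str, allowed_sub_apps, denied_apis=None) -> dict:
    """Allow every VOD server API on allowed_sub_apps, then add one deny
    statement per entry of denied_apis ({sub_app_id: [api, ...]}).
    This generalises both use cases on this page."""
    statements = [{
        "effect": "allow",
        "action": [vod_action("*")],
        "resource": [vod_resource(uin, s) for s in allowed_sub_apps],
    }]
    for sub_app_id, apis in (denied_apis or {}).items():
        statements.append({
            "effect": "deny",
            "action": [vod_action(api) for api in apis],
            "resource": [vod_resource(uin, sub_app_id)],
        })
    return {"version": "2.0", "statement": statements}


def _matches(pattern: str, value: str) -> bool:
    # A trailing '*' matches any suffix; anything else must match exactly.
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def evaluate(policy: dict, api: str, resource: str) -> str:
    """Decide 'allow' or 'deny' for one API call on one resource.
    An explicit deny wins over any allow, and a call that no statement
    matches is denied (CAM's default), which is what the
    allow-everything-then-deny-ProcessMedia pattern above relies on."""
    action = vod_action(api)
    decision = "deny"
    for statement in policy["statement"]:
        if not any(_matches(a, action) for a in statement["action"]):
            continue
        if not any(_matches(r, resource) for r in statement["resource"]):
            continue
        if statement["effect"] == "deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    import json
    policy = build_policy(ROOT_UIN, ["1400000001", "1400000002"],
                          {"1400000001": ["ProcessMedia"]})
    print(json.dumps(policy, indent=2))
    for api, sub_app in [("ProcessMedia", "1400000001"),
                         ("ProcessMedia", "1400000002"),
                         ("DescribeMediaInfos", "1400000001"),
                         ("DescribeMediaInfos", "1250000001")]:
        print(api, sub_app, "->", evaluate(policy, api, vod_resource(ROOT_UIN, sub_app)))
```

Running the file prints the same policy content as step 5 above and then shows that ProcessMedia is denied only on 1400000001, that other APIs are allowed on both listed subapplications, and that the primary application (1250000001) gets nothing because no statement names it. The local evaluator is a convenience check, not a substitute for testing with the subuser's credentials after the policy is attached.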

    Using server API

    For most developers, performing permission management operations in the console is sufficient. If you need to automate and systematize permission management, however, you can use the server APIs instead.
    The server APIs related to policies belong to CAM. For more information, please see the CAM documentation. Only the main APIs are listed below:
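As an added example (not code from this page or from Tencent Cloud), the following script builds the request parameters for the CAM CreatePolicy server API from the policy-syntax use case above and sends them with the Tencent Cloud Python SDK. The policy content is the same one used in step 5 of the policy-syntax walkthrough, with the page's placeholder root account ID and subapplication IDs. The SDK module, client and request class names (tencentcloud.cam.v20190116, CamClient, CreatePolicyRequest) and the empty region string for CAM are assumptions about the SDK, not something this page states; the parameter names PolicyName, PolicyDocument and Description are those of the CreatePolicy API.

```python
import json
import os

# Constructed policy content: the "policy syntax" use case above. The root
# account ID and subapplication IDs are this page's placeholders, not real ones.
POLICY_DOCUMENT = {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": ["name/vod:*"],
            "resource": ["qcs::vod::uin/12345678:subAppId/1400000001",
                         "qcs::vod::uin/12345678:subAppId/1400000002"],
        },
        {
            "effect": "deny",
            "action": ["name/vod:ProcessMedia"],
            "resource": ["qcs::vod::uin/12345678:subAppId/1400000001"],
        },
    ],
}


def is_valid_document(document: dict) -> bool:
    """Cheap structural check before the request leaves the machine: CAM
    rejects a malformed document anyway, but failing locally is faster and
    keeps half-written policies out of the account's policy list."""
    if document.get("version") != "2.0" or not document.get("statement"):
        return False
    for statement in document["statement"]:
        if statement.get("effect") not in ("allow", "deny"):
            return False
        if not statement.get("action") or not statement.get("resource"):
            return False
    return True


def create_policy_params(name: str, document: dict, description: str = "") -> dict:
    """Parameters of the CAM CreatePolicy API. PolicyDocument is a JSON
    string, not a nested object, so the document is serialised here."""
    if not is_valid_document(document):
        raise ValueError("policy document is not well formed")
    return {
        "PolicyName": name,
        "PolicyDocument": json.dumps(document, separators=(",", ":")),
        "Description": description,
    }


def create_policy(secret_id: str, secret_key: str, params: dict) -> str:
    """Send CreatePolicy with the Tencent Cloud Python SDK
    (package tencentcloud-sdk-python). The SDK is imported inside the
    function so the rest of the file runs without it installed. Module,
    client and request class names are assumed from the SDK, not from this page."""
    from tencentcloud.common import credential
    from tencentcloud.cam.v20190116 import cam_client, models

    # CAM is not a regional service; the SDK samples pass an empty region string (assumption).
    client = cam_client.CamClient(credential.Credential(secret_id, secret_key), "")
    request = models.CreatePolicyRequest()
    request.from_json_string(json.dumps(params))
    return client.CreatePolicy(request).to_json_string()


if __name__ == "__main__":
    params = create_policy_params(
        "vod-subapps-no-processmedia", POLICY_DOCUMENT,
        "Full VOD access to two subapplications, ProcessMedia denied on one")
    print(params["PolicyDocument"])
    # Credentials come from the environment, never from source control.
    secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID")
    secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY")
    if secret_id and secret_key:
        print(create_policy(secret_id, secret_key, params))
```

Run it with no credentials set to see the serialised PolicyDocument that would be sent; with TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY exported it creates the policy and prints the API response, which contains the new policy ID you then pass to the CAM attach APIs when granting it to a subuser. Use a root account or a subuser that itself holds CAM policy-management permissions for this call.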
