Media Streams IAM Policies and Permissions
Create IAM policies to control who has access to the Media Streams resources, and to control the type of access for each group of users.
Create policies for users to have necessary rights to the Media Streams resources. The users in the Administrators
group have access to all the Media Streams resources.
If you are new to IAM policies, see Getting Started with Policies.
For a complete list of Oracle Cloud Infrastructure policies, see policy reference and Common Policies. For Media Flow policies, see Media Flow Policies.
To use Media Streams, create a policy that grants the following permissions to the user or groups that interact with the service accordingly.
Media Streams supports the following entities:
Resource Type |
Action assigned to the user |
---|---|
media-workflow | Uses the workflows. |
media-workflow-job | Runs the workflow jobs to process media. |
media-asset | Uses the media asset metadata. |
media-family | Includes all the media member resources in one family. |
media-stream-distribution-channel | Manages distribution channels. |
media-stream-packaging-config | Manages packaging configurations. |
media-stream-cdn-config | Manages CDN configurations. |
Resource Types and Permissions
List of Media Streams resource types and associated permissions.
To assign permissions to all the Media Services resources, use the media-family
aggregate type. To use Media Streams, you need the permissions to all the resource types. For more information, see Permissions.
The following table lists all the resources in media-family
:
Family Name | Member Resources |
---|---|
media-family |
|
A policy that uses <verb> media-family
is equivalent to writing a policy with a separate <verb>
<resource-type>
statement for each of the individual resource types.
Resource Type | Permissions |
---|---|
media-asset |
|
media-stream-cdn-config |
|
media-stream-distribution-channel |
|
media-stream-packaging-config |
|
media-workflow |
|
media-workflow-job |
|
Supported Variables
Variables are used when adding conditions to a policy.
Media Streams supports the following variables:
- Entity
- Oracle Cloud Identifier (OCID).
- String
- Free-form text.
- List
- List of Entity or String.
See General Variables for All Requests.
Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name
, target.display-name
. Here name
must be unique, and display-name
is the description.
Required variables are supplied by the Media Streams service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).
Required Variables | Type | Description |
---|---|---|
target.compartment.id |
Entity (OCID) | The OCID of the primary resource for the request. |
request.operation |
String | The operation ID (for example, GetUser ) for the request. |
target.resource.kind |
String | The resource kind name of the primary resource for the request. |
Automatic Variables | Type | Description |
---|---|---|
request.user.id |
Entity (OCID) | The OCID of the requesting user. |
request.groups.id |
List of entities (OCIDs) | The OCIDs of the groups the requesting user is in. |
target.compartment.name |
String | The name of the compartment specified in target.compartment.id . |
target.tenant.id |
Entity (OCID) | The OCID of the target tenant ID. |
Dynamic Variables | Type | Description |
---|---|---|
request.principal.group.tag.<tagNS>.<tagKey> |
String | The value of each tag on a group of which the principal is a member. |
request.principal.compartment.tag.<tagNS>.<tagKey> |
String | The value of each tag on the compartment that contains the principal. |
target.resource.tag.<tagNS>.<tagKey> |
String | The value of each tag on the target resource. (Computed based on tagSlug supplied by service on each request.) |
target.resource.compartment.tag.<tagNS>.<tagKey> |
String | The value of each tag on the compartment that contains the target resource. (Computed based on tagSlug supplied by service on each request.) |
Here's a list of available sources for the variables:
- Request: Comes from the request input.
- Derived: Comes from the request.
- Stored: Comes from the service, retained input.
- Computed: Computed from service data.
Details for Verb + Resource Type Combinations
Identify the permissions and API operations covered by each verb for Media Streams resources.
The level of access is cumulative as you go from inspect
to read
to use
to manage
. A plus sign (+)
in a table cell indicates incremental access when compared to the preceding cell.
For information about granting access, see Permissions.
This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow
resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect |
MEDIA_WORKFLOW_INSPECT |
ListMediaWorkflow
|
List the MediaWorkflows and SystemMediaWorkflows in a compartment. |
read |
|
|
View the details of a MediaWorkflow. |
use |
|
|
Update a MediaWorkflow. |
manage |
|
|
Create a MediaWorkflow. |
manage |
|
|
Move a MediaWorkflow between compartments. |
manage |
|
|
Delete a MediaWorkflow. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow-configuration
resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect |
MEDIA_WORKFLOW_CONFIGURATION_INSPECT |
ListMediaWorkflowConfiguration |
List the MediaWorkflowConfiguration objects in a given compartment. |
read |
|
|
View the details of a MediaWorkflowConfiguration. |
use |
|
|
Update a MediaWorkflowConfiguration. |
manage |
|
|
Create a MediaWorkflowConfiguration. |
manage |
|
|
Move a MediaWorkflowConfiguration between compartments. |
manage |
|
|
Delete a MediaWorkflowConfiguration. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow-job
resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect |
MEDIA_WORKFLOW_JOB_INSPECT |
ListMediaWorkflowJob |
List the MediaWorkflowJobs in a specific compartment. |
read |
|
|
View the details of a MediaWorkflowJob. |
use |
|
|
Update a MediaWorkflowJob. |
manage |
|
|
Create a MediaWorkflowJob. |
manage |
|
|
Move a MediaWorkflowJob between compartments. |
manage |
|
|
Cancel a MediaWorkflowJob. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the media-asset
resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect |
MEDIA_ASSET_INSPECT |
ListMediaAsset |
List all the media assets in a given compartment. |
read |
|
|
View all the details of the media asset records. |
use |
|
|
Update the media asset metadata. |
manage |
|
|
Create media assets. |
manage |
|
|
Move media assets between compartments. |
manage |
|
|
Delete media assets. |
media-stream-distribution-channel
resource.Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect |
MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT |
ListStreamDistributionChannel |
List the StreamDistributionChannels in a compartment. |
read |
|
|
View the details of a StreamDistirbutionChannel. |
use |
|
|
Update the details of a StreamDistirbutionChannel. |
manage |
|
|
Create a StreamDistirbutionChannel. |
manage |
|
|
Move a StreamDistirbutionChannel between compartments. |
manage |
|
|
Delete a StreamDistirbutionChannel. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the media-stream-packaging-config
resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect |
MEDIA_STREAM_PACKAGING_CONFIG_INSPECT |
ListStreamCdnConfig |
List the StreamPackagingConfigs in a specific StreamDistributionChannel |
read |
|
|
View the details of a StreamPackagingConfig. |
use |
|
|
Update the details of a StreamCdnConfig. |
manage |
|
|
Create a StreamCdnConfig. |
manage |
|
|
Move a StreamCdnConfig between compartments. |
manage |
|
|
Delete a StreamCdnConfig. |
media-stream-cdn-config
resource.Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect |
MEDIA_STREAM_CDN_CONFIG_INSPECT |
ListStreamCdnConfig |
List StreamCdnConfigs in a specific StreamDistributionChannel. |
read |
|
|
View the details of a specific StreamCdnConfig. |
use |
|
|
Update the details of a StreamCdnConfig. |
manage |
|
|
Create a StreamCdnConfig. |
manage |
|
|
Move a StreamCdnConfig between compartments |
manage |
|
|
Delete a StreamCdnConfig. |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. The resource types are media-stream-distribution-channel
, media-stream-packaging-config
, and media-stream-cdn-config
.
API Operation | Permissions Required to Use the Operation |
---|---|
CreateStreamDistributionChannel |
MEDIA_STREAM_DISTRIBUTION_CHANNEL_CREATE |
ListStreamDistributionChannels |
MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT |
GetStreamDistributionChannel |
MEDIA_STREAM_DISTRIBUTION_CHANNEL_READ |
UpdateStreamDistributionChannel |
MEDIA_STREAM_DISTRIBUTION_CHANNEL_UPDATE |
DeleteStreamDistributionChannel |
MEDIA_STREAM_DISTRIBUTION_CHANNEL_DELETE |
ChangeStreamDistributionChannelCompartment |
MEDIA_STREAM_DISTRIBUTION_CHANNEL_MOVE |
CreateStreamPackagingConfig |
MEDIA_STREAM_PACKAGING_CONFIG_CREATE |
ListStreamPackagingConfigs |
MEDIA_STREAM_PACKAGING_CONFIG_INSPECT |
GetStreamPackagingConfig |
MEDIA_STREAM_PACKAGING_CONFIG_READ |
UpdateStreamPackagingConfig |
MEDIA_STREAM_PACKAGING_CONFIG_UPDATE |
DeleteStreamPackagingConfig |
MEDIA_STREAM_PACKAGING_CONFIG_DELETE |
ChangeStreamPackagingConfigCompartment |
MEDIA_STREAM_PACKAGING_CONFIG_MOVE |
CreateStreamCdnConfig |
MEDIA_STREAM_CDN_CONFIG_CREATE |
ListStreamCdnConfigs |
MEDIA_STREAM_CDN_CONFIG_INSPECT |
GetStreamCdnConfig |
MEDIA_STREAM_CDN_CONFIG_READ |
UpdateStreamCdnConfig |
MEDIA_STREAM_CDN_CONFIG_UPDATE |
DeleteStreamCdnConfig |
MEDIA_STREAM_CDN_CONFIG_DELETE |
ChangeStreamCdnConfigCompartment |
MEDIA_STREAM_CDN_CONFIG_MOVE |
CreateStreamDataPlaneCellDeployment |
MEDIA_STREAM_ADMIN_CREATE |
ListStreamDataPlaneCellDeployments |
MEDIA_STREAM_ADMIN_INSPECT |
GetStreamDataPlaneCellDeployment |
MEDIA_STREAM_ADMIN_READ |
UpdateStreamDataPlaneCellDeployment |
MEDIA_STREAM_ADMIN_UPDATE |
DeleteStreamDataPlaneCellDeployment |
MEDIA_STREAM_ADMIN_DELETE |
CreateDistributionChannelAssignmentGroup |
MEDIA_STREAM_ADMIN_CREATE |
ListDistributionChannelAssignmentGroup |
MEDIA_STREAM_ADMIN_INSPECT |
GetDistributionChannelAssignmentGroup |
MEDIA_STREAM_ADMIN_READ |
UpdateDistributionChannelAssignmentGroup |
MEDIA_STREAM_ADMIN_UPDATE |
DeleteDistributionChannelAssignmentGroup |
MEDIA_STREAM_ADMIN_DELETE |
IngestStreamDistributionChannel |
MEDIA_WORKFLOW_JOB_CREATE |
Media Streams User Roles
You can use the available permissions/policies to configure access.
Here is a typical user configuration:
System/Actor | Description | OCI Resource Permissions |
---|---|---|
Digital Asset Library | This group requires access to the media assets that have been created. | read: media-asset |
Channel Manager | OCI authorized entity/group that manages distribution channels (all operations). |
|
Asset Publisher | OCI authorized entity/group that manages playlist assets within a distribution channel (asset operations). |
|
Asset Streamer |
This group is the end user of the content. The streaming platforms request tokens on behalf of this actor for granting them access to the content. When the asset streamers send a request to play a video content, the player sends the request to the top-level playlist from Media Streams. The primary playlist request validates the session token and returns a primary playlist of variant streams including ABR media playlists. The location where the subsequent requests are sent for individual bitrate playlists and their associated assets depends on CDN/ Edge specific configuration and the token authentication strategies associated with the CDN/Edge. |
No OCI permissions. |
Content Management System (CMS) |
This OCI authorized entity/group can list and read distribution channels, packaging configurations, CDN configurations, and playlist assets. This entity embeds a video player linkage to the appropriate distribution channel, packaging configuration, and asset combination. |
|
CDN Edge Server | A CDN edge server which is configured to use media service endpoint as its origin server. | No OCI permissions |
IAM Policies
Ensure that:
- You have configured the streaming policies to enable Media Services to read the
object-family
in the video compartment of the object store. - The users or groups using Media Streams have the required permissions.
See Creating a Policy for details.
For more details about the syntax, see Policy Syntax.
Creating a Policy
Here's how you create a policy in the Console:
For instructions on how to create and manage policies using the Console or API, see Managing Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.
Policy Examples
Media Streams policies are required for using various Media Flow resources.
See the instructions in Creating a Policy for creating policies using the Console.
For more details about the syntax, see Policy Syntax.
Following policy examples are provided:
Allow <user or dynamic-group> to manage media-family in compartment <compartment_name>
Allow any-user to read object-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}
Allow any-user to read media-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}
Allow any-user to read object-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}
Allow any-user to read media-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}
Allow any-user to use keys in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}