Media Streams IAM Policies and Permissions

Create IAM policies to control who has access to the Media Streams resources, and to control the type of access for each group of users.

Create policies for users to have necessary rights to the Media Streams resources. The users in the Administrators group have access to all the Media Streams resources.

If you are new to IAM policies, see Getting Started with Policies.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference and Common Policies. For Media Flow policies, see Media Flow Policies.

This section explains the following topics:

To use Media Streams, create a policy that grants the following permissions to the user or groups that interact with the service accordingly.

Media Streams supports the following entities:

Resource Type	Action assigned to the user
media-workflow	Uses the workflows.
media-workflow-job	Runs the workflow jobs to process media.
media-asset	Uses the media asset metadata.
media-family	Includes all the media member resources in one family.
media-stream-distribution-channel	Manages distribution channels.
media-stream-packaging-config	Manages packaging configurations.
media-stream-cdn-config	Manages CDN configurations.

Resource Types and Permissions

List of Media Streams resource types and associated permissions.

To assign permissions to all the Media Services resources, use the media-family aggregate type. To use Media Streams, you need the permissions to all the resource types. For more information, see Permissions.

The following table lists all the resources in media-family:


Family Name	Member Resources
media-family	media-workflow media-workflow-configuration media-workflow-job media-asset media-stream-distribution-channel media-stream-packaging-config media-stream-cdn-config

A policy that uses <verb> media-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.


Resource Type	Permissions
media-asset	MEDIA_ASSET_INSPECT MEDIA_ASSET_CREATE MEDIA_ASSET_READ MEDIA_ASSET_UPDATE MEDIA_ASSET_DELETE MEDIA_ASSET_MOVE
media-stream-cdn-config	MEDIA_STREAM_CDN_CONFIG_CREATE MEDIA_STREAM_CDN_CONFIG_INSPECT MEDIA_STREAM_CDN_CONFIG_READ MEDIA_STREAM_CDN_CONFIG_UPDATE MEDIA_STREAM_CDN_CONFIG_DELETE MEDIA_STREAM_CDN_CONFIG_MOVE
media-stream-distribution-channel	MEDIA_STREAM_DISTRIBUTION_CHANNEL_CREATE MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT MEDIA_STREAM_DISTRIBUTION_CHANNEL_READ MEDIA_STREAM_DISTRIBUTION_CHANNEL_UPDATE MEDIA_STREAM_DISTRIBUTION_CHANNEL_DELETE MEDIA_STREAM_DISTRIBUTION_CHANNEL_MOVE
media-stream-packaging-config	MEDIA_STREAM_PACKAGING_CONFIG_CREATE MEDIA_STREAM_PACKAGING_CONFIG_INSPECT MEDIA_STREAM_PACKAGING_CONFIG_READ MEDIA_STREAM_PACKAGING_CONFIG_UPDATE MEDIA_STREAM_PACKAGING_CONFIG_DELETE MEDIA_STREAM_PACKAGING_CONFIG_MOVE
media-workflow	MEDIA_WORKFLOW_INSPECT MEDIA_WORKFLOW_CREATE MEDIA_WORKFLOW_READ MEDIA_WORKFLOW_UPDATE MEDIA_WORKFLOW_DELETE MEDIA_WORKFLOW_MOVE MEDIA_WORKFLOW_RUN
media-workflow-job	MEDIA_WORKFLOW_JOB_INSPECT MEDIA_WORKFLOW_JOB_CREATE MEDIA_WORKFLOW_JOB_READ MEDIA_WORKFLOW_JOB_UPDATE MEDIA_WORKFLOW_JOB_DELETE MEDIA_WORKFLOW_JOB_MOVE

Supported Variables

Variables are used when adding conditions to a policy.

Media Streams supports the following variables:

Entity: Oracle Cloud Identifier (OCID).
String: Free-form text.
List: List of Entity or String.

See General Variables for All Requests.

Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.

Required variables are supplied by the Media Streams service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).


Required Variables	Type	Description
`target.compartment.id`	Entity (OCID)	The OCID of the primary resource for the request.
`request.operation`	String	The operation ID (for example, `GetUser`) for the request.
`target.resource.kind`	String	The resource kind name of the primary resource for the request.


Automatic Variables	Type	Description
`request.user.id`	Entity (OCID)	The OCID of the requesting user.
`request.groups.id`	List of entities (OCIDs)	The OCIDs of the groups the requesting user is in.
`target.compartment.name`	String	The name of the compartment specified in `target.compartment.id`.
`target.tenant.id`	Entity (OCID)	The OCID of the target tenant ID.


Dynamic Variables	Type	Description
`request.principal.group.tag.<tagNS>.<tagKey>`	String	The value of each tag on a group of which the principal is a member.
`request.principal.compartment.tag.<tagNS>.<tagKey>`	String	The value of each tag on the compartment that contains the principal.
`target.resource.tag.<tagNS>.<tagKey>`	String	The value of each tag on the target resource. (Computed based on tagSlug supplied by service on each request.)
`target.resource.compartment.tag.<tagNS>.<tagKey>`	String	The value of each tag on the compartment that contains the target resource. (Computed based on tagSlug supplied by service on each request.)

Here's a list of available sources for the variables:

Request: Comes from the request input.
Derived: Comes from the request.
Stored: Comes from the service, retained input.
Computed: Computed from service data.

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for Media Streams resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

media-workflow

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`MEDIA_WORKFLOW_INSPECT`	`ListMediaWorkflow` `ListSystemMediaWorkflows`	List the MediaWorkflows and SystemMediaWorkflows in a compartment.
`read`	`inspect+` `MEDIA_WORKFLOW_READ`	`inspect+` `GetMediaWorkflow`	View the details of a MediaWorkflow.
`use`	`read+` `MEDIA_WORKFLOW_UPDATE`	`read+` `UpdateMediaWorkflow`	Update a MediaWorkflow.
`manage`	`use+` `MEDIA_WORKFLOW_CREATE`	`use+` `CreateMediaWorkflow`	Create a MediaWorkflow.
`manage`	`use+` `MEDIA_WORKFLOW_MOVE`	`use+` `ChangeMediaWorkflowCompartment`	Move a MediaWorkflow between compartments.
`manage`	`use+` `MEDIA_WORKFLOW_DELETE`	`use+` `DeleteMediaWorkflow`	Delete a MediaWorkflow.

media-workflow-configuration

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow-configuration resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`MEDIA_WORKFLOW_CONFIGURATION_INSPECT`	`ListMediaWorkflowConfiguration`	List the MediaWorkflowConfiguration objects in a given compartment.
`read`	`inspect+` `MEDIA_WORKFLOW_CONFIGURATION_READ`	`inspect+` `GetMediaWorkflowConfiguration`	View the details of a MediaWorkflowConfiguration.
`use`	`read+` `MEDIA_WORKFLOW_CONFIGURATION_UPDATE`	`read+` `UpdateMediaWorkflowConfiguration`	Update a MediaWorkflowConfiguration.
`manage`	`use+` `MEDIA_WORKFLOW_CONFIGURATION_CREATE`	`use+` `CreateMediaWorkflowConfiguration`	Create a MediaWorkflowConfiguration.
`manage`	`use+` `MEDIA_WORKFLOW_CONFIGURATION_MOVE`	`use+` `ChangeMediaWorkflowConfigurationCompartment`	Move a MediaWorkflowConfiguration between compartments.
`manage`	`use+` `MEDIA_WORKFLOW_CONFIGURATION_DELETE`	`use+` `DeleteMediaWorkflowConfiguration`	Delete a MediaWorkflowConfiguration.

media-workflow-job

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow-job resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`MEDIA_WORKFLOW_JOB_INSPECT`	`ListMediaWorkflowJob`	List the MediaWorkflowJobs in a specific compartment.
`read`	`inspect+` `MEDIA_WORKFLOW_JOB_READ`	`inspect+` `GetMediaWorkflowJob`	View the details of a MediaWorkflowJob.
`use`	`read+` `MEDIA_WORKFLOW_JOB_UPDATE`	`read+` `UpdateMediaWorkflowJob`	Update a MediaWorkflowJob.
`manage`	`use+` `MEDIA_WORKFLOW_JOB_CREATE`	`use+` `CreateMediaWorkflowJob`	Create a MediaWorkflowJob.
`manage`	`use+` `MEDIA_WORKFLOW_JOB_MOVE`	`use+` `ChangeMediaWorkflowJobCompartment`	Move a MediaWorkflowJob between compartments.
`manage`	`use+` `MEDIA_WORKFLOW_JOB_DELETE`	`use+` `DeleteMediaWorkflowJob`	Cancel a MediaWorkflowJob.

media-asset

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-asset resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`MEDIA_ASSET_INSPECT`	`ListMediaAsset`	List all the media assets in a given compartment.
`read`	`inspect+` `MEDIA_ASSET_READ`	`inspect+` `GetMediaAsset`	View all the details of the media asset records.
`use`	`read+` `MEDIA_ASSET_UPDATE`	`read+` `UpdateMediaAsset`	Update the media asset metadata.
`manage`	`use+` `MEDIA_ASSET_CREATE`	`use+` `CreateMediaAsset`	Create media assets.
`manage`	`use+` `MEDIA_ASSET_MOVE`	`use+` `ChangeMediaAsset`	Move media assets between compartments.
`manage`	`use+` `MEDIA_ASSET_DELETE`	`use+` `DeleteMediaAsset`	Delete media assets.

media-stream-distribution-channel

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-stream-distribution-channel resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT`	`ListStreamDistributionChannel`	List the StreamDistributionChannels in a compartment.
`read`	`inspect+` `MEDIA_STREAM_DISTRIBUTION_CHANNEL_READ`	`inspect+` `GetStreamDistributionChannel`	View the details of a StreamDistirbutionChannel.
`use`	`read+` `MEDIA_STREAM_DISTRIBUTION_CHANNEL_UPDATE`	`read+` `UpdateStreamDistributionChannel`	Update the details of a StreamDistirbutionChannel.
`manage`	`use+` `MEDIA_STREAM_DISTRIBUTION_CHANNEL_CREATE`	`use+` `CreateStreamDistributionChannel`	Create a StreamDistirbutionChannel.
`manage`	`use+` `MEDIA_STREAM_DISTRIBUTION_CHANNEL_MOVE`	`use+` `ChangeStreamDistributionChannelCompartment`	Move a StreamDistirbutionChannel between compartments.
`manage`	`use+` `MEDIA_STREAM_DISTRIBUTION_CHANNEL_DELETE`	`use+` `DeleteStreamDistributionChannel`	Delete a StreamDistirbutionChannel.

media-stream-packaging-config

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-stream-packaging-config resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`MEDIA_STREAM_PACKAGING_CONFIG_INSPECT`	`ListStreamCdnConfig`	List the StreamPackagingConfigs in a specific StreamDistributionChannel
`read`	`inspect+` `MEDIA_STREAM_PACKAGING_CONFIG_READ`	`inspect+` `GetStreamCdnConfig`	View the details of a StreamPackagingConfig.
`use`	`read+` `MEDIA_STREAM_PACKAGING_CONFIG_UPDATE`	`read+` `UpdateStreamPackagingConfig`	Update the details of a StreamCdnConfig.
`manage`	`use+` `MEDIA_STREAM_PACKAGING_CONFIG_CREATE`	`use+` `CreateStreamPackagingConfig`	Create a StreamCdnConfig.
`manage`	`use+` `MEDIA_STREAM_PACKAGING_CONFIG_MOVE`	`use+` `ChangeStreamPackagingConfigCompartmentg`	Move a StreamCdnConfig between compartments.
`manage`	`use+` `MEDIA_STREAM_PACKAGING_CONFIG_DELETE`	`use+` `DeleteStreamPackagingConfig`	Delete a StreamCdnConfig.

media-stream-cdn-config

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-stream-cdn-config resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`MEDIA_STREAM_CDN_CONFIG_INSPECT`	`ListStreamCdnConfig`	List StreamCdnConfigs in a specific StreamDistributionChannel.
`read`	`inspect+` `MEDIA_STREAM_CDN_CONFIG_READ`	`inspect+` `GetStreamCdnConfig`	View the details of a specific StreamCdnConfig.
`use`	`read+` `MEDIA_STREAM_CDN_CONFIG_UPDATE`	`read+` `UpdateStreamCdnConfig`	Update the details of a StreamCdnConfig.
`manage`	`use+` `MEDIA_STREAM_CDN_CONFIG_CREATE`	`use+` `CreateStreamCdnConfig`	Create a StreamCdnConfig.
`manage`	`use+` `MEDIA_STREAM_CDN_CONFIG_MOVE`	`use+` `ChangeStreamCdnConfigCompartment`	Move a StreamCdnConfig between compartments
`manage`	`use+` `MEDIA_STREAM_CDN_CONFIG_DELETE`	`use+` `DeleteStreamCdnConfig`	Delete a StreamCdnConfig.

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. The resource types are media-stream-distribution-channel, media-stream-packaging-config, and media-stream-cdn-config.

For more information, see Permissions.


API Operation	Permissions Required to Use the Operation
`CreateStreamDistributionChannel`	MEDIA_STREAM_DISTRIBUTION_CHANNEL_CREATE
`ListStreamDistributionChannels`	MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT
`GetStreamDistributionChannel`	MEDIA_STREAM_DISTRIBUTION_CHANNEL_READ
`UpdateStreamDistributionChannel`	MEDIA_STREAM_DISTRIBUTION_CHANNEL_UPDATE
`DeleteStreamDistributionChannel`	MEDIA_STREAM_DISTRIBUTION_CHANNEL_DELETE
`ChangeStreamDistributionChannelCompartment`	MEDIA_STREAM_DISTRIBUTION_CHANNEL_MOVE
`CreateStreamPackagingConfig`	MEDIA_STREAM_PACKAGING_CONFIG_CREATE
`ListStreamPackagingConfigs`	MEDIA_STREAM_PACKAGING_CONFIG_INSPECT
`GetStreamPackagingConfig`	MEDIA_STREAM_PACKAGING_CONFIG_READ
`UpdateStreamPackagingConfig`	MEDIA_STREAM_PACKAGING_CONFIG_UPDATE
`DeleteStreamPackagingConfig`	MEDIA_STREAM_PACKAGING_CONFIG_DELETE
`ChangeStreamPackagingConfigCompartment`	MEDIA_STREAM_PACKAGING_CONFIG_MOVE
`CreateStreamCdnConfig`	MEDIA_STREAM_CDN_CONFIG_CREATE
`ListStreamCdnConfigs`	MEDIA_STREAM_CDN_CONFIG_INSPECT
`GetStreamCdnConfig`	MEDIA_STREAM_CDN_CONFIG_READ
`UpdateStreamCdnConfig`	MEDIA_STREAM_CDN_CONFIG_UPDATE
`DeleteStreamCdnConfig`	MEDIA_STREAM_CDN_CONFIG_DELETE
`ChangeStreamCdnConfigCompartment`	MEDIA_STREAM_CDN_CONFIG_MOVE
`CreateStreamDataPlaneCellDeployment`	MEDIA_STREAM_ADMIN_CREATE
`ListStreamDataPlaneCellDeployments`	MEDIA_STREAM_ADMIN_INSPECT
`GetStreamDataPlaneCellDeployment`	MEDIA_STREAM_ADMIN_READ
`UpdateStreamDataPlaneCellDeployment`	MEDIA_STREAM_ADMIN_UPDATE
`DeleteStreamDataPlaneCellDeployment`	MEDIA_STREAM_ADMIN_DELETE
`CreateDistributionChannelAssignmentGroup`	MEDIA_STREAM_ADMIN_CREATE
`ListDistributionChannelAssignmentGroup`	MEDIA_STREAM_ADMIN_INSPECT
`GetDistributionChannelAssignmentGroup`	MEDIA_STREAM_ADMIN_READ
`UpdateDistributionChannelAssignmentGroup`	MEDIA_STREAM_ADMIN_UPDATE
`DeleteDistributionChannelAssignmentGroup`	MEDIA_STREAM_ADMIN_DELETE
`IngestStreamDistributionChannel`	MEDIA_WORKFLOW_JOB_CREATE

Media Streams User Roles

You can use the available permissions/policies to configure access.

Here is a typical user configuration:


System/Actor	Description	OCI Resource Permissions
Digital Asset Library	This group requires access to the media assets that have been created.	read: media-asset
Channel Manager	OCI authorized entity/group that manages distribution channels (all operations).	Manage: media-stream-distribution-channel Manage: media-stream-packaging-config Manage: media-stream-cdn-config
Asset Publisher	OCI authorized entity/group that manages playlist assets within a distribution channel (asset operations).	Manage: media-asset Use: media-stream-distribution-channel Read: object-family
Asset Streamer	This group is the end user of the content. The streaming platforms request tokens on behalf of this actor for granting them access to the content. When the asset streamers send a request to play a video content, the player sends the request to the top-level playlist from Media Streams. The primary playlist request validates the session token and returns a primary playlist of variant streams including ABR media playlists. The location where the subsequent requests are sent for individual bitrate playlists and their associated assets depends on CDN/ Edge specific configuration and the token authentication strategies associated with the CDN/Edge.	No OCI permissions.
Content Management System (CMS)	This OCI authorized entity/group can list and read distribution channels, packaging configurations, CDN configurations, and playlist assets. This entity embeds a video player linkage to the appropriate distribution channel, packaging configuration, and asset combination.	Read: media-stream-distribution-channel Read: media-stream-packaging-config Read: media-stream-cdn-config Read: media-asset
CDN Edge Server	A CDN edge server which is configured to use media service endpoint as its origin server.	No OCI permissions

IAM Policies

Ensure that:

You have configured the streaming policies to enable Media Services to read the object-family in the video compartment of the object store.
The users or groups using Media Streams have the required permissions.

See Creating a Policy for details.

For more details about the syntax, see Policy Syntax.

Creating a Policy

Here's how you create a policy in the Console:

Open the navigation menu and click Identity & Security. Under Identity, click Policies.
In the Policies page, click Create Policy.
In the Create Policy panel, enter a name, description for the policy, and specify the compartment where you want to create the policy.
Under Policy Builder, click the Show manual editor switch to enable the editor.
Enter a policy rule in the following format:
```
Allow service mediaservices to <verb> <resource_type> in <compartment or tenancy details>
```
Click Create.

For instructions on how to create and manage policies using the Console or API, see Managing Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Policy Examples

Media Streams policies are required for using various Media Flow resources.

See the instructions in Creating a Policy for creating policies using the Console.

For more details about the syntax, see Policy Syntax.

Following policy examples are provided:

Media Family Policies

To allow a user or dynamic group to manage all the resources in Media Services, create this policy in your tenancy:

Allow <user or dynamic-group> to manage media-family in compartment <compartment_name>

Media Stream Policies

To use Media Streams, create this policy in your tenancy:

Allow any-user to read object-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'} 
Allow any-user to read media-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}

To grant the video storage compartment rights to read the object store, create this policy in your tenancy:

Allow any-user to read object-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}

To allow Media Streams to read the media metadata, create this policy in your tenancy:

Allow any-user to read media-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}

Use Keys Policies

If you have configured a packaging configuration to use custom encryption keys, then create this policy in your tenancy, on the compartment holding the encryption keys:

Allow any-user to use keys in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}

Oracle Cloud Infrastructure Documentation