About Speech Policies
Learn about the resource policies including API permissions.
To control who has access to Speech, and the type of access for each group of users, you must create policies. By default, only the users in the Administrators group have access to all Speech resources.
For everyone else who's using the service, you must create policies that assign them proper rights to Speech resources. For a complete list of OCI policies, see Policy Reference.
Resource Types
Speech offers both aggregate and individual resource
types for writing policies. You can use aggregate resource types to write fewer
policies. For example, instead of allowing a group to manage all individual resource
types, you can have a policy that allows the group to manage the aggregate resource
type, ai-service-speech-family.
- Individual Resource Types
-
ai-service-speech-transcription-job - Aggregate Resource Type
-
ai-service-speech-family
Required IAM Policies
To work with Speech, an administrator must grant you access in an IAM policy.
If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have.
You must provide access to Object Storage to read media files and generate transcriptions to a bucket by creating policies.
Create a policy with one of the following policies to manage objects:
allow <group-name> SpeechUsers to manage object-family in
tenancy
Create a policy with one of the following policies to manage transcription jobs:
allow <subject> to
manage ai-service-speech-family in tenancy
group <group-name> | group
id <group-ocid> |
dynamic-group <dynamic-group-name> |
dynamic-group id <dynamic-group-ocid> |
any-userExample Policies
These policies allow users in the SpeechUsers group to manage Speech transcription jobs:
allow group SpeechUsers to manage ai-service-speech-family in tenancy
allow group SpeechUsers to manage object-family in tenancy
allow group SpeechUsers to read tag-namespaces in tenancy
allow group SpeechUsers to inspect tag-namespaces in tenancyIf you want to limit access to a specific compartment, then create a group, and set these policies in that compartment:
allow group SpeechUsers to manage ai-service-speech-family in compartment <compartment-name>
allow group SpeechUsers to manage object-family in compartment <compartment-name>
allow group SpeechUsers to read tag-namespaces in compartment <compartment-name>
allow group SpeechUsers to inspect tag-namespaces in compartment <compartment-name>Allow all users to manage all Speech resources using the aggregate resource:
allow any-user to manage ai-service-speech-family in tenancyResource Types and Permissions
| Resource | Permissions |
|---|---|
ai-service-speech-transcription-job |
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_INSPECT |
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CREATE |
|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ |
|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_UPDATE |
|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CANCEL |
|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_DELETE |
|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_MOVE |
Permissions Required for Each API Operation
You can use the individual resource types with API calls to interact with the service.
The following table lists the API operations for the Speech service in a logical order, grouped by resource type, and the permissions required for resource types:
| API Operation | Permission |
|---|---|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CREATE |
|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_INSPECT |
|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ |
|
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_UPDATE |
|
| CancelTranscriptionJob | AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CANCEL |
| DeleteTranscriptionJob | AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READAI_SERVICE_SPEECH_TRANSCRIPTION_JOB_DELETE |
| ChangeTranscriptionJobCompartment | AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_MOVE |
| ListTranscriptionTasks | AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ |
| GetTranscriptionTask | AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ |
| CancelTranscriptionTask |
|