Updated on 2023-08-28 GMT+08:00

Creating a User and Granting VOD Permissions

This chapter describes how to use IAM to implement fine-grained permissions control for your VOD resources. With IAM, you can:

  • Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing VOD resources.
  • Grant only the permissions required for users to perform a specific task.
  • Entrust a Huawei Cloud account or cloud service to perform efficient O&M on your VOD resources.

If your Huawei Cloud account does not require individual IAM users, skip this section.

This section describes the procedure for granting permissions (see Figure 1).

Prerequisites

Learn about the permissions (see Permissions Management) supported by VOD and choose policies or roles according to your requirements.

Process Flow

Figure 1 Process of granting VOD read-only permissions
  1. Create a user group and assign permissions to it.

    Create a user group on the IAM console, and attach the VOD Guest policy to the group.

  2. Create an IAM user.

    Create a user on the IAM console and add the user to the group created in step 1.

  3. Log in and verify permissions.

    Log in to the console as the user you created, and verify that the user has only read permissions for VOD.

    • Choose Service List > Video on Demand. The VOD console is displayed. If a message is displayed indicating insufficient permissions for performing the operation, the VOD Guest policy has already taken effect.
    • Choose any other service in the Service List. If a message appears indicating insufficient permissions to access the service, the VOD Guest policy has already taken effect.

Creating a User for Media Isolation

VOD provides nine system policies: VOD Administrator, VOD Operator, VOD Guest, VOD Group Administrator, VOD Group Operator, VOD Group Guest, VOD FullAccess, VOD ReadOnlyAccess, and VOD CommonOperations. For details, see Permissions Management. The VOD Administrator, VOD Operator, and VOD Guest system policies can only be used to assign operation permissions. To isolate media files stored in VOD, you are advised to use the VOD Group Administrator, VOD Group Operator, and VOD Group Guest system policies, which can also be used to assign operation permissions. Media isolation means that only users in the same group can access or manage media created by other users in the group.

Table 1 shows an example of media isolation.

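Table 1 Account permissions

| Policy Group            | User A (for Management) | User B (for Uploading) | User C (for Watching) |
|-------------------------|-------------------------|------------------------|-----------------------|
| VOD Group Administrator | √                       | -                      | -                     |
| VOD Group Operator      | -                       | √                      | -                     |
| VOD Group Guest         | -                       | -                      | √                     |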

Regardless of whether an account in the preceding three policy groups is a low-permission or a high-permission one, the account can only operate on media created by users in the same group. That is, users A, B, and C can only access media in their own groups.

If user A wants to operate on media created by user B, user A must join the VOD Group Operator policy group to which user B belongs.
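
The isolation rule above can be checked offline against an export of group memberships. The following Python sketch is an added example, not Huawei Cloud code. The user names, media IDs, and placement of each user in a single group are constructed sample data, and the model assumes that membership is evaluated at access time and that a user can belong to more than one group.

```python
# Added illustration of the media-isolation rule; not Huawei Cloud code.
ISOLATING = {"VOD Group Administrator", "VOD Group Operator", "VOD Group Guest"}

# Constructed sample data: group membership and who created each media file.
MEMBERSHIPS = {
    "user-a": {"VOD Group Administrator"},
    "user-b": {"VOD Group Operator"},
    "user-c": {"VOD Group Guest"},
}
MEDIA_CREATORS = {"media-a1": "user-a", "media-b1": "user-b"}


def can_access(memberships, creators, user, media_id):
    """True if user shares an isolating policy group with the media's creator.

    Assumption: membership is evaluated at access time, in both directions.
    """
    mine = memberships.get(user, set()) & ISOLATING
    theirs = memberships.get(creators[media_id], set()) & ISOLATING
    return bool(mine & theirs)


def visibility(memberships, creators):
    """Map every user to the sorted list of media IDs they can reach."""
    return {
        user: sorted(m for m in creators if can_access(memberships, creators, user, m))
        for user in memberships
    }


def join(memberships, user, group):
    """Return a copy of memberships with user added to group."""
    updated = {u: set(g) for u, g in memberships.items()}
    updated.setdefault(user, set()).add(group)
    return updated


def bridging_users(memberships):
    """Users in more than one isolating group; each one widens who sees what."""
    return sorted(u for u, g in memberships.items() if len(g & ISOLATING) > 1)


if __name__ == "__main__":
    print(visibility(MEMBERSHIPS, MEDIA_CREATORS))
    after = join(MEMBERSHIPS, "user-a", "VOD Group Operator")
    print(visibility(after, MEDIA_CREATORS), bridging_users(after))
```

Users reported by bridging_users span more than one isolation boundary, so review them when auditing for least privilege.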