Permissions Management
If you need to assign different permissions to employees in your enterprise to access your Live resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources. If your Huawei account can meet your requirements and you do not need an IAM account to manage user permissions, skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use Live resources but do not want them to delete Live resources or perform any other high-risk operations, you can grant the permission to use Live resources but not the permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization methods.
|
Authorization Model |
Core Relationship |
Permissions |
Authorization Method |
Description |
|---|---|---|---|---|
|
Role/Policy |
User-permission-authorization scope |
|
Assigning roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy |
User-policy |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users the permissions needed to use Live in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the principals or grant the principals the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
Policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions of the two models, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For details about IAM, see What Is IAM?.
Role/Policy-based Authorization
Live supports role/policy-based authorization. By default, new IAM users do not have any permissions. You need to add them to one or more groups, and then add permissions policies or roles to these groups. The users inherit permissions from their groups and can then perform specified operations on cloud services.
Live is a project-level service deployed in different physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions on Live resources in the selected projects. If you set Scope to All resources, the users have permissions on Live resources in all region-specific projects. When accessing Live, the users need to switch to a region where they have been authorized to use Live.
When assigning permissions to a user group in IAM, you cannot select Enterprise projects when setting Specify the authorization scope on the Select Scope page.
Table 2 lists all system-defined permissions on Live. System-defined policies in role/policy-based authorization and identity policy-based authorization are not interoperable.
|
System Role/Policy Name |
Description |
Category |
Dependency |
|---|---|---|---|
|
Live FullAccess |
Has all permissions on Live. |
System-defined policy |
None |
|
Live ReadOnlyAccess |
Has the read-only permission on Live. |
System-defined policy |
None |
Table 3 lists the common operations supported by the system-defined permissions on Live.
|
Operation |
Live FullAccess |
Live ReadOnlyAccess |
|---|---|---|
|
Creating a domain name |
√ |
x |
|
Modifying a domain name |
√ |
x |
|
Deleting a domain name |
√ |
x |
|
Querying domain names |
√ |
√ |
|
Mapping domain names |
√ |
x |
|
Deleting a domain name mapping |
√ |
x |
|
Adding or overwriting stream notification configurations |
√ |
x |
|
Querying stream notification configurations |
√ |
√ |
|
Deleting stream notification configurations |
√ |
x |
|
Creating a domain name configuration item |
√ |
x |
|
Modifying a domain name configuration item |
√ |
x |
|
Querying domain name configuration items |
√ |
√ |
|
Deleting a domain name configuration item |
√ |
x |
|
Querying IP ACLs |
√ |
√ |
|
Modifying an IP ACL |
√ |
x |
|
Obtaining the list of regions where Live is available |
√ |
√ |
|
Modifying the list of regions where Live is available |
√ |
x |
|
Configuring a referer validation ACL |
√ |
x |
|
Deleting a referer validation ACL |
√ |
x |
|
Querying referer validation ACLs |
√ |
√ |
|
Querying HTTPS certificate information |
√ |
√ |
|
Obtaining the link for downloading playback logs |
√ |
√ |
|
Creating a recording template |
√ |
x |
|
Querying recording templates |
√ |
√ |
|
Modifying a recording template |
√ |
x |
|
Deleting a recording template |
√ |
x |
|
Querying recording templates |
√ |
√ |
|
Querying recorded content |
√ |
√ |
|
Submitting a recording command |
√ |
x |
|
Creating a recording callback |
√ |
x |
|
Querying recording callbacks |
√ |
√ |
|
Modifying a recording callback |
√ |
x |
|
Querying recording callbacks |
√ |
√ |
|
Deleting a recording callback |
√ |
x |
|
Configuring a snapshot capturing template |
√ |
x |
|
Modifying a snapshot capturing template |
√ |
x |
|
Querying snapshot capturing templates |
√ |
√ |
|
Deleting a snapshot capturing template |
√ |
x |
|
Disabling a stream |
√ |
x |
|
Querying disabled streams |
√ |
√ |
|
Resuming a stream |
√ |
x |
|
Modifying the attribute of a disabled stream |
√ |
x |
|
Disconnecting a stream |
√ |
x |
|
Querying ongoing streams |
√ |
√ |
|
Creating a task for ingesting streams from external networks |
√ |
x |
|
Deleting a task for ingesting streams from external networks |
√ |
x |
|
Querying tasks for ingesting streams from external networks |
√ |
√ |
|
Configuring the billing mode |
√ |
x |
|
Querying tenant information |
√ |
√ |
|
Creating a transcoding template |
√ |
x |
|
Deleting a transcoding template |
√ |
x |
|
Modifying a transcoding template |
√ |
x |
|
Querying transcoding templates |
√ |
√ |
|
Adding transcoding SEI |
√ |
x |
|
Querying HTTP status codes for pulling streams |
√ |
√ |
|
Querying the stream frame rate |
√ |
√ |
|
Querying the stream bitrate |
√ |
√ |
|
Querying the real-time stream bitrate |
√ |
√ |
|
Querying the real-time stream frame rate |
√ |
√ |
|
Querying the duration of recordings |
√ |
√ |
|
Querying the number of snapshots |
√ |
√ |
|
Querying the number of streams by domain name |
√ |
√ |
|
Querying historical streams |
√ |
√ |
|
Querying playback profiles |
√ |
√ |
|
Querying the number of online streamers |
√ |
√ |
|
Querying the playback bandwidth trend |
√ |
√ |
|
Querying the playback traffic trend |
√ |
√ |
|
Querying the peak playback bandwidth |
√ |
√ |
|
Querying the total playback traffic |
√ |
√ |
|
Querying the upstream bandwidth |
√ |
√ |
|
Querying the distribution of metrics in each region |
√ |
√ |
|
Querying the playback bandwidth trend |
√ |
√ |
|
Querying the playback traffic trend |
√ |
√ |
|
Querying the real-time upstream bandwidth |
√ |
√ |
|
Querying the real-time downstream bandwidth |
√ |
√ |
|
Querying the real-time stream bandwidth |
√ |
√ |
|
Querying details about the real-time downstream bandwidth |
√ |
√ |
|
Querying the bandwidth trend by stream |
√ |
√ |
|
Querying the duration of transcoded outputs |
√ |
√ |
|
Querying the number of transcoding tasks |
√ |
√ |
|
Querying the number of streams for real-time transcoding |
√ |
√ |
|
Querying the viewer trend by stream |
√ |
√ |
|
Querying the number of online viewers by stream |
√ |
√ |
|
Querying the number of online viewers |
√ |
√ |
|
Querying details about the number of online viewers |
√ |
√ |
Roles or Policies Required for Live Console Operations
- To authorize Live console access through a custom policy instead of the system-defined policies Live FullAccess and Live ReadOnlyAccess, the permission live:tenant:getTenantInformation must be included in the custom policy.
- After assigning an IAM user the Live FullAccess permission, you need to assign the user the following Cloud Eye permissions to monitor metrics of Live:
- CES ReadOnlyAccess: On the Cloud Eye console, choose Cloud Service Monitoring > Live to view resource monitoring metrics of Live.
- CES FullAccess: On the Cloud Eye console, choose Cloud Service Monitoring > Live to view resource monitoring metrics of Live and perform operations.
|
Console Operation |
Dependency |
Policy/Role Required |
|---|---|---|
|
Authorizing access to OBS buckets |
Object Storage Service (OBS) |
After granting an IAM user the Live FullAccess permission, you need to add the following OBS permissions in sequence:
|
|
Querying enterprise projects |
Enterprise Project Management Service (EPS) |
After granting the Live FullAccess permission to an IAM user, you need to add the EPS ReadOnlyAccess permission so that the user can view the enterprise project list when adding a domain name on the Domains page. |
|
Purchasing a pay-per-use prepaid Live resource package |
Billing Center |
After granting an IAM user the Live FullAccess permission, you need to add the BSS Operator permission so that the user can purchase a pay-per-use prepaid Live resource package. |
|
Querying the downstream bandwidth/traffic (old version) |
Identity and Access Management (IAM) |
After granting the Live FullAccess permission to an IAM user, you need to add the Tenant Guest permission so that the user can query the downstream bandwidth/traffic. |
Identity Policy-based Authorization
Live supports identity policy-based authorization. Table 5 lists all the system-defined identity policies for Live. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
|
Policy Name |
Description |
Policy Type |
|---|---|---|
|
LiveFullAccessPolicy |
Has all permissions on Live. |
System-defined identity policy |
|
LiveReadOnlyPolicy |
Has the read-only permission on Live. |
System-defined identity policy |
Table 6 lists the common operations supported by the system-defined identity policies for Live.
|
Operation |
LiveFullAccessPolicy |
LiveReadOnlyPolicy |
|---|---|---|
|
Creating a domain name |
√ |
x |
|
Modifying a domain name |
√ |
x |
|
Deleting a domain name |
√ |
x |
|
Querying domain names |
√ |
√ |
|
Mapping domain names |
√ |
x |
|
Deleting a domain name mapping |
√ |
x |
|
Adding or overwriting stream notification configurations |
√ |
x |
|
Querying stream notification configurations |
√ |
√ |
|
Deleting stream notification configurations |
√ |
x |
|
Creating a domain name configuration item |
√ |
x |
|
Modifying a domain name configuration item |
√ |
x |
|
Querying domain name configuration items |
√ |
√ |
|
Deleting a domain name configuration item |
√ |
x |
|
Querying IP ACLs |
√ |
√ |
|
Modifying an IP ACL |
√ |
x |
|
Obtaining the list of regions where Live is available |
√ |
√ |
|
Modifying the list of regions where Live is available |
√ |
x |
|
Configuring a referer validation ACL |
√ |
x |
|
Deleting a referer validation ACL |
√ |
x |
|
Querying referer validation ACLs |
√ |
√ |
|
Querying HTTPS certificate information |
√ |
√ |
|
Obtaining the link for downloading playback logs |
√ |
√ |
|
Creating a recording template |
√ |
x |
|
Querying recording templates |
√ |
√ |
|
Modifying a recording template |
√ |
x |
|
Deleting a recording template |
√ |
x |
|
Querying recording templates |
√ |
√ |
|
Querying recorded content |
√ |
√ |
|
Submitting a recording command |
√ |
x |
|
Creating a recording callback |
√ |
x |
|
Querying recording callbacks |
√ |
√ |
|
Modifying a recording callback |
√ |
x |
|
Querying recording callbacks |
√ |
√ |
|
Deleting a recording callback |
√ |
x |
|
Configuring a snapshot capturing template |
√ |
x |
|
Modifying a snapshot capturing template |
√ |
x |
|
Querying snapshot capturing templates |
√ |
√ |
|
Deleting a snapshot capturing template |
√ |
x |
|
Disabling a stream |
√ |
x |
|
Querying disabled streams |
√ |
√ |
|
Resuming a stream |
√ |
x |
|
Modifying the attribute of a disabled stream |
√ |
x |
|
Disconnecting a stream |
√ |
x |
|
Querying ongoing streams |
√ |
√ |
|
Creating a task for ingesting streams from external networks |
√ |
x |
|
Deleting a task for ingesting streams from external networks |
√ |
x |
|
Querying tasks for ingesting streams from external networks |
√ |
√ |
|
Configuring the billing mode |
√ |
x |
|
Querying tenant information |
√ |
√ |
|
Creating a transcoding template |
√ |
x |
|
Deleting a transcoding template |
√ |
x |
|
Modifying a transcoding template |
√ |
x |
|
Querying transcoding templates |
√ |
√ |
|
Adding transcoding SEI |
√ |
x |
|
Querying HTTP status codes for pulling streams |
√ |
√ |
|
Querying the stream frame rate |
√ |
√ |
|
Querying the stream bitrate |
√ |
√ |
|
Querying the real-time stream bitrate |
√ |
√ |
|
Querying the real-time stream frame rate |
√ |
√ |
|
Querying the duration of recordings |
√ |
√ |
|
Querying the number of snapshots |
√ |
√ |
|
Querying the number of streams by domain name |
√ |
√ |
|
Querying historical streams |
√ |
√ |
|
Querying playback profiles |
√ |
√ |
|
Querying the number of online streamers |
√ |
√ |
|
Querying the playback bandwidth trend |
√ |
√ |
|
Querying the playback traffic trend |
√ |
√ |
|
Querying the peak playback bandwidth |
√ |
√ |
|
Querying the total playback traffic |
√ |
√ |
|
Querying the upstream bandwidth |
√ |
√ |
|
Querying the distribution of metrics in each region |
√ |
√ |
|
Querying the playback bandwidth trend |
√ |
√ |
|
Querying the playback traffic trend |
√ |
√ |
|
Querying the real-time upstream bandwidth |
√ |
√ |
|
Querying the real-time downstream bandwidth |
√ |
√ |
|
Querying the real-time stream bandwidth |
√ |
√ |
|
Querying details about the real-time downstream bandwidth |
√ |
√ |
|
Querying the bandwidth trend by stream |
√ |
√ |
|
Querying the duration of transcoded outputs |
√ |
√ |
|
Querying the number of transcoding tasks |
√ |
√ |
|
Querying the number of streams for real-time transcoding |
√ |
√ |
|
Querying the viewer trend by stream |
√ |
√ |
|
Querying the number of online viewers by stream |
√ |
√ |
|
Querying the number of online viewers |
√ |
√ |
|
Querying details about the number of online viewers |
√ |
√ |
Identity Policies Required for Live Console Operations
|
Console Operation |
Dependency |
Identity Policy Required |
|---|---|---|
|
Authorizing access to OBS buckets |
Object Storage Service (OBS) |
After granting an IAM user the LiveFullAccessPolicy permission, you need to add the OBSOperateAccess permission so that the user can view the OBS bucket list on the OBS Authorization page and authorize Live to access OBS buckets. |
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
