Updated 2024-10-17

Media Flow IAM Policies and Permissions

Create IAM policies to control who has access to Media Flow resources, and to control the type of access for each group of users.

Create policies for users to have necessary rights to the Media Flow resources. The users in the Administrators group have access to all the Media Flow resources.

If you are new to IAM policies, see Getting Started with Policies.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference and Common Policies.

To use OCI Media Flow, create a policy that grants the following permissions to the user or groups that interact with the service accordingly.

Media Services supports the following entities:

Permissions                     Action assigned to the user
media-workflow                  Defines the workflows.
media-workflow-job              Runs the workflow jobs to process media.
media-asset                     Manages the media asset metadata.
media-workflow-configuration    Manages reusable configurations.
media-family                    Includes all the media member resources in one family.

Resource Types and Permissions

List of Media Flow resource types and associated permissions.

To assign permissions to all the OCI Media Services resources, use the media-family aggregate type.

To create media workflows, you need the manage media-workflow permission.

To run jobs, you need the use media-workflow and manage media-workflow-job permissions.

For more information, see Permissions.

The following table lists all the resources in the media-family:

Family Name Member Resources
media-family
  • media-workflow
  • media-workflow-configuration
  • media-workflow-job
  • media-asset
  • media-stream-distribution-channel
  • media-stream-packaging-config
  • media-stream-cdn-config

A policy that uses <verb> media-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Resource Type Permissions
media-asset
  • MEDIA_ASSET_INSPECT
  • MEDIA_ASSET_CREATE
  • MEDIA_ASSET_READ
  • MEDIA_ASSET_UPDATE
  • MEDIA_ASSET_DELETE
  • MEDIA_ASSET_MOVE
media-workflow
  • MEDIA_WORKFLOW_INSPECT
  • MEDIA_WORKFLOW_CREATE
  • MEDIA_WORKFLOW_READ
  • MEDIA_WORKFLOW_UPDATE
  • MEDIA_WORKFLOW_DELETE
  • MEDIA_WORKFLOW_MOVE
  • MEDIA_WORKFLOW_RUN
media-workflow-configuration
  • MEDIA_WORKFLOW_CONFIGURATION_INSPECT
  • MEDIA_WORKFLOW_CONFIGURATION_CREATE
  • MEDIA_WORKFLOW_CONFIGURATION_READ
  • MEDIA_WORKFLOW_CONFIGURATION_UPDATE
  • MEDIA_WORKFLOW_CONFIGURATION_DELETE
  • MEDIA_WORKFLOW_CONFIGURATION_MOVE
media-workflow-job
  • MEDIA_WORKFLOW_JOB_INSPECT
  • MEDIA_WORKFLOW_JOB_CREATE
  • MEDIA_WORKFLOW_JOB_READ
  • MEDIA_WORKFLOW_JOB_UPDATE
  • MEDIA_WORKFLOW_JOB_DELETE
  • MEDIA_WORKFLOW_JOB_MOVE

Supported Variables

Variables are used when adding conditions to a policy.

Media Flow supports the following variables:

  • Entity
    : Oracle Cloud Identifier (OCID)
  • String
    : Free-form text.
  • List
    : List of Entity or String.

See General Variables for All Requests.

Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.

Required variables are supplied by the Media Flow service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client or on the Identity data plane for a thin client).

Required Variables (supplied by the Media Flow service on every request)
  • target.compartment.id (Entity, OCID): The OCID of the primary resource for the request.
  • request.operation (String): The operation ID (for example, GetUser) for the request.
  • target.resource.kind (String): The resource kind name of the primary resource for the request.

Automatic Variables (supplied by the authorization engine)
  • request.user.id (Entity, OCID): The OCID of the requesting user.
  • request.groups.id (List of entities, OCIDs): The OCIDs of the groups the requesting user is in.
  • target.compartment.name (String): The name of the compartment specified in target.compartment.id.
  • target.tenant.id (Entity, OCID): The OCID of the target tenant ID.

Dynamic Variables
  • request.principal.group.tag.<tagNS>.<tagKey> (String): The value of each tag on a group of which the principal is a member.
  • request.principal.compartment.tag.<tagNS>.<tagKey> (String): The value of each tag on the compartment that contains the principal.
  • target.resource.tag.<tagNS>.<tagKey> (String): The value of each tag on the target resource. (Computed based on the tagSlug supplied by the service on each request.)
  • target.resource.compartment.tag.<tagNS>.<tagKey> (String): The value of each tag on the compartment that contains the target resource. (Computed based on the tagSlug supplied by the service on each request.)

Here's a list of available sources for the variables:

  • Request: Comes from the request input.
  • Derived: Comes from the request.
  • Stored: Comes from the service, retained input.
  • Computed: Computed from service data.

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for Media Flow resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. The resource types are media-workflow, media-workflow-configuration, media-workflow-job, and media-asset.

For more information, see Permissions.

API Operation Permissions Required to Use the Operation
ListMediaWorkflows MEDIA_WORKFLOW_INSPECT
CreateMediaWorkflow MEDIA_WORKFLOW_CREATE
DeleteMediaWorkflow MEDIA_WORKFLOW_DELETE
UpdateMediaWorkflow MEDIA_WORKFLOW_UPDATE
GetMediaWorkflow MEDIA_WORKFLOW_READ
RunMediaWorkflow
  • MEDIA_WORKFLOW_RUN
  • MEDIA_WORKFLOW_READ
  • MEDIA_WORKFLOW_CONFIGURATION_READ
GetMediaWorkflowJob
  • MEDIA_WORKFLOW_EXECUTE
  • MEDIA_WORKFLOW_READ
CancelMediaWorkflowJob
  • MEDIA_WORKFLOW_EXECUTE
  • MEDIA_WORKFLOW_READ
ChangeMediaWorkflowCompartment MEDIA_WORKFLOW_MOVE
ListMediaWorkflowConfigurations MEDIA_WORKFLOW_CONFIGURATION_INSPECT
CreateMediaWorkflowConfiguration MEDIA_WORKFLOW_CONFIGURATION_CREATE
DeleteMediaWorkflowConfiguration MEDIA_WORKFLOW_CONFIGURATION_DELETE
UpdateMediaWorkflowConfiguration MEDIA_WORKFLOW_CONFIGURATION_UPDATE
GetMediaWorkflowConfiguration MEDIA_WORKFLOW_CONFIGURATION_READ
ChangeMediaWorkflowConfigurationCompartment MEDIA_WORKFLOW_CONFIGURATION_MOVE
ListMediaWorkflowJob MEDIA_WORKFLOW_JOB_INSPECT
CreateMediaWorkflowJob MEDIA_WORKFLOW_JOB_CREATE
DeleteMediaWorkflowJob MEDIA_WORKFLOW_JOB_DELETE
UpdateMediaWorkflowJob MEDIA_WORKFLOW_JOB_UPDATE
GetMediaWorkflowJob MEDIA_WORKFLOW_JOB_READ
ChangeMediaWorkflowJobCompartment MEDIA_WORKFLOW_JOB_MOVE
ListMediaAsset MEDIA_ASSET_INSPECT
CreateMediaAsset MEDIA_ASSET_CREATE
DeleteMediaAsset MEDIA_ASSET_DELETE
UpdateMediaAsset MEDIA_ASSET_UPDATE
GetMediaAsset MEDIA_ASSET_READ
ChangeMediaAssetCompartment MEDIA_ASSET_MOVE

Media Flow User Roles

You can use the available permissions or policies to configure access. Here is a typical user configuration:

System/Actor Description OCI Resource Permissions
Workflow Manager This user or group defines the workflows used for processing content.
  • manage: media-workflow
  • manage: media-workflow-configuration
Content Processor This user or group runs jobs to process the content and must have read/write permissions for the input/output buckets in the object store.
  • read: media-workflow
  • read: media-workflow-configuration
  • manage: media-workflow-job
  • manage: media-asset
Digital Asset Library This group requires access to the media assets that have been created.
  • read: media-asset
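The three roles above written as OCI policy statements, one group per role, as an added example that is not part of the Oracle documentation. The group names and the compartment name media-prod are assumed; the Object Storage statements cover the Content Processor's input/output buckets and use the Object Storage variable target.bucket.name, which is not one of the Media Flow variables listed above; lines starting with # are annotations and are not policy statements.

```text
# Workflow Manager: defines workflows and the reusable configurations they use
Allow group MediaWorkflowManagers to manage media-workflow in compartment media-prod
Allow group MediaWorkflowManagers to manage media-workflow-configuration in compartment media-prod

# Content Processor: runs jobs, so it only needs to read the workflows and configurations
Allow group MediaContentProcessors to read media-workflow in compartment media-prod
Allow group MediaContentProcessors to read media-workflow-configuration in compartment media-prod
Allow group MediaContentProcessors to manage media-workflow-job in compartment media-prod
Allow group MediaContentProcessors to manage media-asset in compartment media-prod

# Content Processor reads the input bucket and writes the output bucket (bucket names assumed)
Allow group MediaContentProcessors to read object-family in compartment media-prod where target.bucket.name = 'media-input'
Allow group MediaContentProcessors to manage object-family in compartment media-prod where target.bucket.name = 'media-output'

# Digital Asset Library: read-only access to the assets that jobs produce
Allow group DigitalAssetLibrary to read media-asset in compartment media-prod
```

The Resource Types and Permissions section states that running jobs needs the use verb on media-workflow (MEDIA_WORKFLOW_RUN), whereas the role table grants only read; if RunMediaWorkflow is denied under this policy, raise that statement from read to use.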

IAM Policies

Learn about the required IAM policies for Media Flow.

Ensure that:

  • You have configured the streaming policies to enable Media Services to read the object-family in the video compartment of Object Storage.
  • The users or groups using OCI Media Streams have the required permissions.

See Creating a Policy for details.

For more details about the syntax, see Policy Syntax.

If you're using the Speech, Language, and Vision services, see Speech Policies, Vision Policies, and Language Policies for details.

Creating a Policy

Here's how you create a policy in the Console:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. In the Policies page, click Create Policy.
  3. In the Create Policy panel, enter a name, description for the policy, and specify the compartment where you want to create the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy rule in the following format:

    Allow service mediaservices to <verb> <resource_type> in <compartment or tenancy details>
  5. Click Create.
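Two statements in the format from step 4, as an added example that is not from the Oracle documentation: the first grants the Media Flow service principal the Object Storage read access the IAM Policies section requires, and the second shows the request.operation variable from the Supported Variables table narrowing a manage grant so that one operation from the API table stays out of reach. The compartment name media-prod and the group name are assumed, and lines starting with # are annotations, not policy statements.

```text
# Service policy: mediaservices may read buckets and objects in the video compartment
Allow service mediaservices to read object-family in compartment media-prod

# Group policy with a condition: manage covers every job operation in the API table
# except DeleteMediaWorkflowJob, which the condition excludes
Allow group MediaContentProcessors to manage media-workflow-job in compartment media-prod where request.operation != 'DeleteMediaWorkflowJob'
```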

For instructions on how to create and manage policies using the Console or API, see Managing Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Policy Examples

Media Flow policies are required for using various Media Flow resources.

See the instructions in Creating a Policy for creating policies using the Console.

For more details about the syntax, see Policy Syntax.

If you're using Media Streams, see Media Streams IAM Policies for details.

The following policy examples are provided: