Media Streams IAM Policies and Permissions

Create IAM policies to control who has access to the Media Streams resources, and to control the type of access for each group of users.

Create policies for users to have necessary rights to the Media Streams resources. The users in the Administrators group have access to all the Media Streams resources.

If you are new to IAM policies, see Getting Started with Policies.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference and Common Policies. For Media Flow policies, see Media Flow Policies.

To use Media Streams, create a policy that grants the following permissions to the user or groups that interact with the service accordingly.

Media Streams supports the following entities:

Resource Type | Action assigned to the user
media-workflow | Uses the workflows.
media-workflow-job | Runs the workflow jobs to process media.
media-asset | Uses the media asset metadata.
media-family | Includes all the media member resources in one family.
media-stream-distribution-channel | Manages distribution channels.
media-stream-packaging-config | Manages packaging configurations.
media-stream-cdn-config | Manages CDN configurations.

Resource Types and Permissions

List of Media Streams resource types and associated permissions.

To assign permissions to all the Media Services resources, use the media-family aggregate type. To use Media Streams, you need the permissions to all the resource types. For more information, see Permissions.

The following table lists all the resources in media-family:

Family name: media-family
Member resources:
  • media-workflow
  • media-workflow-configuration
  • media-workflow-job
  • media-asset
  • media-stream-distribution-channel
  • media-stream-packaging-config
  • media-stream-cdn-config

A policy that uses <verb> media-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Resource Type Permissions
media-asset
  • MEDIA_ASSET_INSPECT
  • MEDIA_ASSET_CREATE
  • MEDIA_ASSET_READ
  • MEDIA_ASSET_UPDATE
  • MEDIA_ASSET_DELETE
  • MEDIA_ASSET_MOVE
media-stream-cdn-config
  • MEDIA_STREAM_CDN_CONFIG_CREATE
  • MEDIA_STREAM_CDN_CONFIG_INSPECT
  • MEDIA_STREAM_CDN_CONFIG_READ
  • MEDIA_STREAM_CDN_CONFIG_UPDATE
  • MEDIA_STREAM_CDN_CONFIG_DELETE
  • MEDIA_STREAM_CDN_CONFIG_MOVE
media-stream-distribution-channel
  • MEDIA_STREAM_DISTRIBUTION_CHANNEL_CREATE
  • MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT
  • MEDIA_STREAM_DISTRIBUTION_CHANNEL_READ
  • MEDIA_STREAM_DISTRIBUTION_CHANNEL_UPDATE
  • MEDIA_STREAM_DISTRIBUTION_CHANNEL_DELETE
  • MEDIA_STREAM_DISTRIBUTION_CHANNEL_MOVE
media-stream-packaging-config
  • MEDIA_STREAM_PACKAGING_CONFIG_CREATE
  • MEDIA_STREAM_PACKAGING_CONFIG_INSPECT
  • MEDIA_STREAM_PACKAGING_CONFIG_READ
  • MEDIA_STREAM_PACKAGING_CONFIG_UPDATE
  • MEDIA_STREAM_PACKAGING_CONFIG_DELETE
  • MEDIA_STREAM_PACKAGING_CONFIG_MOVE
media-workflow
  • MEDIA_WORKFLOW_INSPECT
  • MEDIA_WORKFLOW_CREATE
  • MEDIA_WORKFLOW_READ
  • MEDIA_WORKFLOW_UPDATE
  • MEDIA_WORKFLOW_DELETE
  • MEDIA_WORKFLOW_MOVE
  • MEDIA_WORKFLOW_RUN
media-workflow-configuration
  • MEDIA_WORKFLOW_CONFIGURATION_INSPECT
  • MEDIA_WORKFLOW_CONFIGURATION_CREATE
  • MEDIA_WORKFLOW_CONFIGURATION_READ
  • MEDIA_WORKFLOW_CONFIGURATION_UPDATE
  • MEDIA_WORKFLOW_CONFIGURATION_DELETE
  • MEDIA_WORKFLOW_CONFIGURATION_MOVE
media-workflow-job
  • MEDIA_WORKFLOW_JOB_INSPECT
  • MEDIA_WORKFLOW_JOB_CREATE
  • MEDIA_WORKFLOW_JOB_READ
  • MEDIA_WORKFLOW_JOB_UPDATE
  • MEDIA_WORKFLOW_JOB_DELETE
  • MEDIA_WORKFLOW_JOB_MOVE

Supported Variables

Variables are used when adding conditions to a policy.

Media Streams supports the following variables:

Entity: Oracle Cloud Identifier (OCID).
String: Free-form text.
List: List of Entity or String.

See General Variables for All Requests.

Variables are lowercase and hyphen-separated, for example target.tag-namespace.name and target.display-name. Here name must be unique, while display-name is the description.

Required variables are supplied by the Media Streams service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).

Required Variables | Type | Description
target.compartment.id | Entity (OCID) | The OCID of the primary resource for the request.
request.operation | String | The operation ID (for example, GetUser) for the request.
target.resource.kind | String | The resource kind name of the primary resource for the request.

Automatic Variables | Type | Description
request.user.id | Entity (OCID) | The OCID of the requesting user.
request.groups.id | List of entities (OCIDs) | The OCIDs of the groups the requesting user is in.
target.compartment.name | String | The name of the compartment specified in target.compartment.id.
target.tenant.id | Entity (OCID) | The OCID of the target tenant ID.

Dynamic Variables | Type | Description
request.principal.group.tag.<tagNS>.<tagKey> | String | The value of each tag on a group of which the principal is a member.
request.principal.compartment.tag.<tagNS>.<tagKey> | String | The value of each tag on the compartment that contains the principal.
target.resource.tag.<tagNS>.<tagKey> | String | The value of each tag on the target resource. (Computed based on the tagSlug supplied by the service on each request.)
target.resource.compartment.tag.<tagNS>.<tagKey> | String | The value of each tag on the compartment that contains the target resource. (Computed based on the tagSlug supplied by the service on each request.)

Here's a list of available sources for the variables:

  • Request: Comes from the request input.
  • Derived: Comes from the request.
  • Stored: Comes from the service, retained input.
  • Computed: Computed from service data.

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for Media Streams resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

media-workflow

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow resource.

Verb | Permissions | APIs Covered | Description
inspect | MEDIA_WORKFLOW_INSPECT | ListMediaWorkflow, ListSystemMediaWorkflows | List the MediaWorkflows and SystemMediaWorkflows in a compartment.
read | inspect+ MEDIA_WORKFLOW_READ | inspect+ GetMediaWorkflow | View the details of a MediaWorkflow.
use | read+ MEDIA_WORKFLOW_UPDATE | read+ UpdateMediaWorkflow | Update a MediaWorkflow.
manage | use+ MEDIA_WORKFLOW_CREATE | use+ CreateMediaWorkflow | Create a MediaWorkflow.
manage | use+ MEDIA_WORKFLOW_MOVE | use+ ChangeMediaWorkflowCompartment | Move a MediaWorkflow between compartments.
manage | use+ MEDIA_WORKFLOW_DELETE | use+ DeleteMediaWorkflow | Delete a MediaWorkflow.

media-workflow-configuration

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow-configuration resource.

Verb | Permissions | APIs Covered | Description
inspect | MEDIA_WORKFLOW_CONFIGURATION_INSPECT | ListMediaWorkflowConfiguration | List the MediaWorkflowConfiguration objects in a given compartment.
read | inspect+ MEDIA_WORKFLOW_CONFIGURATION_READ | inspect+ GetMediaWorkflowConfiguration | View the details of a MediaWorkflowConfiguration.
use | read+ MEDIA_WORKFLOW_CONFIGURATION_UPDATE | read+ UpdateMediaWorkflowConfiguration | Update a MediaWorkflowConfiguration.
manage | use+ MEDIA_WORKFLOW_CONFIGURATION_CREATE | use+ CreateMediaWorkflowConfiguration | Create a MediaWorkflowConfiguration.
manage | use+ MEDIA_WORKFLOW_CONFIGURATION_MOVE | use+ ChangeMediaWorkflowConfigurationCompartment | Move a MediaWorkflowConfiguration between compartments.
manage | use+ MEDIA_WORKFLOW_CONFIGURATION_DELETE | use+ DeleteMediaWorkflowConfiguration | Delete a MediaWorkflowConfiguration.

media-workflow-job

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-workflow-job resource.

Verb | Permissions | APIs Covered | Description
inspect | MEDIA_WORKFLOW_JOB_INSPECT | ListMediaWorkflowJob | List the MediaWorkflowJobs in a specific compartment.
read | inspect+ MEDIA_WORKFLOW_JOB_READ | inspect+ GetMediaWorkflowJob | View the details of a MediaWorkflowJob.
use | read+ MEDIA_WORKFLOW_JOB_UPDATE | read+ UpdateMediaWorkflowJob | Update a MediaWorkflowJob.
manage | use+ MEDIA_WORKFLOW_JOB_CREATE | use+ CreateMediaWorkflowJob | Create a MediaWorkflowJob.
manage | use+ MEDIA_WORKFLOW_JOB_MOVE | use+ ChangeMediaWorkflowJobCompartment | Move a MediaWorkflowJob between compartments.
manage | use+ MEDIA_WORKFLOW_JOB_DELETE | use+ DeleteMediaWorkflowJob | Cancel a MediaWorkflowJob.

media-asset

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-asset resource.

Verb | Permissions | APIs Covered | Description
inspect | MEDIA_ASSET_INSPECT | ListMediaAsset | List all the media assets in a given compartment.
read | inspect+ MEDIA_ASSET_READ | inspect+ GetMediaAsset | View all the details of the media asset records.
use | read+ MEDIA_ASSET_UPDATE | read+ UpdateMediaAsset | Update the media asset metadata.
manage | use+ MEDIA_ASSET_CREATE | use+ CreateMediaAsset | Create media assets.
manage | use+ MEDIA_ASSET_MOVE | use+ ChangeMediaAsset | Move media assets between compartments.
manage | use+ MEDIA_ASSET_DELETE | use+ DeleteMediaAsset | Delete media assets.

media-stream-distribution-channel

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-stream-distribution-channel resource.

Verb | Permissions | APIs Covered | Description
inspect | MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT | ListStreamDistributionChannel | List the StreamDistributionChannels in a compartment.
read | inspect+ MEDIA_STREAM_DISTRIBUTION_CHANNEL_READ | inspect+ GetStreamDistributionChannel | View the details of a StreamDistributionChannel.
use | read+ MEDIA_STREAM_DISTRIBUTION_CHANNEL_UPDATE | read+ UpdateStreamDistributionChannel | Update the details of a StreamDistributionChannel.
manage | use+ MEDIA_STREAM_DISTRIBUTION_CHANNEL_CREATE | use+ CreateStreamDistributionChannel | Create a StreamDistributionChannel.
manage | use+ MEDIA_STREAM_DISTRIBUTION_CHANNEL_MOVE | use+ ChangeStreamDistributionChannelCompartment | Move a StreamDistributionChannel between compartments.
manage | use+ MEDIA_STREAM_DISTRIBUTION_CHANNEL_DELETE | use+ DeleteStreamDistributionChannel | Delete a StreamDistributionChannel.

media-stream-packaging-config

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-stream-packaging-config resource.

Verb | Permissions | APIs Covered | Description
inspect | MEDIA_STREAM_PACKAGING_CONFIG_INSPECT | ListStreamPackagingConfigs | List the StreamPackagingConfigs in a specific StreamDistributionChannel.
read | inspect+ MEDIA_STREAM_PACKAGING_CONFIG_READ | inspect+ GetStreamPackagingConfig | View the details of a StreamPackagingConfig.
use | read+ MEDIA_STREAM_PACKAGING_CONFIG_UPDATE | read+ UpdateStreamPackagingConfig | Update the details of a StreamPackagingConfig.
manage | use+ MEDIA_STREAM_PACKAGING_CONFIG_CREATE | use+ CreateStreamPackagingConfig | Create a StreamPackagingConfig.
manage | use+ MEDIA_STREAM_PACKAGING_CONFIG_MOVE | use+ ChangeStreamPackagingConfigCompartment | Move a StreamPackagingConfig between compartments.
manage | use+ MEDIA_STREAM_PACKAGING_CONFIG_DELETE | use+ DeleteStreamPackagingConfig | Delete a StreamPackagingConfig.

media-stream-cdn-config

This table lists the permissions and the APIs that are fully covered by the permissions, for the media-stream-cdn-config resource.

Verb | Permissions | APIs Covered | Description
inspect | MEDIA_STREAM_CDN_CONFIG_INSPECT | ListStreamCdnConfig | List the StreamCdnConfigs in a specific StreamDistributionChannel.
read | inspect+ MEDIA_STREAM_CDN_CONFIG_READ | inspect+ GetStreamCdnConfig | View the details of a specific StreamCdnConfig.
use | read+ MEDIA_STREAM_CDN_CONFIG_UPDATE | read+ UpdateStreamCdnConfig | Update the details of a StreamCdnConfig.
manage | use+ MEDIA_STREAM_CDN_CONFIG_CREATE | use+ CreateStreamCdnConfig | Create a StreamCdnConfig.
manage | use+ MEDIA_STREAM_CDN_CONFIG_MOVE | use+ ChangeStreamCdnConfigCompartment | Move a StreamCdnConfig between compartments.
manage | use+ MEDIA_STREAM_CDN_CONFIG_DELETE | use+ DeleteStreamCdnConfig | Delete a StreamCdnConfig.

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. The resource types are media-stream-distribution-channel, media-stream-packaging-config, and media-stream-cdn-config.

For more information, see Permissions.

API Operation | Permissions Required to Use the Operation
CreateStreamDistributionChannel | MEDIA_STREAM_DISTRIBUTION_CHANNEL_CREATE
ListStreamDistributionChannels | MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT
GetStreamDistributionChannel | MEDIA_STREAM_DISTRIBUTION_CHANNEL_READ
UpdateStreamDistributionChannel | MEDIA_STREAM_DISTRIBUTION_CHANNEL_UPDATE
DeleteStreamDistributionChannel | MEDIA_STREAM_DISTRIBUTION_CHANNEL_DELETE
ChangeStreamDistributionChannelCompartment | MEDIA_STREAM_DISTRIBUTION_CHANNEL_MOVE
CreateStreamPackagingConfig | MEDIA_STREAM_PACKAGING_CONFIG_CREATE
ListStreamPackagingConfigs | MEDIA_STREAM_PACKAGING_CONFIG_INSPECT
GetStreamPackagingConfig | MEDIA_STREAM_PACKAGING_CONFIG_READ
UpdateStreamPackagingConfig | MEDIA_STREAM_PACKAGING_CONFIG_UPDATE
DeleteStreamPackagingConfig | MEDIA_STREAM_PACKAGING_CONFIG_DELETE
ChangeStreamPackagingConfigCompartment | MEDIA_STREAM_PACKAGING_CONFIG_MOVE
CreateStreamCdnConfig | MEDIA_STREAM_CDN_CONFIG_CREATE
ListStreamCdnConfigs | MEDIA_STREAM_CDN_CONFIG_INSPECT
GetStreamCdnConfig | MEDIA_STREAM_CDN_CONFIG_READ
UpdateStreamCdnConfig | MEDIA_STREAM_CDN_CONFIG_UPDATE
DeleteStreamCdnConfig | MEDIA_STREAM_CDN_CONFIG_DELETE
ChangeStreamCdnConfigCompartment | MEDIA_STREAM_CDN_CONFIG_MOVE
CreateStreamDataPlaneCellDeployment | MEDIA_STREAM_ADMIN_CREATE
ListStreamDataPlaneCellDeployments | MEDIA_STREAM_ADMIN_INSPECT
GetStreamDataPlaneCellDeployment | MEDIA_STREAM_ADMIN_READ
UpdateStreamDataPlaneCellDeployment | MEDIA_STREAM_ADMIN_UPDATE
DeleteStreamDataPlaneCellDeployment | MEDIA_STREAM_ADMIN_DELETE
CreateDistributionChannelAssignmentGroup | MEDIA_STREAM_ADMIN_CREATE
ListDistributionChannelAssignmentGroup | MEDIA_STREAM_ADMIN_INSPECT
GetDistributionChannelAssignmentGroup | MEDIA_STREAM_ADMIN_READ
UpdateDistributionChannelAssignmentGroup | MEDIA_STREAM_ADMIN_UPDATE
DeleteDistributionChannelAssignmentGroup | MEDIA_STREAM_ADMIN_DELETE
IngestStreamDistributionChannel | MEDIA_WORKFLOW_JOB_CREATE

Media Streams User Roles

You can use the available permissions/policies to configure access.

Here is a typical user configuration:

Digital Asset Library
  Description: This group requires access to the media assets that have been created.
  OCI resource permissions:
  • Read: media-asset

Channel Manager
  Description: OCI authorized entity/group that manages distribution channels (all operations).
  OCI resource permissions:
  • Manage: media-stream-distribution-channel
  • Manage: media-stream-packaging-config
  • Manage: media-stream-cdn-config

Asset Publisher
  Description: OCI authorized entity/group that manages playlist assets within a distribution channel (asset operations).
  OCI resource permissions:
  • Manage: media-asset
  • Use: media-stream-distribution-channel
  • Read: object-family

Asset Streamer
  Description: This group is the end user of the content. The streaming platforms request tokens on behalf of this actor to grant it access to the content.
  When an asset streamer requests playback of video content, the player requests the top-level playlist from Media Streams. The primary playlist request validates the session token and returns a primary playlist of variant streams, including ABR media playlists. Where the subsequent requests for individual bitrate playlists and their associated assets are sent depends on the CDN/Edge-specific configuration and the token authentication strategy associated with the CDN/Edge.
  OCI resource permissions: none.

Content Management System (CMS)
  Description: This OCI authorized entity/group can list and read distribution channels, packaging configurations, CDN configurations, and playlist assets. It embeds a video player linked to the appropriate combination of distribution channel, packaging configuration, and asset.
  OCI resource permissions:
  • Read: media-stream-distribution-channel
  • Read: media-stream-packaging-config
  • Read: media-stream-cdn-config
  • Read: media-asset

CDN Edge Server
  Description: A CDN edge server configured to use the media service endpoint as its origin server.
  OCI resource permissions: none.
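
The role table above, the verb hierarchy (inspect, read, use, manage; each level cumulative) and the "Permissions Required for Each API Operation" table can be combined into a small least-privilege checker. The following is an added example, not code from the Oracle documentation or the OCI SDK: it encodes the page's tables as Python data, renders each role's grants as policy statements, and answers whether a role's grants cover a given API operation. The group names and compartment name are placeholders; object-family is outside Media Streams and is not expanded; MEDIA_WORKFLOW_RUN is listed as a permission but not mapped to a verb on this page, so it is not modelled.

```python
# Added example (not from the Oracle documentation): model of this page's
# verb/permission/API tables, used to check a role's grants against the
# permission an API operation requires.

# Verb hierarchy from the page: access is cumulative inspect < read < use < manage.
VERB_ORDER = ["inspect", "read", "use", "manage"]

# Permission suffixes each verb adds, per the "Details for Verb + Resource Type
# Combinations" tables (manage adds CREATE, MOVE and DELETE).
VERB_SUFFIXES = {
    "inspect": ["INSPECT"],
    "read": ["READ"],
    "use": ["UPDATE"],
    "manage": ["CREATE", "MOVE", "DELETE"],
}

# Resource type -> permission prefix, from "Resource Types and Permissions".
PERMISSION_PREFIX = {
    "media-workflow": "MEDIA_WORKFLOW",
    "media-workflow-configuration": "MEDIA_WORKFLOW_CONFIGURATION",
    "media-workflow-job": "MEDIA_WORKFLOW_JOB",
    "media-asset": "MEDIA_ASSET",
    "media-stream-distribution-channel": "MEDIA_STREAM_DISTRIBUTION_CHANNEL",
    "media-stream-packaging-config": "MEDIA_STREAM_PACKAGING_CONFIG",
    "media-stream-cdn-config": "MEDIA_STREAM_CDN_CONFIG",
}

# Subset of the "Permissions Required for Each API Operation" table.
API_PERMISSION = {
    "ListStreamDistributionChannels": "MEDIA_STREAM_DISTRIBUTION_CHANNEL_INSPECT",
    "GetStreamDistributionChannel": "MEDIA_STREAM_DISTRIBUTION_CHANNEL_READ",
    "UpdateStreamDistributionChannel": "MEDIA_STREAM_DISTRIBUTION_CHANNEL_UPDATE",
    "CreateStreamDistributionChannel": "MEDIA_STREAM_DISTRIBUTION_CHANNEL_CREATE",
    "DeleteStreamDistributionChannel": "MEDIA_STREAM_DISTRIBUTION_CHANNEL_DELETE",
    "DeleteStreamCdnConfig": "MEDIA_STREAM_CDN_CONFIG_DELETE",
    "GetStreamPackagingConfig": "MEDIA_STREAM_PACKAGING_CONFIG_READ",
    "IngestStreamDistributionChannel": "MEDIA_WORKFLOW_JOB_CREATE",
}

# The roles from the "Media Streams User Roles" table as (verb, resource) grants.
ROLE_GRANTS = {
    "DigitalAssetLibrary": [("read", "media-asset")],
    "ChannelManager": [("manage", "media-stream-distribution-channel"),
                       ("manage", "media-stream-packaging-config"),
                       ("manage", "media-stream-cdn-config")],
    "AssetPublisher": [("manage", "media-asset"),
                       ("use", "media-stream-distribution-channel"),
                       ("read", "object-family")],
    "CMS": [("read", "media-stream-distribution-channel"),
            ("read", "media-stream-packaging-config"),
            ("read", "media-stream-cdn-config"),
            ("read", "media-asset")],
}


def permissions_for(verb, resource_type):
    """Expand one <verb> <resource-type> grant into the permission names it covers."""
    if resource_type == "media-family":  # aggregate type: union over every member type
        names = set()
        for member in PERMISSION_PREFIX:
            names |= permissions_for(verb, member)
        return names
    prefix = PERMISSION_PREFIX.get(resource_type)
    if prefix is None:  # e.g. object-family: not a Media Streams type, nothing to expand
        return set()
    level = VERB_ORDER.index(verb)
    return {f"{prefix}_{suffix}"
            for v in VERB_ORDER[: level + 1]
            for suffix in VERB_SUFFIXES[v]}


def policy_statements(role, group_name, compartment_name):
    """Render a role's grants as policy statements (group and compartment are placeholders)."""
    return [f"Allow group {group_name} to {verb} {resource} in compartment {compartment_name}"
            for verb, resource in ROLE_GRANTS[role]]


def role_permissions(role):
    """Union of the permissions all of a role's grants expand to."""
    perms = set()
    for verb, resource in ROLE_GRANTS[role]:
        perms |= permissions_for(verb, resource)
    return perms


def role_allows(role, api_operation):
    """True if the role's grants include the permission the operation requires."""
    return API_PERMISSION[api_operation] in role_permissions(role)


if __name__ == "__main__":
    for line in policy_statements("ChannelManager", "channel-managers", "media"):
        print(line)
    print(role_allows("AssetPublisher", "CreateStreamDistributionChannel"))  # False
```

Running the checker over the page's own tables shows that "use" on media-stream-distribution-channel lets the Asset Publisher call UpdateStreamDistributionChannel but not CreateStreamDistributionChannel, and that none of the listed roles covers IngestStreamDistributionChannel, which the operations table ties to MEDIA_WORKFLOW_JOB_CREATE; a role that ingests needs a media-workflow-job grant in addition to those shown.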

IAM Policies

Ensure that:

  • You have configured the streaming policies to enable Media Services to read the object-family in the video compartment of the object store.
  • The users or groups using Media Streams have the required permissions.

See Creating a Policy for details.

For more details about the syntax, see Policy Syntax.

Creating a Policy

Here's how you create a policy in the Console:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. In the Policies page, click Create Policy.
  3. In the Create Policy panel, enter a name and description for the policy, and specify the compartment where you want to create the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy rule in the following format:

    Allow service mediaservices to <verb> <resource_type> in <compartment or tenancy details>
  5. Click Create.

For instructions on how to create and manage policies using the Console or API, see Managing Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Policy Examples

Media Streams policies are required for using various Media Flow resources.

See the instructions in Creating a Policy for creating policies using the Console.

For more details about the syntax, see Policy Syntax.

The following policy examples are provided:

Media Family Policies

To allow a user or dynamic group to manage all the resources in Media Services, create this policy in your tenancy:

Allow <user or dynamic-group> to manage media-family in compartment <compartment_name>

Media Stream Policies

To use Media Streams, create this policy in your tenancy:

Allow any-user to read object-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}
Allow any-user to read media-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}

To grant the video storage compartment rights to read the object store, create this policy in your tenancy:

Allow any-user to read object-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}

To allow Media Streams to read the media metadata, create this policy in your tenancy:

Allow any-user to read media-family in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}

Use Keys Policies

If you have configured a packaging configuration to use custom encryption keys, then create this policy in your tenancy, on the compartment holding the encryption keys:

Allow any-user to use keys in compartment id <compartment_id> where all {request.principal.type='streamdistributionchannel', request.resource.compartment.id='<compartment_id>'}
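
The statements above all grant to any-user and rely on the where clause to narrow the grant to a distribution channel in the right compartment. The following added example (not code from the Oracle documentation or the OCI SDK) parses such a statement and evaluates its where all {...} conditions against constructed request contexts, so you can see which callers the grant admits. It is a simplified model: the compartment scope is checked by exact match on target.compartment.id (no sub-compartment inheritance), only = and != are supported, and the OCIDs and request contexts are constructed placeholders.

```python
# Added example (not from the Oracle documentation): evaluate the "where all {...}"
# conditions of a Media Streams policy statement against a request context.
import re

STATEMENT_RE = re.compile(
    r"^Allow (?P<subject>.+?) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment id (?P<compartment>\S+)"
    r"(?: where (?P<mode>all|any) \{(?P<conds>.*)\})?\s*$"
)
# One condition: <variable> = '<value>' or <variable> != '<value>'
COND_RE = re.compile(r"^\s*(?P<key>[\w.\-]+)\s*(?P<op>!=|=)\s*'(?P<value>[^']*)'\s*$")


def parse_statement(text):
    """Split a statement into subject, verb, resource, compartment id and conditions."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised statement: {text!r}")
    conditions = []
    if m.group("conds") is not None:
        for part in m.group("conds").split(","):
            c = COND_RE.match(part)
            if not c:
                raise ValueError(f"unrecognised condition: {part!r}")
            conditions.append((c.group("key"), c.group("op"), c.group("value")))
    return {
        "subject": m.group("subject"),
        "verb": m.group("verb"),
        "resource": m.group("resource"),
        "compartment": m.group("compartment"),
        "mode": m.group("mode") or "all",
        "conditions": conditions,
    }


def condition_holds(condition, context):
    """Evaluate one condition; a variable absent from the request never matches (simplification)."""
    key, op, value = condition
    actual = context.get(key)
    if actual is None:
        return False
    return actual == value if op == "=" else actual != value


def statement_applies(statement, context):
    """True if the request is in the statement's compartment and its conditions hold."""
    if context.get("target.compartment.id") != statement["compartment"]:
        return False
    if not statement["conditions"]:
        return True
    results = [condition_holds(c, context) for c in statement["conditions"]]
    return all(results) if statement["mode"] == "all" else any(results)


# Constructed placeholder OCIDs (not real identifiers).
VIDEO_COMPARTMENT = "ocid1.compartment.oc1..video-placeholder"
OTHER_COMPARTMENT = "ocid1.compartment.oc1..other-placeholder"

# The object-family statement from this page with the placeholder substituted.
OBJECT_READ_STATEMENT = (
    f"Allow any-user to read object-family in compartment id {VIDEO_COMPARTMENT} "
    f"where all {{request.principal.type='streamdistributionchannel', "
    f"request.resource.compartment.id='{VIDEO_COMPARTMENT}'}}"
)

# Constructed request contexts, keyed by the variable names the conditions use.
CHANNEL_REQUEST = {  # a distribution channel in the video compartment reading an object
    "target.compartment.id": VIDEO_COMPARTMENT,
    "request.principal.type": "streamdistributionchannel",
    "request.resource.compartment.id": VIDEO_COMPARTMENT,
}
USER_REQUEST = {  # an ordinary user attempting the same read
    "target.compartment.id": VIDEO_COMPARTMENT,
    "request.principal.type": "user",
    "request.resource.compartment.id": VIDEO_COMPARTMENT,
}
FOREIGN_CHANNEL_REQUEST = {  # a distribution channel that lives in another compartment
    "target.compartment.id": VIDEO_COMPARTMENT,
    "request.principal.type": "streamdistributionchannel",
    "request.resource.compartment.id": OTHER_COMPARTMENT,
}


def who_is_admitted():
    """Evaluate the page's statement against each constructed request."""
    stmt = parse_statement(OBJECT_READ_STATEMENT)
    return {
        "channel": statement_applies(stmt, CHANNEL_REQUEST),
        "user": statement_applies(stmt, USER_REQUEST),
        "foreign_channel": statement_applies(stmt, FOREIGN_CHANNEL_REQUEST),
    }


if __name__ == "__main__":
    print(who_is_admitted())  # {'channel': True, 'user': False, 'foreign_channel': False}
```

The point of the exercise is the second and third contexts: without the where clause, any-user would admit the ordinary user and a channel from another compartment; with it, only a streamdistributionchannel principal whose resource sits in the named compartment is admitted, which is the scope the page intends for these grants.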