About Speech Policies

Learn about the resource policies including API permissions.

To control who has access to Speech, and the type of access for each group of users, you must create policies. By default, only the users in the Administrators group have access to all Speech resources.

For everyone else who's using the service, you must create policies that assign them proper rights to Speech resources. For a complete list of OCI policies, see Policy Reference.

Resource Types

Speech offers both aggregate and individual resource types for writing policies. You can use aggregate resource types to write fewer policies. For example, instead of allowing a group to manage all individual resource types, you can have a policy that allows the group to manage the aggregate resource type, ai-service-speech-family.

Individual Resource Types: ai-service-speech-transcription-job
Aggregate Resource Type: ai-service-speech-family

Required IAM Policies

To work with Speech, an administrator must grant you access in an IAM policy.

If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have.

You must also create policies that provide access to Object Storage, so that audio files can be read from a bucket and the generated transcriptions can be written to a bucket.

Create a policy with the following statement to manage objects:

allow group <group-name> to manage object-family in tenancy

Create a policy with a statement of the following form to manage transcription jobs:

allow <subject> to manage ai-service-speech-family in tenancy

where <subject> is one of:

group <group-name> |
group id <group-ocid> |
dynamic-group <dynamic-group-name> |
dynamic-group id <dynamic-group-ocid> |
any-user

Example Policies

Allow any user to manage all Speech resources using the aggregate resource type:

allow any-user to manage ai-service-speech-family in tenancy

These policies allow users in the SpeechUsers group to manage Speech transcription jobs:

allow group SpeechUsers to manage ai-service-speech-family in tenancy
allow group SpeechUsers to manage object-family in tenancy
allow group SpeechUsers to read tag-namespaces in tenancy
allow group SpeechUsers to inspect tag-namespaces in tenancy

If you want to limit access to a specific compartment, then create a group, and set these policies in that compartment:

allow group SpeechUsers to manage ai-service-speech-family in compartment <compartment-name>
allow group SpeechUsers to manage object-family in compartment <compartment-name>
allow group SpeechUsers to read tag-namespaces in compartment <compartment-name>
allow group SpeechUsers to inspect tag-namespaces in compartment <compartment-name>
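
A small audit over policy statements of the form shown above, added here as an illustration (not Oracle's code or tooling): it flags Speech and Object Storage grants whose subject is any-user or whose manage scope is the whole tenancy rather than a compartment. The finding labels, the sample statements and the compartment name speech-dev are constructed for this example, and statements carrying a where condition are reported as unparsed.

```python
import re

# Statement shape and subject forms follow the syntax shown on this page:
# allow <subject> to <verb> <resource-type> in <location>
STATEMENT = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:dynamic-)?group\s+(?:id\s+)?\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)\s*$",
    re.IGNORECASE,
)

# Resource types this page grants for Speech work.
WATCHED = {"ai-service-speech-family", "ai-service-speech-transcription-job",
           "object-family"}


def audit(policy_text):
    """Return (statement, finding) pairs a policy reviewer should look at."""
    findings = []
    for raw in policy_text.splitlines():
        stmt = " ".join(raw.split())          # normalise wrapped whitespace
        if not stmt:
            continue
        m = STATEMENT.match(stmt)
        if m is None:                         # malformed, or uses a where clause
            findings.append((stmt, "unparsed"))
            continue
        if m["resource"].lower() not in WATCHED:
            continue
        if m["subject"].lower() == "any-user":
            findings.append((stmt, "any-user-subject"))
        if m["verb"].lower() == "manage" and m["location"].lower() == "tenancy":
            findings.append((stmt, "tenancy-wide-manage"))
    return findings


# Constructed sample: page examples plus one malformed line (missing "group").
SAMPLE = """
allow any-user to manage ai-service-speech-family in tenancy
allow group SpeechUsers to manage object-family in tenancy
allow group SpeechUsers to read tag-namespaces in tenancy
allow group SpeechUsers to manage ai-service-speech-family in compartment speech-dev
allow SpeechUsers to manage object-family in tenancy
"""

if __name__ == "__main__":
    for statement, finding in audit(SAMPLE):
        print(f"{finding:20} {statement}")
```
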

Resource Types and Permissions

Resource: ai-service-speech-transcription-job

Permissions:
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_INSPECT
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CREATE
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_UPDATE
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CANCEL
AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_MOVE

Permissions Required for Each API Operation

You can use the individual resource types with API calls to interact with the service.

The following table lists the API operations for the Speech service in a logical order, grouped by resource type, and the permissions required for resource types:

API Operation                      Permission
CreateTranscriptionJob             AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CREATE
ListTranscriptionJobs              AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_INSPECT
GetTranscriptionJob                AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ
UpdateTranscriptionJob             AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_UPDATE
CancelTranscriptionJob             AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CANCEL
ChangeTranscriptionJobCompartment  AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_MOVE
ListTranscriptionTasks             AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ
GetTranscriptionTask               AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ
CancelTranscriptionTask            AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_READ
                                   AI_SERVICE_SPEECH_TRANSCRIPTION_JOB_CANCEL