Stream Video Analysis Policy Set Up

To control who has access to Stream Video Analysis and the type of access for each group of users, you must create policies.

This is true whether you're using the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with an administrator the type of access granted, and which compartment you can work in.

Stream Video Analysis uses other OCI services to process streams. To function correctly, the Stream Video Analysis service requires permissions to operate on those resources in your tenancy or compartment. You must create dynamic groups and policies before you can use Stream Video Analysis.

Required IAM Policies

To enable Stream Video Analysis functionality, specific policies are needed to access Vision and to give the Stream job access to your resources:

  • Access to Vision
  • Access to Virtual Networking (for Private Endpoints)
  • Stream Job Access to Your Resources

Policy to Access Vision

Give the user group access to the AI service Vision family

By default, only the users in the Administrators group have access to all Vision resources. For everyone else who works with Vision, you must set up this policy to grant access to Vision:
allow group <group-name> to manage ai-service-vision-family in compartment <compartment-name>

Access to Virtual Networking (for Private Endpoints)

This policy provides the necessary access to network resources such as subnets, VCNs, route tables, and security lists:
allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

Stream Job Access to Your Resources

You can configure access for Stream Video Analysis jobs in two ways:

Use a Dynamic Group

Dynamic groups let you write more concise policies and reuse the same group. You must create a dynamic group for Vision Stream jobs, <dynamic-group-name>, in a specific compartment, and authorize that group to configure and process a stream job. The Stream job authenticates with a resource principal.

Configuring Dynamic Groups and Creating Policies for the Dynamic Group

Create a new dynamic group <dynamic-group-name> at the compartment level, or update an existing dynamic group, with the following matching rule (replace the empty <> with the compartment OCID):
ANY {(resource.type = 'aivisionstreamjob' and resource.compartment.id = 'ocid1.compartment.oc1..<>')}

Give Stream Video Analysis Access to an Object Storage Bucket Using Resource Principal
allow dynamic-group <dynamic-group-name> to manage objects in compartment <compartment-name>

Give Stream Video Analysis Access to Vault Using Resource Principal
allow dynamic-group <dynamic-group-name> to use secret-family in compartment <compartment-name>

Use an All-in-one Policy

Instead of a dynamic group, you can grant the Stream job principal access directly, restricted by its principal type and compartment:
ALLOW ANY-USER to use secret-family IN TENANCY WHERE ALL {request.principal.type='aivisionstreamjob', request.resource.compartment.id = '<compartment_id>'}

ALLOW ANY-USER to manage objects IN TENANCY WHERE ALL {request.principal.type='aivisionstreamjob', request.resource.compartment.id = '<compartment_id>'}
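As an added example (not part of the Oracle documentation), the following Python helper builds the dynamic-group matching rule and the two resource-principal statements above from a compartment OCID, and lints any statement for unreplaced placeholders or over-broad grants before it is created. The compartment OCID is a constructed sample value.

```python
import re

# Constructed sample compartment OCID for this example (not a real resource).
SAMPLE_COMPARTMENT_OCID = "ocid1.compartment.oc1..aaaaaaaaexamplecompartment"

COMPARTMENT_OCID_RE = re.compile(r"^ocid1\.compartment\.oc1\.\.[a-z0-9]+$")
PLACEHOLDER_RE = re.compile(r"<[^<>]*>")   # e.g. <compartment_id> left in a statement


def dynamic_group_rule(compartment_ocid: str) -> str:
    """Matching rule that puts only this compartment's Stream jobs in the group."""
    if not COMPARTMENT_OCID_RE.match(compartment_ocid):
        raise ValueError(f"not a compartment OCID: {compartment_ocid!r}")
    return ("ANY {(resource.type = 'aivisionstreamjob' and "
            f"resource.compartment.id = '{compartment_ocid}')}}")


def stream_job_policies(dynamic_group: str, compartment: str) -> list[str]:
    """The two statements a Stream job needs through its resource principal."""
    return [
        f"allow dynamic-group {dynamic_group} to manage objects in compartment {compartment}",
        f"allow dynamic-group {dynamic_group} to use secret-family in compartment {compartment}",
    ]


def lint_statement(statement: str) -> list[str]:
    """Return findings for one policy statement; an empty list means it passes."""
    s = statement.lower()
    findings = []
    if PLACEHOLDER_RE.search(statement):
        findings.append("placeholder left unreplaced")
    if "all-resources" in s:
        findings.append("grants all-resources; scope to the needed family")
    if "any-user" in s and " where " not in s:
        findings.append("any-user grant without a where condition")
    if "any-user" in s and "request.principal.type='aivisionstreamjob'" not in s.replace(" ", ""):
        findings.append("any-user grant not restricted to the Stream job principal")
    if " in tenancy" in s and "where" not in s:
        findings.append("tenancy-wide scope without a condition; prefer a compartment")
    return findings


if __name__ == "__main__":
    print(dynamic_group_rule(SAMPLE_COMPARTMENT_OCID))
    for stmt in stream_job_policies("vision-stream-jobs", "vision-compartment"):
        print(stmt, lint_statement(stmt))
```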