Instructor: We saw in the video
on shared access signature that we assign permissions,
start date, end date,
perhaps IP address and the allowed protocols.
But once we've created this SAS token, we cannot modify it.
We cannot revoke it.
So you create it, you give it to someone,
and you're pretty much stuck
with having this token out there
unless you invalidate the key.
One way around that is using
what's called a stored access policy.
So a stored access policy is a way
to centrally manage SAS token settings.
It is defined at the container level.
So we go up to...
Under containers, we're looking at first container,
and we right-click on the three dots,
and we look at Access policy.
So this policy does contain permissions,
a start time, and an expiry time,
similar to the way that we would
with a shared access signature.
So I'm gonna call this first policy,
and we're gonna give it Read permissions.
And we're going to choose a one-week policy
and say, "OK."
So this, I haven't actually granted anybody any permissions.
I've just created the policy called first policy,
and I'll say, "Save."
Now when I go to the file,
I can go to the one that I uploaded
and I can say, "Generate SAS."
And if I choose the first policy from stored access policy,
it's now prevented me from editing the start
and expiry date and time as well as the permissions.
I can then generate the SAS token with this.
Let's say that I've copied it.
Now if I've given this to somebody
and I want to revoke the permissions,
I'm not only able to do so by invalidating the key,
I can also modify the policy.
So if I go back up to the container
and I go look at access policy,
I can either delete the policy or edit it.
And let's say I want to extend the life of this
for a few more weeks.
So now the permissions,
again, have been embedded in the policy.
So whoever has the SAS token can continue to use it
until the new expiry time.
If I wanted to expire it early,
let's say, I wanna expire it 30 minutes ago,
then I can change the expiry time to a much shorter period.
So now I have editable permissions
on the permissions and the time
without having to regenerate the token
or even contact people.
Now this is best used when you have long-lived policies.
You wouldn't do this for just a few hours,
but if you had something that is a six-month policy,
that's a long time for something to change.
You need to grant additional permissions
or to change the expiry time.
The other benefit, of course, is you can reuse this policy.
So you can grant multiple SAS tokens
pointing to the same policy,
and then modify the start date and end date
and the permissions all at once.
So this is a much more flexible
and useful way of managing SAS tokens if you're gonna use it
to give access to your containers and/or your files.
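
Added example, not part of the instructor's demo and not Azure's own code: a simplified Python model of why a SAS token tied to a stored access policy can be extended, shortened or revoked after it is handed out, while an ad hoc SAS cannot. The account key, resource path, policy name `first-policy` and the string-to-sign are constructed for illustration; the real Azure signing format has more fields.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone

ACCOUNT_KEY = b"constructed-demo-key"  # constructed value, not a real account key

def sign(fields):
    # Simplified string-to-sign (assumption): sorted key=value lines under HMAC-SHA256.
    msg = "\n".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(ACCOUNT_KEY, msg, hashlib.sha256).hexdigest()

def issue_policy_sas(resource, policy_id):
    # The token carries only the policy identifier (si); no permissions or expiry.
    fields = {"sr": resource, "si": policy_id}
    return {**fields, "sig": sign(fields)}

def issue_adhoc_sas(resource, permissions, expiry):
    # Permissions and expiry are baked into the signed token and cannot change.
    fields = {"sr": resource, "sp": permissions, "se": expiry.isoformat()}
    return {**fields, "sig": sign(fields)}

def authorize(token, policies, action, now):
    fields = {k: v for k, v in token.items() if k != "sig"}
    if not hmac.compare_digest(sign(fields), token["sig"]):
        return False  # tampered token, or the signing key was rotated
    if "si" in fields:
        policy = policies.get(fields["si"])  # resolved on the container at request time
        if policy is None:
            return False  # deleting the policy revokes every token that references it
        permissions, expiry = policy["permissions"], policy["expiry"]
    else:
        permissions, expiry = fields["sp"], datetime.fromisoformat(fields["se"])
    return action in permissions and now < expiry

def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    policies = {"first-policy": {"permissions": "r", "expiry": now + timedelta(weeks=1)}}
    tok = issue_policy_sas("firstcontainer/report.txt", "first-policy")
    adhoc = issue_adhoc_sas("firstcontainer/report.txt", "r", now + timedelta(weeks=1))
    results = [authorize(tok, policies, "r", now)]         # valid under the one-week policy
    policies["first-policy"]["expiry"] = now - timedelta(minutes=30)
    results.append(authorize(tok, policies, "r", now))     # same token, now expired
    results.append(authorize(adhoc, policies, "r", now))   # ad hoc SAS is unaffected
    del policies["first-policy"]
    results.append(authorize(tok, policies, "r", now))     # policy deleted: revoked
    return results
```

The ad hoc token in this model stays valid until its embedded expiry; the only way to cut it off is to change `ACCOUNT_KEY`, which also invalidates every other token signed with that key.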