Service Policies

You use authorization policies to control access to resources in your tenancy. For example, you can create a policy that authorizes users to create and manage Oracle Content Management instances.

You create policies in the Infrastructure Console. See Managing Policies.

The following information applies to Oracle Content Management service policies:

Resource Types for Oracle Content Management

This table lists the resource types for Oracle Content Management.

Resource type        Description
oce-instance         A single Oracle Content Management instance.
oce-instances        One or more Oracle Content Management instances.
oce-workrequest      A single Oracle Content Management work request. Every operation performed on an Oracle Content Management instance (for example, create, update, or terminate) creates a work request.
oce-workrequests     One or more Oracle Content Management work requests.

Supported Variables

The values of these variables are supplied by Oracle Content Management. Other general variables are also supported. See General Variables for All Requests.

This table lists the variables supported by Oracle Content Management.

Variable                Type     Description                                                       Example value
target.compartment.id   entity   The OCID of the primary resource for the request.                 target.compartment.id = 'ocid1.compartment.oc1..<unique_ID>'
request.operation       string   The operation ID of the request (for example, "GetUser").         request.operation = 'ocid1.compartment.oc1..<unique_ID>'
target.resource.kind    string   The resource kind name of the primary resource for the request.   target.resource.kind = 'ocid1.contentexperiencecloudservice.oc1..<unique_ID>'

Details for Verb and Resource-Type Combinations

Oracle Cloud Infrastructure provides a standard set of verbs (INSPECT, READ, USE, MANAGE) for defining permissions on its resources. The tables below list the Oracle Content Management permissions associated with each verb. Access levels are cumulative: each step from INSPECT to READ, to USE, to MANAGE adds to the permissions of the previous one.

INSPECT

Resource type                       INSPECT permissions
oce-instance, oce-instances         OCE_INSTANCE_INSPECT
oce-workrequest, oce-workrequests   OCE_INSTANCE_WORKREQUEST_INSPECT
oce-instance-family                 OCE_INSTANCE_INSPECT, OCE_INSTANCE_WORKREQUEST_INSPECT

READ

Resource type                       READ permissions
oce-instance, oce-instances         OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ
oce-workrequest, oce-workrequests   OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ
oce-instance-family                 OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ,
                                    OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ

USE

Resource type                       USE permissions
oce-instance, oce-instances         OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ, OCE_INSTANCE_UPDATE
oce-workrequest, oce-workrequests   OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ
oce-instance-family                 OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ, OCE_INSTANCE_UPDATE,
                                    OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ

MANAGE

Resource type                       MANAGE permissions
oce-instance, oce-instances         OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ, OCE_INSTANCE_CREATE,
                                    OCE_INSTANCE_UPDATE, OCE_INSTANCE_DELETE
oce-workrequest, oce-workrequests   OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ
oce-instance-family                 OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ, OCE_INSTANCE_CREATE,
                                    OCE_INSTANCE_UPDATE, OCE_INSTANCE_DELETE,
                                    OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ

Permissions Required for Each API Operation

This table lists the API operations available for Oracle Content Management, grouped by resource type, together with the permission each one requires.

REST API operation              CLI command                       Permission required to use the operation
ListOceInstances                oce-instance list                 OCE_INSTANCE_INSPECT
GetOceInstance                  oce-instance get                  OCE_INSTANCE_READ
CreateOceInstance               oce-instance create               OCE_INSTANCE_CREATE
DeleteOceInstance               oce-instance delete               OCE_INSTANCE_DELETE
UpdateOceInstance               oce-instance update               OCE_INSTANCE_UPDATE
ChangeOceInstanceCompartment    oce-instance change-compartment   OCE_INSTANCE_UPDATE
ListWorkRequests                work-request list                 OCE_INSTANCE_WORKREQUEST_INSPECT
GetWorkRequest                  work-request get                  OCE_INSTANCE_WORKREQUEST_READ
ListWorkRequestErrors           work-request-error list           OCE_INSTANCE_WORKREQUEST_INSPECT
ListWorkRequestLogs             work-request-log list             OCE_INSTANCE_WORKREQUEST_INSPECT

Example Policy Statements for Managing Oracle Content Management Instances

The following are typical policy statements you might use when authorizing access to Oracle Content Management instances.

When you create a policy for your tenancy, you grant users access to all compartments through policy inheritance. Alternatively, you can restrict access to an individual Oracle Content Management instance or compartment.

Allow users in the Administrators group to fully manage any Oracle Content Management instance

# Full admin permissions (CRUD)
allow group Administrators to manage oce-instances in tenancy
allow group Administrators to manage oce-workrequests in tenancy
# Full admin permissions (CRUD) using family
allow group Administrators to manage oce-instance-family in tenancy

Allow users in the group1 group to inspect any Oracle Content Management instance and its associated work requests

# Inspect permissions (list oce instances and work requests) using metaverbs:
allow group group1 to inspect oce-instances in tenancy
allow group group1 to inspect oce-workrequests in tenancy
# Inspect permissions (list oce instances and work requests) using permission names:
allow group group1 to {OCE_INSTANCE_INSPECT} in tenancy
allow group group1 to {OCE_INSTANCE_WORKREQUEST_INSPECT} in tenancy

Allow users in the group2 group to read details about any Oracle Content Management instance and its associated work requests

# Read permissions (read complete oce instance and work request metadata) using metaverbs:
allow group group2 to read oce-instances in tenancy
allow group group2 to read oce-workrequests in tenancy
# Read permissions (read complete oce instance and work request metadata) using permission names:
allow group group2 to {OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ} in tenancy
allow group group2 to {OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ} in tenancy

Allow users in the group3 group to read all Oracle Content Management instances and their associated work requests

# Use permissions (read on oce instance, read on work request) using metaverbs:
allow group group3 to use oce-instances in tenancy
allow group group3 to read oce-workrequests in tenancy
# Use permissions (read on oce instance, read on work request) using permission names:
allow group group3 to {OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ, OCE_INSTANCE_UPDATE} in tenancy
allow group group3 to {OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ} in tenancy

Allow users in the group4 group to manage any Oracle Content Management instance and its associated work requests

# Manage permissions (use/delete on oce instance, read/cancel on work request) using metaverbs:
allow group group4 to manage oce-instances in tenancy
allow group group4 to manage oce-workrequests in tenancy
# Manage permissions (use/delete on oce instance, read/cancel on work request) using permission names:
allow group group4 to {OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ, OCE_INSTANCE_UPDATE, OCE_INSTANCE_CREATE, OCE_INSTANCE_DELETE} in tenancy
allow group group4 to {OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ} in tenancy
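To check what a set of statements like the ones above actually grants before deploying them, the following added example (not Oracle's code or tooling) encodes the verb tables, the API-operation table and the cumulative INSPECT-to-MANAGE rule from this page, then evaluates which API operations a group may call. It models only the tenancy-wide statement shapes shown on this page; compartment scoping and conditions are assumed out of scope.

```python
import re
VERBS = ("inspect", "read", "use", "manage")
# Permissions each verb adds on top of the previous one, taken from the verb tables on
# this page. Access is cumulative, so cumulative() folds the levels together.
INSTANCE_LEVELS = {"inspect": ["OCE_INSTANCE_INSPECT"], "read": ["OCE_INSTANCE_READ"],
                   "use": ["OCE_INSTANCE_UPDATE"], "manage": ["OCE_INSTANCE_CREATE", "OCE_INSTANCE_DELETE"]}
WORKREQUEST_LEVELS = {"inspect": ["OCE_INSTANCE_WORKREQUEST_INSPECT"],
                      "read": ["OCE_INSTANCE_WORKREQUEST_READ"], "use": [], "manage": []}

def cumulative(levels):
    """Expand per-verb increments into the full permission set each verb grants."""
    out, acc = {}, set()
    for verb in VERBS:
        acc |= set(levels[verb])
        out[verb] = set(acc)
    return out

VERB_PERMISSIONS = {"oce-instances": cumulative(INSTANCE_LEVELS),
                    "oce-workrequests": cumulative(WORKREQUEST_LEVELS)}
# oce-instance-family covers both resource types; the singular names grant the same sets.
VERB_PERMISSIONS["oce-instance-family"] = {
    v: VERB_PERMISSIONS["oce-instances"][v] | VERB_PERMISSIONS["oce-workrequests"][v] for v in VERBS}
VERB_PERMISSIONS["oce-instance"] = VERB_PERMISSIONS["oce-instances"]
VERB_PERMISSIONS["oce-workrequest"] = VERB_PERMISSIONS["oce-workrequests"]

# Permission each REST API operation requires, from the API table on this page.
OPERATION_PERMISSION = dict(
    ListOceInstances="OCE_INSTANCE_INSPECT", GetOceInstance="OCE_INSTANCE_READ",
    CreateOceInstance="OCE_INSTANCE_CREATE", DeleteOceInstance="OCE_INSTANCE_DELETE",
    UpdateOceInstance="OCE_INSTANCE_UPDATE", ChangeOceInstanceCompartment="OCE_INSTANCE_UPDATE",
    ListWorkRequests="OCE_INSTANCE_WORKREQUEST_INSPECT", GetWorkRequest="OCE_INSTANCE_WORKREQUEST_READ",
    ListWorkRequestErrors="OCE_INSTANCE_WORKREQUEST_INSPECT", ListWorkRequestLogs="OCE_INSTANCE_WORKREQUEST_INSPECT")

# The two tenancy-wide statement shapes used on this page: a verb on a resource type, or
# a braced list of permission names. Assumption: nothing else (no where-clauses) is parsed.
STATEMENT = re.compile(r"allow group (\S+) to (?:(inspect|read|use|manage) (\S+)|\{([^}]*)\}) in tenancy", re.I)

def granted_permissions(statements, group):
    """Union of the permissions the policy text grants to `group`; '#' comments are skipped."""
    perms = set()
    for line in statements.splitlines():
        m = STATEMENT.search(line.split("#", 1)[0])
        if not m or m.group(1) != group:
            continue
        if m.group(2):
            perms |= VERB_PERMISSIONS[m.group(3).lower()][m.group(2).lower()]
        else:
            perms |= {p.strip() for p in m.group(4).split(",") if p.strip()}
    return perms

def is_allowed(statements, group, operation):
    """True if `group` holds the permission that the named API operation requires."""
    return OPERATION_PERMISSION[operation] in granted_permissions(statements, group)
```

Running the page's group1 statements through is_allowed shows that inspect covers ListOceInstances but not GetOceInstance, which is the least-privilege distinction the verb tables encode.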