Details for the Email Delivery Service

This topic covers details for writing policies to control access to the Email Delivery service.

Resource-Types

email-domains

email-work-requests

email-family

approved-senders

suppressions

Supported Variables

The Email Delivery Service supports all the general variables (see General Variables for All Requests), plus the ones listed here.


Variable	Variable Type	Comments
`target.approved-sender.email-domain`	String	The value matches the domain portion (right-hand-side) of the email address and the name of the associated `email-domain` object if one exists. Policies should use the U-label form of the domain. Matching is case-insensitive. This is not available for `ListSenders`.
`target.email-domain.name`	String	Scopes permission to domains that match the specified domain name. Policies should use the U-label form of the domain. Matching is case-insensitive. This variable can be used with pattern matching syntax to grant sub-domain access. This is not available for `ListEmailDomains`.
`target.email-domain.id`	Entity (OCID)	Not available for `ListEmailDomains` or `CreateEmailDomain`.
`target.email-work-request.id`	Entity (OCID)	Not available for `ListWorkRequests`.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

email-domains


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	EMAIL_DOMAIN_INSPECT	`ListEmailDomains`	None
read	INSPECT + EMAIL_DOMAIN_READ	`GetEmailDomain`	None
use	READ + EMAIL_DOMAIN_UPDATE	`UpdateEmailDomain`	None
manage	USE + EMAIL_DOMAIN_CREATE EMAIL_DOMAIN_DELETE EMAIL_DOMAIN_MOVE	`CreateEmailDomain` `DeleteEmailDomain` `ChangeEmailDomainCompartment`	None

dkims


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DKIM_INSPECT	`ListDkims`	None
read	INSPECT + DKIM_READ	`GetDkim`	None
use	READ + DKIM_UPDATE	`UpdateDkim`	None
manage	USE + DKIM_CREATE DKIM_DELETE	`CreateDkim` `DeleteDkim`	None

email-work-requests


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	EMAIL_WORK_REQUEST_INSPECT	`ListWorkRequests`	None
read	INSPECT + EMAIL_WORK_REQUEST_READ	`GetWorkRequest` `ListWorkRequestErrors` `ListWorkRequestLogs`	None

email-family


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	APPROVED_SENDER_INSPECT EMAIL_DOMAIN_INSPECT EMAIL_WORK_REQUEST_INSPECT SUPPRESSION_INSPECT	`ListSenders` `ListEmailDomains` `ListWorkRequestErrors` `ListSuppression`	None
read	INSPECT + APPROVED_SENDER_READ EMAIL_DOMAIN_READ EMAIL_WORK_REQUEST_READ SUPPRESSION_READ	`GetSender` `GetEmailDomain` `ListWorkRequests` `ListWorkRequestErrors` `ListWorkRequestLogs` `GetSuppression`	None
use	READ + APPROVED_SENDER_USE APPROVED_SENDER_UPDATE EMAIL_DOMAIN_UPDATE	`SmtpSend` `UpdateSender` `UpdateEmailDomain`	None
manage	USE + APPROVED_SENDER_CREATE APPROVED_SENDER_DELETE APPROVED_SENDER_MOVE EMAIL_DOMAIN_CREATE EMAIL_DOMAIN_DELETE EMAIL_DOMAIN_MOVE SUPPRESSION_CREATE SUPPRESSION_DELETE	`CreateSender` `DeleteSender` `MoveSender` `CreateEmailDomain` `DeleteEmailDomain` `ChangeEmailDomainCompartment` `CreateSuppression` `DeleteSuppression`	None

approved-senders


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	APPROVED_SENDER_INSPECT	`ListSenders`	None
read	INSPECT + APPROVED_SENDER_READ	`GetSender`	None
use	READ + APPROVED_SENDER_USE	`SmtpSend`	None
manage	USE + APPROVED_SENDER_CREATE APPROVED_SENDER_DELETE APPROVED_SENDER_UPDATE APPROVED_SENDER_MOVE	`CreateSender` `DeleteSender` `UpdateSender` `MoveSender`	None

suppressions


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	SUPPRESSION_INSPECT	`ListSuppression`	None
read	INSPECT + SUPPRESSION_READ	`GetSuppression`	None
use	No extra	None	None
manage	USE + SUPPRESSION_CREATE SUPPRESSION_DELETE	`CreateSuppression` `DeleteSuppression`	None

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`ListEmailDomains`	EMAIL_DOMAIN_INSPECT
`GetEmailDomain`	EMAIL_DOMAIN_READ
`CreateEmailDomain`	EMAIL_DOMAIN_CREATE
`UpdateEmailDomain`	EMAIL_DOMAIN_UPDATE
`DeleteEmailDomain`	EMAIL_DOMAIN_DELETE
`ChangeEmailDomainCompartment`	EMAIL_DOMAIN_MOVE
`ListSenders`	APPROVED_SENDER_INSPECT
`GetSender`	APPROVED_SENDER_READ
`CreateSender`	APPROVED_SENDER_CREATE
`UpdateSender`	APPROVED_SENDER_UPDATE
`DeleteSender`	APPROVED_SENDER_DELETE
`MoveSender`	APPROVED_SENDER_MOVE
`SmtpSend`	APPROVED_SENDER_USE
`ListSuppression`	SUPPRESSION_INSPECT
`GetSuppression`	SUPPRESSION_READ
`CreateSuppression`	SUPPRESSION_CREATE
`DeleteSuppression`	SUPPRESSION_DELETE
`ListWorkRequests`	EMAIL_WORK_REQUEST_INSPECT
`GetWorkRequest`	EMAIL_WORK_REQUEST_READ
`ListWorkRequestErrors`	EMAIL_WORK_REQUEST_INSPECT
`ListWorkRequestLogs`	EMAIL_WORK_REQUEST_INSPECT

Oracle Cloud Infrastructure Documentation

Details for the Email Delivery Service

Resource-Types

Supported Variables

Details for Verb + Resource-Type Combinations

Permissions Required for Each API Operation