Policy Reference

This reference includes:

Verbs: A list of the available actions to pair with a resource-type
Resource-Types: A list of the main resource-types
General Variables for All Requests: Variables you can use when writing policies for any resource-type
Analytics Cloud: See Give Users Permissions to Manage Analytics Cloud Instances
Details for API Gateway
Details for Application Performance Monitoring
Classic Migration Service: See Manage Service Access and Security
Artifact Registry: See Artifact Registry Policies
Details for the Audit Service
Bastion: See Bastion Policies
Big Data: See Understand Big Data Service Resources and Permissions in IAM Policies
Blockchain Platform: See About Permissions and Policies to Manage Oracle Blockchain Platform
Cloud Advisor: See Policy Details for Cloud Advisor
Cloud Guard: See Cloud Guard Policies
Details for Container Engine for Kubernetes
Details for the Core Services (this includes Networking, Compute, and Block Volume)
Content Management: See Service Policies
Data Catalog: See Data Catalog Policies
Data Flow: See Data Flow Policies
Data Integration: See Data Integration Policies
Data Labeling: See Data Labeling Policies
Data Safe: See IAM Policies
Data Science: See Data Science Policies
Details for the Database Service
Details for Database Management
Database Migration: See Database Migration Policies
Database Tools: See Database Tools Policies
DevOps: See DevOps Policies
Digital Assistant: See Digital Assistant Policies
Details for the DNS Service
Details for the Email Delivery Service
Details for the Events Service
Details for the File Storage Service
Details for Functions
GoldenGate: See Oracle Cloud Infrastructure GoldenGate Policies
Details for the Health Checks Service
Details for IAM without Identity Domains
Details for the Java Management Service
Integration: See IAM Policy Details for Oracle Integration
Details for Load Balancing
Details for Logging Analytics
Details for Management Agent
Details for Management Dashboard
Details for the Marketplace Service
Details for Monitoring
MySQL Database: See Policy Details for MySQL Database Service
NoSQL Database Cloud: See Details for NoSQL Database Cloud
Details for Network Load Balancer
Details for the Notifications Service
Details for Object Storage, Archive Storage, and Data Transfer
Details for Operations Insights
OS Management: See OS Management Policy Reference
Details for the Quotas Service
Details for Container Registry
Details for Resource Manager
Details for the Search Service
Security Zones: See Security Zone IAM Policies
Details for Service Connector Hub
Details for the Streaming Service
Details for the Vault Service
Details for Oracle Cloud VMware Solution
Vulnerability Scanning: See Scanning Policies
Visual Builder: See IAM Policy Details for Visual Builder
Details for the WAF Service

For instructions on how to create and manage policies using the Console or API, see Managing Policies.

Verbs

The verbs are listed in order of least amount of ability to most. The exact meaning of a each verb depends on which resource-type it's paired with. The tables later in this section show the API operations covered by each combination of verb and resource-type.


Verb	Types of Access Covered	Target User
`inspect`	Ability to list resources, without access to any confidential information or user-specified metadata that may be part of that resource. Important: The operation to list policies includes the contents of the policies themselves, and the list operations for the Networking resource-types return all the information (e.g., the contents of security lists and route tables).	Third-party auditors
`read`	Includes `inspect` plus the ability to get user-specified metadata and the actual resource itself.	Internal auditors
`use`	Includes `read` plus the ability to work with existing resources (the actions vary by resource type). Includes the ability to update the resource, except for resource-types where the "update" operation has the same effective impact as the "create" operation (e.g., `UpdatePolicy`, `UpdateSecurityList`, etc.), in which case the "update" ability is available only with the `manage` verb. In general, this verb does not include the ability to create or delete that type of resource.	Day-to-day end users of resources
`manage`	Includes all permissions for the resource.	Administrators

Resource-Types

The family resource-types are listed below. For the individual resource-types that make up each family, follow the links.

all-resources: All Oracle Cloud Infrastructure resource-types
cluster-family: See Details for Container Engine for Kubernetes
compute-management-family: See Details for the Core Services
data-catalog-family: See Data Catalog Policies
database-family: See Details for the Database Service
dns: See Details for the DNS Service
email-family: See Details for the Email Delivery Service
file-family: See Details for the File Storage Service
instance-agent-command-family : See Details for the Core Services
instance-agent-family: See Details for the Core Services
instance-family: See Details for the Core Services
object-family: See Details for Object Storage, Archive Storage, and Data Transfer
optimizer-api-family: See Policy Details for Cloud Advisor
virtual-network-family: See Details for the Core Services
volume-family: See Details for the Core Services

IAM has no family resource-type, only individual ones. See Details for IAM without Identity Domains.

General Variables for All Requests

You use variables when adding conditions to a policy. For more information, see Conditions. Here are the general variables applicable to all requests.


Name	Type	Description
`request.user.id`	Entity (OCID)	The OCID of the requesting user.
`request.user.mfaTotpVerified`	Boolean	Whether the user has been verified by multi-factor authentication (MFA). To restrict access to only MFA-verified users, add the condition `where request.user.mfaTotpVerified='true'` See Managing Multi-Factor Authentication for information on setting up MFA.
`request.groups.id`	List of entities (OCIDs)	The OCIDs of the groups the requesting user is in.
`request.permission`	String	The underlying permission being requested (see Permissions).
`request.operation`	String	The API operation name being requested (for example, ListUsers).
`request.networkSource.name`	String	The name of the network source group that specifies allowed IP addresses the request may come from. See Managing Network Sources for information.
`request.utc-timestamp`	String	The UTC time that the request is submitted, specified in ISO 8601 format. See Restricting Access to Resources Based on Time Frame for more information.
`request.utc-timestamp.month-of-year`	String	The month that the request is submitted in, specified in numeric ISO 8601 format (for example, '1', '2', '3', ... '12'). See Restricting Access to Resources Based on Time Frame for more information.
`request.utc-timestamp.day-of-month`	String	The day of the month that the request is submitted in, specified in numeric format '1' - '31'. See Restricting Access to Resources Based on Time Frame for more information.
`request.utc-timestamp.day-of-week`	String	The day of the week that the request is submitted in, specified in English (for example, 'Monday', 'Tuesday', 'Wednesday', etc.). See Restricting Access to Resources Based on Time Frame for more information.
`request.utc-timestamp.time-of-day`	String	The UTC time interval that request is submitted during, in ISO 8601 format (for example, '01:00:00Z' AND '02:01:00Z'). See Restricting Access to Resources Based on Time Frame for more information.
`request.region`	String	The 3-letter key for the region the request is made in. Allowed values are: AMS - use for Netherlands Northwest (Amsterdam) ARN - use for Sweden Central (Stockholm) AUH - use for UAE Central (Abu Dhabi) BOM - use for India West (Mumbai) CWL - use for UK West (Newport) DXB - use for UAE East (Dubai) FRA - use for Germany Central (Frankfurt) GRU - use for Brazil East (Sao Paulo) HYD - use for India South (Hyderabad) IAD - use for US East (Ashburn) ICN - use for South Korea Central (Seoul) JED - use for Saudi Arabia West (Jeddah) JNB - use for South Africa Central (Johannesburg) KIX - use for Japan Central (Osaka) LHR - use for UK South (London) LIN - use for Italy Northwest (Milan) MEL - use for Australia Southeast (Melbourne) MRS - use for France South (Marseille) MTZ - use for Israel Central (Jerusalem) NRT - use for Japan East (Tokyo) PHX - use for US West (Phoenix) SCL - use for Chile (Santiago) SIN - use for Singapore (Singapore) SJC - use for US West (San Jose) SYD - use for Australia East (Sydney) VCP - use for Brazil Southeast (Vinhedo) YNY - use for South Korea North (Chuncheon) YUL - use for Canada Southeast (Montreal) YYZ - use for Canada Southeast (Toronto) ZRH - use for Switzerland North (Zurich)
`request.ad`	String	The name of the availability domain the request is made in. To get a list of availability domain names, use the ListAvailabilityDomains operation.
`request.principal.compartment.tag`	String	The tags applied to the compartment that the requesting resource belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.
`request.principal.group.tag`	String	The tags applied to the groups that the user belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.
`target.compartment.name`	String	The name of the compartment specified in `target.compartment.id`.
`target.compartment.id`	Entity (OCID)	The OCID of the compartment containing the primary resource. Note: `target.compartment.id` and `target.compartment.name` cannot be used with a "List" API operation to filter the list based on the requesting user's access to the compartment.
`target.resource.compartment.tag`	String	The tag applied to the target compartment of the request is evaluated. For usage instructions, see Using Tags to Manage Access.
`target.resource.tag`	String	The tag applied to the target resource of the request is evaluated. For usage instructions, see Using Tags to Manage Access.

Oracle Cloud Infrastructure Documentation

Policy Reference

Verbs

Resource-Types

General Variables for All Requests