Policy Reference
This reference includes:
- Verbs: A list of the available actions to pair with a resource-type
- Resource-Types: A list of the main resource-types
- General Variables for All Requests: Variables you can use when writing policies for any resource-type
- Analytics Cloud: See Give Users Permissions to Manage Analytics Cloud Instances
- Details for the Announcements Service
- Details for API Gateway
- Application Migration: See Manage Service Access and Security
- Details for the Audit Service
- Big Data: See Understand Big Data Service Resources and Permissions in IAM Policies
- Blockchain Platform: See About Permissions and Policies to Manage Oracle Blockchain Platform
- Cloud Guard: See Cloud Guard Policies
- Details for Container Engine for Kubernetes
- Details for the Core Services (this includes Networking, Compute, and Block Volume)
- Content and Experience: See Service Policies
- Data Catalog: See Data Catalog Policies
- Data Flow: See Data Flow Policies
- Data Integration: See Data Integration Policies
- Data Safe: See IAM Policies
- Data Science: See Data Science Policies
- Details for the Database Service
- Digital Assistant: See Digital Assistant Policies
- Details for the DNS Service
- Details for the Email Service
- Details for the Events Service
- Details for the File Storage Service
- Details for Functions
- Details for the Health Checks Service
- Details for IAM
- Integration: See IAM Policy Details for Oracle Integration
- Details for Load Balancing
- Details for Logging Analytics
- Details for Management Agent
- Details for Management Dashboard
- Details for the Marketplace Service
- Details for Monitoring
- MySQL Database: See Policy Details for MySQL Database Service
- NoSQL Database Cloud: See Details for NoSQL Database Cloud
- Details for the Notifications Service
- Details for Object Storage, Archive Storage, and Data Transfer
- Details for Operations Insights
- OS Management: See OS Management Policy Reference
- Details for Registry
- Details for Resource Manager
- Details for the Search Service
- Security Zones: See Security Zone IAM Policies
- Details for the Streaming Service
- Details for the Vault Service
- Details for the WAF Service
For instructions on how to create and manage policies using the Console or API, see Managing Policies.
Verbs
The verbs are listed in order of least ability to most. The exact meaning of each verb depends on which resource-type it's paired with. The tables later in this section show the API operations covered by each combination of verb and resource-type.
Verb | Types of Access Covered | Target User
---|---|---
inspect | Ability to list resources, without access to any confidential information or user-specified metadata that may be part of that resource. Important: The operation to list policies includes the contents of the policies themselves, and the list operations for the Networking resource-types return all the information (e.g., the contents of security lists and route tables). | Third-party auditors
read | Includes inspect plus the ability to get user-specified metadata and the actual resource itself. | Internal auditors
use | Includes read plus the ability to work with existing resources (the actions vary by resource type). Includes the ability to update the resource, except for resource-types where the "update" operation has the same effective impact as the "create" operation (e.g., UpdatePolicy, UpdateSecurityList, etc.), in which case the "update" ability is available only with the manage verb. In general, this verb does not include the ability to create or delete that type of resource. | Day-to-day end users of resources
manage | Includes all permissions for the resource. | Administrators
Resource-Types
The family resource-types are listed below. For the individual resource-types that make up each family, follow the links.
all-resources
: All Oracle Cloud Infrastructure resource-types
cluster-family
: See Details for Container Engine for Kubernetes
compute-management-family
: See Details for the Core Services
data-catalog-family
: See Data Catalog Policies
database-family
: See Details for the Database Service
dns
: See Details for the DNS Service
file-family
: See Details for the File Storage Service
instance-family
: See Details for the Core Services
object-family
: See Details for Object Storage, Archive Storage, and Data Transfer
virtual-network-family
: See Details for the Core Services
volume-family
: See Details for the Core Services
IAM has no family resource-type, only individual ones. See Details for IAM.
General Variables for All Requests
You use variables when adding conditions to a policy. For more information, see Conditions. Here are the general variables applicable to all requests.
Name | Type | Description
---|---|---
request.user.id | Entity (OCID) | The OCID of the requesting user.
request.user.mfaTotpVerified | Boolean | Whether the user has been verified by multi-factor authentication (MFA). To restrict access to only MFA-verified users, add the condition. See Managing Multi-Factor Authentication for information on setting up MFA.
request.groups.id | List of entities (OCIDs) | The OCIDs of the groups the requesting user is in.
request.permission | String | The underlying permission being requested (see Permissions).
request.operation | String | The API operation name being requested (for example, ListUsers).
request.networkSource.name | String | The name of the network source group that specifies allowed IP addresses the request may come from. See Managing Network Sources for information.
request.region | String | The 3-letter key for the region the request is made in. Allowed values are:
request.ad | String | The name of the availability domain the request is made in. To get a list of availability domain names, use the ListAvailabilityDomains operation.
request.principal.compartment.tag | String | The tags applied to the compartment that the requesting resource belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.
request.principal.group.tag | String | The tags applied to the groups that the user belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.
target.compartment.name | String | The name of the compartment specified in target.compartment.id.
target.compartment.id | Entity (OCID) | The OCID of the compartment containing the primary resource. Note:
target.resource.compartment.tag | | The tag applied to the target compartment of the request is evaluated. For usage instructions, see Using Tags to Manage Access.
target.resource.tag | | The tag applied to the target resource of the request is evaluated. For usage instructions, see Using Tags to Manage Access.
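As an added illustration (not Oracle's policy engine and not its full statement syntax), the following Python models the verb hierarchy from the Verbs table and evaluates a few of the general request variables above (request.user.mfaTotpVerified, request.networkSource.name, target.compartment.name) against a constructed policy. The simplified statement grammar, the `groups` key in the request dict, and the group and compartment names are assumptions for the demo.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # least to most ability

# Simplified grammar (assumption): Allow group <G> to <verb> <type> in compartment <C> [where <cond>]
STMT = re.compile(r"Allow group (?P<group>\S+) to (?P<verb>\S+) (?P<rtype>\S+) "
                  r"in compartment (?P<comp>\S+)(?: where (?P<cond>.+))?$")
COND = re.compile(r"(?P<var>[\w.]+)\s*=\s*'(?P<val>[^']*)'")

def parse(statement):
    m = STMT.match(statement.strip())
    if not m or m["verb"] not in VERBS:
        raise ValueError(f"unsupported statement: {statement!r}")
    return m.groupdict()

def cond_holds(cond, request):
    """Every var = 'value' clause (single, or inside all {...}) must match a
    request variable; an absent variable never matches, so it fails closed."""
    body = cond.strip()
    if body.startswith("all"):
        body = body[body.index("{") + 1:body.rindex("}")]
    clauses = COND.findall(body)
    if not clauses:
        raise ValueError(f"unsupported condition: {cond!r}")
    return all(str(request.get(v, "")).lower() == val.lower() for v, val in clauses)

def allowed(statements, request):
    """True if some statement grants request['verb'] on request['rtype'] in the
    target compartment to one of the caller's groups; a verb covers all below it."""
    need = VERBS.index(request["verb"])
    for s in map(parse, statements):
        if s["group"] not in request["groups"]:
            continue
        if (s["rtype"], s["comp"]) != (request["rtype"], request["target.compartment.name"]):
            continue
        if VERBS.index(s["verb"]) < need:
            continue  # e.g. a 'read' grant does not cover a 'use' request
        if s["cond"] and not cond_holds(s["cond"], request):
            continue
        return True
    return False

# Constructed sample policy; group and compartment names are made up.
POLICY = [
    "Allow group Auditors to inspect database-family in compartment Prod",
    "Allow group DBUsers to use database-family in compartment Prod "
    "where request.user.mfaTotpVerified = 'true'",
    "Allow group DBAdmins to manage database-family in compartment Prod where all "
    "{request.user.mfaTotpVerified = 'true', request.networkSource.name = 'corpnet'}",
]
```

Note that the model does not reproduce the "update equals create" exception for use described in the Verbs table; the real engine decides that per resource-type.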