General Variables for All Requests

You use variables when adding conditions to a policy. For more information, see Conditions. Here are the general variables applicable to all requests.

Name Type Description
request.user.id Entity (OCID) The OCID of the requesting user.
request.user.name String Name of the requesting user.
request.user.mfaTotpVerified Boolean

Whether the user has been verified by multi-factor authentication (MFA). To restrict access to only MFA-verified users, add the condition:

where request.user.mfaTotpVerified='true'

See Managing Multi-Factor Authentication for information on setting up MFA.

request.groups.id List of entities (OCIDs) The OCIDs of the groups the requesting user is in.
request.permission String The underlying permission being requested (see Permissions).
request.operation String The API operation name being requested (for example, ListUsers).
request.networkSource.name String The name of the network source group that specifies allowed IP addresses the request may come from. See Managing Network Sources for information.
request.utc-timestamp String The UTC time that the request is submitted, specified in ISO 8601 format. See Restricting Access to Resources Based on Time Frame for more information.
request.utc-timestamp.month-of-year String The month that the request is submitted in, specified in numeric ISO 8601 format (for example, '1', '2', '3', ... '12'). See Restricting Access to Resources Based on Time Frame for more information.
request.utc-timestamp.day-of-month String The day of the month that the request is submitted in, specified in numeric format '1' - '31'. See Restricting Access to Resources Based on Time Frame for more information.
request.utc-timestamp.day-of-week String The day of the week that the request is submitted in, specified in English (for example, 'Monday', 'Tuesday', 'Wednesday', etc.). See Restricting Access to Resources Based on Time Frame for more information.
request.utc-timestamp.time-of-day String The UTC time interval that the request is submitted during, in ISO 8601 format (for example, '01:00:00Z' AND '02:01:00Z'). See Restricting Access to Resources Based on Time Frame for more information.
request.region String

The 3-letter key for the region the request is made in. Allowed values are:

Note: For quota policies, the region name must be specified instead of the following 3-letter key values. Also see Sample Quotas for more information.
  • AMS - use for Netherlands Northwest (Amsterdam)
  • ARN - use for Sweden Central (Stockholm)
  • AUH - use for UAE Central (Abu Dhabi)
  • BOM - use for India West (Mumbai)
  • CDG - use for France Central (Paris)
  • CWL - use for UK West (Newport)
  • DXB - use for UAE East (Dubai)
  • FRA - use for Germany Central (Frankfurt)
  • GRU - use for Brazil East (Sao Paulo)
  • HYD - use for India South (Hyderabad)
  • IAD - use for US East (Ashburn)
  • ICN - use for South Korea Central (Seoul)
  • JED - use for Saudi Arabia West (Jeddah)
  • JNB - use for South Africa Central (Johannesburg)
  • KIX - use for Japan Central (Osaka)
  • LHR - use for UK South (London)
  • LIN - use for Italy Northwest (Milan)
  • MAD - use for Spain Central (Madrid)
  • MEL - use for Australia Southeast (Melbourne)
  • MRS - use for France South (Marseille)
  • MTZ - use for Israel Central (Jerusalem)
  • NRT - use for Japan East (Tokyo)
  • PHX - use for US West (Phoenix)
  • QRO - use for Mexico Central (Queretaro)
  • SCL - use for Chile (Santiago)
  • SIN - use for Singapore (Singapore)
  • SJC - use for US West (San Jose)
  • SYD - use for Australia East (Sydney)
  • VCP - use for Brazil Southeast (Vinhedo)
  • YNY - use for South Korea North (Chuncheon)
  • YUL - use for Canada Southeast (Montreal)
  • YYZ - use for Canada Southeast (Toronto)
  • ZRH - use for Switzerland North (Zurich)
request.ad String The name of the availability domain the request is made in. To get a list of availability domain names, use the ListAvailabilityDomains operation.
request.principal.compartment.tag String The tags applied to the compartment that the requesting resource belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.
request.principal.group.tag String The tags applied to the groups that the user belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.
target.compartment.name String The name of the compartment specified in target.compartment.id.
target.compartment.id Entity (OCID)

The OCID of the compartment containing the primary resource.

Note: target.compartment.id and target.compartment.name cannot be used with a "List" API operation to filter the list based on the requesting user's access to the compartment.

target.resource.compartment.tag String The tag applied to the target compartment of the request is evaluated. For usage instructions, see Using Tags to Manage Access.
target.resource.tag String The tag applied to the target resource of the request is evaluated. For usage instructions, see Using Tags to Manage Access.
target.workrequest.type String The work request type, for example:
  • CREATE_ENVIRONMENT
  • UPDATE_ENVIRONMENT
  • DELETE_ENVIRONMENT
  • MOVE_ENVIRONMENT
  • CREATE_OCB_AGENT
  • UPDATE_OCB_AGENT
  • DELETE_OCB_AGENT
  • MOVE_OCB_AGENT
  • CREATE_AGENT_DEPENDENCY
  • UPDATE_AGENT_DEPENDENCY
  • DELETE_AGENT_DEPENDENCY
  • MOVE_AGENT_DEPENDENCY
  • CREATE_INVENTORY
  • DELETE_INVENTORY
  • IMPORT_INVENTORY
  • DELETE_ASSET_SOURCE
  • REFRESH_ASSET_SOURCE
  • CREATE_ASSET_SOURCE
  • UPDATE_ASSET_SOURCE
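
A mistyped variable name, or a region name written where the 3-letter key belongs, is easy to miss when a policy is reviewed. The following Python check is an added example, not Oracle's code: it compares the variables in a statement's where clause against the table above. The statements in SAMPLES are constructed, the parsing is simplified, and the `.<namespace>.<key>` suffix on tag variables and the case-insensitive region comparison are assumptions.

```python
import re

# Variable names copied from the table above.
GENERAL_VARS = set("""
request.user.id request.user.name request.user.mfaTotpVerified request.groups.id
request.permission request.operation request.networkSource.name request.utc-timestamp
request.utc-timestamp.month-of-year request.utc-timestamp.day-of-month
request.utc-timestamp.day-of-week request.utc-timestamp.time-of-day request.region
request.ad request.principal.compartment.tag request.principal.group.tag
target.compartment.name target.compartment.id target.resource.compartment.tag
target.resource.tag target.workrequest.type""".split())
# 3-letter region keys from the request.region row.
REGION_KEYS = set("""AMS ARN AUH BOM CDG CWL DXB FRA GRU HYD IAD ICN JED JNB KIX LHR LIN
MAD MEL MRS MTZ NRT PHX QRO SCL SIN SJC SYD VCP YNY YUL YYZ ZRH""".split())

NAME = re.compile(r"\b(?:request|target)\.[A-Za-z0-9_.\-]+")
QUOTED = re.compile(r"\s*!?=\s*'([^']*)'")  # = or != followed by a quoted value

def is_general(name):
    # Assumption: tag variables are followed by .<namespace>.<key>.
    return name in GENERAL_VARS or any(
        name.startswith(v + ".") for v in GENERAL_VARS if v.endswith(".tag"))

def lint(statement):
    """Return findings for the condition variables in one policy statement."""
    parts = re.split(r"\bwhere\b", statement, maxsplit=1, flags=re.I)
    where = parts[1] if len(parts) == 2 else ""
    findings = []
    for m in NAME.finditer(where):
        name = m.group(0)
        cmp = QUOTED.match(where, m.end())
        value = cmp.group(1) if cmp else None
        if not is_general(name):
            findings.append(f"{name}: not in the general variable table")
        elif name == "request.region" and value is not None:
            # Case handling is not stated on the page; compared case-insensitively.
            if value.upper() not in REGION_KEYS:
                findings.append(f"request.region: '{value}' is not a 3-letter region key")
        elif name == "request.user.mfaTotpVerified" and value not in (None, "true", "false"):
            findings.append(f"{name}: '{value}' is not a Boolean value")
    return findings

# Constructed sample statements (group and compartment names are made up).
SAMPLES = [
    "Allow group Admins to manage all-resources in tenancy where request.user.mfaTotpVerified='true'",
    "Allow group Ops to manage instance-family in compartment Prod where all {request.user.mfaVerified='true', request.region='us-phoenix-1'}",
    "Allow group Ops to use instances in compartment Prod where all {request.region='PHX', request.principal.group.tag.Ops.Team='blue'}",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(lint(s) or "ok", "<-", s)
```

Variables that belong to a specific service are outside this table, so a "not in the general variable table" finding on one of those calls for a look at that service's reference, not necessarily a correction.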