Application Dependency Management IAM Policies
Create IAM policies to control who has access to Application Dependency Management resources, and to control the type of access for each group of users.
Before you can control access to Application Dependency Management resources such as knowledge bases and vulnerability audits, you must create users and place them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control the access (see Managing Policies).
By default, users in the Administrators group have access to all the Application Dependency Management resources. If you are new to IAM policies, see Getting Started with Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.
This section explains the following topics:
- Resource Types and Permissions
- Supported Variables
- Details for Verb + Resource Type Combination
- Creating a Policy
- Policy Examples
Resource Types and Permissions
List of Application Dependency Management resource types and associated permissions.
To assign permissions to all Application Dependency Management resources, use the adm-family aggregate type. For more information, see Permissions.
A policy that uses <verb> adm-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.
| Resource Type | Permissions |
|---|---|
| adm-vulnerability-audits | |
| adm-knowledge-bases | |
| adm-work-requests | |
Supported Variables
Variables are used when adding conditions to a policy.
Application Dependency Management supports the following variables:
- Entity: Oracle Cloud Identifier (OCID)
- String: Free-form text.
- Number: Numeric value (arbitrary precision)
- List: List of Entity, String, or Number
- Boolean: True or False
See General Variables for All Requests.
Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.
Required variables are supplied by the DevOps service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).
| Required Variables | Type | Description |
|---|---|---|
| target.compartment.id | Entity (OCID) | The OCID of the primary resource for the request. |
| request.operation | String | The operation ID (for example, GetUser) for the request. |
| target.resource.kind | String | The resource kind name of the primary resource for the request. |
| Automatic Variables | Type | Description |
|---|---|---|
| request.user.id | Entity (OCID) | The OCID of the requesting user. |
| request.groups.id | List of entities (OCIDs) | The OCIDs of the groups the requesting user is in. |
| target.compartment.name | String | The name of the compartment specified in target.compartment.id. |
| target.tenant.id | Entity (OCID) | The OCID of the target tenant ID. |
Here's a list of available sources for the variables:
- Request: Comes from the request input.
- Derived: Comes from the request.
- Stored: Comes from the service, retained input.
- Computed: Computed from service data.
| Resource Type | Variable | Type | Source | Description |
|---|---|---|---|---|
| adm-knowledge-bases | target.adm-knowledge-bases.id | Entity | Stored | Available for Get, Update, Delete, and Move operations on the Vulnerability Audit resource. |
| adm-knowledge-bases | target.adm-knowledge-base.display-name | String | Stored | Display Name of the Knowledge Base. |
| adm-vulnerability-audits | target.adm-vulnerability-audits.id | Entity | Stored | Available for Get, Update, Delete, and Move operations on the Vulnerability Audit resource. |
| adm-vulnerability-audits | target.adm-vulnerability-audits.display-name | String | Stored | Display Name of the Vulnerability Audit. |
| adm-vulnerability-audits | target.adm-vulnerability-audits.knowledge-base-id | Entity | Stored | Knowledge Base associated with the Vulnerability Audit. |
| adm-work-requests | target.adm-work-requests.id | Entity | Stored | Available for Get, Update, Delete, and Move operations on the Vulnerability Audit resource. |
| adm-work-requests | target.adm-work-requests.operation-type | String | Stored | Allowed values: CREATE_KNOWLEDGE_BASE, DELETE_KNOWLEDGE_BASE, MOVE_KNOWLEDGE_BASE, UPDATE_KNOWLEDGE_BASE |
Details for Verb + Resource Type Combinations
Identify the permissions and API operations covered by each verb for Application Dependency Management resources.
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
For information about granting access, see Permissions.
adm-knowledge-bases
This table lists the permissions and the APIs that are fully covered by the permissions, for the adm-knowledge-bases resource.
| Verbs | Permissions | APIs covered | Description |
|---|---|---|---|
| inspect | ADM_KNOWLEDGE_BASE_INSPECT | ListKnowledgeBases | List all the knowledge base resources in a compartment. |
| use | | | Update a specific knowledge base. |
| read | | | Get a specific knowledge base by ID. |
| manage | | | Create a knowledge base resource. |
| manage | | | Delete a specific knowledge base. |
| manage | | | Move a knowledge base to a different compartment. |
adm-vulnerability-audits
This table lists the permissions and the APIs that are fully covered by the permissions, for the adm-vulnerability-audits resource.
| Verbs | Permissions | APIs covered | Description |
|---|---|---|---|
| inspect | ADM_VULNERABILITY_AUDIT_INSPECT | ListVulnerabilityAudits | List all the vulnerability audit resources in a compartment. |
| read | | | Get a specific vulnerability audit by ID. |
| use | | | Update a specific vulnerability audit. |
| manage | | | Create a vulnerability audit resource. |
| manage | | | Delete a specific vulnerability audit. |
| manage | | | Move a vulnerability audit to a different compartment. |
adm-work-requests
This table lists the permissions and the APIs that are fully covered by the permissions, for the adm-work-requests resource.
| Verbs | Permissions | APIs covered | Description |
|---|---|---|---|
| inspect | ADM_WORK_REQUEST_INSPECT | ListWorkRequests | List all the work request resources in a compartment. |
| read | | | Get a specific work request by ID. |
| use | | | Cancel a specific work request. |
Creating a Policy
Here's how you create a policy in the Oracle Cloud Console:
- Open the navigation menu and click Identity & Security. Under Identity, click Policies.
- Click Create Policy.
- Enter a name and description for the policy.
- Under Policy Builder, click the Show manual editor switch to enable the editor. Enter a policy rule in the following format (the subject comes first, then the verb, then the resource type):
allow group <group-name> to <verb> <resource-type> in <compartment or tenancy details>
- Click Create.
For more information about creating policies, see How Policies Work and Policy Reference.
Policy Examples
The following Application Dependency Management policies are required for using Application Dependency Management resources such as knowledge bases and vulnerability audits.
Knowledge Base Policies
Policy examples for creating your own knowledge base and creating vulnerability audits associated with it.
Allow group <group-name> to manage adm-knowledge-bases in compartment <compartment_name>
Allow group <group-name> to use adm-knowledge-bases in compartment <compartment_name>
Allow group <group-name> to manage adm-vulnerability-audits in compartment <compartment_name>
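The following is an added, self-contained example and not Oracle's code or the OCI authorization engine. It ties together the adm-family equivalence, the cumulative verb order (inspect, read, use, manage), the conditional variables (such as target.adm-work-requests.operation-type) and the policy statements above: it parses statements in the page's "Allow group ... to <verb> <resource-type> in compartment|tenancy" form, expands adm-family into the three individual ADM resource types, rejects resource types that are not ADM types (a misspelt type such as the singular adm-vulnerability-audit would simply never grant anything), and answers whether a group holds a given verb on a resource in a compartment. The optional where clause and the any {...} / all {...} grouping follow OCI's general policy syntax, which this page does not show; group and compartment names are constructed placeholders. Treat a variable missing from the request as a failed condition is a simplification chosen here, not a statement about OCI's engine.

```python
"""Evaluator for OCI-style IAM policy statements limited to the ADM resource
types on this page. Constructed example; not OCI code and not an SDK."""
import re

# Verb ordering from the page: access is cumulative, inspect < read < use < manage.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# The three individual ADM resource types; adm-family aggregates all of them.
ADM_RESOURCE_TYPES = frozenset(
    {"adm-knowledge-bases", "adm-vulnerability-audits", "adm-work-requests"}
)
ADM_FAMILY = "adm-family"

# Allow group <group> to <verb> <resource-type> in compartment <name> | in tenancy [where ...]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|tenancy)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)
# One condition: <variable> = 'value' or <variable> != 'value'
COND_RE = re.compile(r"^\s*(?P<var>[\w.\-]+)\s*(?P<op>!=|=)\s*'(?P<val>[^']*)'\s*$")


def parse_where(text):
    """Parse `cond`, `any {c1, c2}` or `all {c1, c2}` into (mode, [(var, op, value)]).
    Values containing a comma are not supported by this simple splitter."""
    m = re.match(r"^\s*(any|all)\s*\{(.*)\}\s*$", text, re.IGNORECASE | re.DOTALL)
    mode, body = (m[1].lower(), m[2]) if m else ("all", text)
    conds = []
    for part in body.split(","):
        c = COND_RE.match(part)
        if not c:
            raise ValueError(f"unrecognised condition: {part!r}")
        conds.append((c["var"].lower(), c["op"], c["val"]))
    return mode, conds


def parse_statement(text):
    """Parse one statement; adm-family expands to every individual ADM resource type.
    Any resource type that is not one of the page's ADM types is rejected."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised statement: {text!r}")
    resource = m["resource"].lower()
    if resource == ADM_FAMILY:
        resources = set(ADM_RESOURCE_TYPES)
    elif resource in ADM_RESOURCE_TYPES:
        resources = {resource}
    else:
        raise ValueError(f"not an ADM resource type: {resource!r}")
    return {
        "group": m["group"],
        "verb": m["verb"].lower(),
        "resources": resources,
        "compartment": m["compartment"],  # None means the statement is tenancy-wide
        "where": parse_where(m["where"]) if m["where"] else None,
    }


def condition_holds(where, context):
    """Evaluate a parsed where clause against request variables.
    `context` maps lowercase variable names to values; a variable absent from the
    request makes its condition false (conservative simplification)."""
    if where is None:
        return True
    mode, conds = where
    results = []
    for var, op, val in conds:
        actual = context.get(var)
        if actual is None:
            results.append(False)
        else:
            results.append(actual == val if op == "=" else actual != val)
    return all(results) if mode == "all" else any(results)


def is_allowed(statements, group, verb, resource, compartment, context=None):
    """True if some parsed statement grants `verb` on `resource` to `group` in
    `compartment`. A stronger verb covers a weaker one (manage covers read) and a
    tenancy-wide statement covers every compartment."""
    context = context or {}
    for st in statements:
        if st["group"] != group or resource not in st["resources"]:
            continue
        if st["compartment"] is not None and st["compartment"] != compartment:
            continue
        if VERB_RANK[st["verb"]] < VERB_RANK[verb]:
            continue
        if condition_holds(st["where"], context):
            return True
    return False


# Constructed sample policy: group and compartment names are placeholders.
SAMPLE_POLICY = [
    "Allow group adm-admins to manage adm-family in compartment Dev",
    "Allow group adm-users to use adm-knowledge-bases in compartment Dev",
    "Allow group adm-users to manage adm-vulnerability-audits in compartment Dev",
    "Allow group adm-auditors to read adm-work-requests in tenancy "
    "where target.adm-work-requests.operation-type = 'DELETE_KNOWLEDGE_BASE'",
]


def load_policy(lines):
    """Parse a list of statement strings into the structures is_allowed() consumes."""
    return [parse_statement(line) for line in lines]
```

With the sample policy loaded, adm-users can read adm-knowledge-bases in Dev (use includes read) but cannot manage them, adm-admins hold manage on all three ADM types in Dev but nothing in any other compartment, and adm-auditors can read a work request anywhere only when its operation-type is DELETE_KNOWLEDGE_BASE.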