Application Dependency Management IAM Policies

Create IAM policies to control who has access to Application Dependency Management resources, and to control the type of access for each group of users.

Before you can control access to Application Dependency Management resources such as knowledge bases and vulnerability audits, you must create users and place them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control the access (see Managing Policies).

By default, users in the Administrators group have access to all the Application Dependency Management resources. If you are new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

This section explains the following topics:

  • Resource Types and Permissions
  • Supported Variables
  • Details for Verb + Resource Type Combination
  • Creating a Policy
  • Policy Examples

Resource Types and Permissions

List of Application Dependency Management resource types and associated permissions.

To assign permissions to all Application Dependency Management resources, use the adm-family aggregate type. For more information, see Permissions.

A policy that uses <verb> adm-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Resource Type Permissions
adm-vulnerability-audits
  • ADM_VULNERABILITY_AUDIT_INSPECT
  • ADM_VULNERABILITY_AUDIT_CREATE
  • ADM_VULNERABILITY_AUDIT_READ
  • ADM_VULNERABILITY_AUDIT_DELETE
  • ADM_VULNERABILITY_AUDIT_UPDATE
  • ADM_VULNERABILITY_AUDIT_MOVE
adm-knowledge-bases
  • ADM_KNOWLEDGE_BASE_INSPECT
  • ADM_KNOWLEDGE_BASE_CREATE
  • ADM_KNOWLEDGE_BASE_DELETE
  • ADM_KNOWLEDGE_BASE_READ
  • ADM_KNOWLEDGE_BASE_UPDATE
  • ADM_KNOWLEDGE_BASE_MOVE
adm-work-requests
  • ADM_WORK_REQUEST_INSPECT
  • ADM_WORK_REQUEST_READ
  • ADM_WORK_REQUEST_CANCEL

Supported Variables

Variables are used when adding conditions to a policy.

Application Dependency Management supports the following variable types:

  • Entity: Oracle Cloud Identifier (OCID)
  • String: Free-form text.
  • Number: Numeric value (arbitrary precision)
  • List: List of Entity, String, or Number
  • Boolean: True or False

See General Variables for All Requests.

Variable names are lowercase and hyphen-separated, for example target.tag-namespace.name and target.display-name. Here name must be unique, and display-name is the description.

Required variables are supplied by the DevOps service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).

Required variables

  Variable               Type           Description
  target.compartment.id  Entity (OCID)  The OCID of the primary resource for the request.
  request.operation      String         The operation ID (for example, GetUser) for the request.
  target.resource.kind   String         The resource kind name of the primary resource for the request.

Automatic variables

  Variable                 Type                      Description
  request.user.id          Entity (OCID)             The OCID of the requesting user.
  request.groups.id        List of entities (OCIDs)  The OCIDs of the groups the requesting user is in.
  target.compartment.name  String                    The name of the compartment specified in target.compartment.id.
  target.tenant.id         Entity (OCID)             The OCID of the target tenant ID.

Here's a list of available sources for the variables:

  • Request: Comes from the request input.
  • Derived: Comes from the request.
  • Stored: Comes from the service, retained input.
  • Computed: Computed from service data.

Mapping Variables with Resource Types

Each variable is listed as variable (type, source): description.

adm-knowledge-bases
  • target.adm-knowledge-bases.id (Entity, Stored): Available for Get, Update, Delete, and Move operations on the Vulnerability Audit resource.
  • target.adm-knowledge-base.display-name (String, Stored): Display Name of the Knowledge Base.
adm-vulnerability-audits
  • target.adm-vulnerability-audits.id (Entity, Stored): Available for Get, Update, Delete, and Move operations on the Vulnerability Audit resource.
  • target.adm-vulnerability-audits.display-name (String, Stored): Display Name of the Vulnerability Audit.
  • target.adm-vulnerability-audits.knowledge-base-id (Entity, Stored): Knowledge Base associated with the Vulnerability Audit.
adm-work-requests
  • target.adm-work-requests.id (Entity, Stored): Available for Get, Update, Delete, and Move operations on the Vulnerability Audit resource.
  • target.adm-work-requests.operation-type (String, Stored): Allowed values: CREATE_KNOWLEDGE_BASE, DELETE_KNOWLEDGE_BASE, MOVE_KNOWLEDGE_BASE, UPDATE_KNOWLEDGE_BASE.

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for Application Dependency Management resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

adm-knowledge-bases

This table lists the permissions and the APIs that are fully covered by the permissions, for the adm-knowledge-bases resource.

  Verb     Permissions                         APIs covered                            Description
  inspect  ADM_KNOWLEDGE_BASE_INSPECT          ListKnowledgeBases                      List all the knowledge base resources in a compartment.
  read     inspect+ ADM_KNOWLEDGE_BASE_READ    inspect+ GetKnowledgeBase               Get a specific knowledge base by ID.
  use      read+ ADM_KNOWLEDGE_BASE_UPDATE     read+ UpdateKnowledgeBase               Update a specific knowledge base.
  manage   use+ ADM_KNOWLEDGE_BASE_CREATE      use+ CreateKnowledgeBase                Create a knowledge base resource.
  manage   use+ ADM_KNOWLEDGE_BASE_CREATE      use+ DeleteKnowledgeBase                Delete a specific knowledge base.
  manage   use+ ADM_KNOWLEDGE_BASE_MOVE        use+ ChangeKnowledgeBaseCompartment     Move a knowledge base to a different compartment.

adm-vulnerability-audits

This table lists the permissions and the APIs that are fully covered by the permissions, for the adm-vulnerability-audits resource.

  Verb     Permissions                              APIs covered                                 Description
  inspect  ADM_VULNERABILITY_AUDIT_INSPECT          ListVulnerabilityAudits                      List all the vulnerability audit resources in a compartment.
  read     inspect+ ADM_VULNERABILITY_AUDIT_READ    inspect+ GetVulnerabilityAudit               Get a specific vulnerability audit by ID.
  use      read+ ADM_VULNERABILITY_AUDIT_UPDATE     read+ UpdateVulnerabilityAudit               Update a specific vulnerability audit.
  manage   use+ ADM_VULNERABILITY_AUDIT_CREATE      use+ CreateVulnerabilityAudit                Create a vulnerability audit resource.
  manage   use+ ADM_VULNERABILITY_AUDIT_CREATE      use+ DeleteVulnerabilityAudit                Delete a specific vulnerability audit.
  manage   use+ ADM_VULNERABILITY_AUDIT_MOVE        use+ ChangeVulnerabilityAuditCompartment     Move a vulnerability audit to a different compartment.

adm-work-requests

This table lists the permissions and the APIs that are fully covered by the permissions, for the adm-work-requests resource.

  Verb     Permissions                       APIs covered               Description
  inspect  ADM_WORK_REQUEST_INSPECT          ListWorkRequests           List all the work request resources in a compartment.
  read     inspect+ ADM_WORK_REQUEST_READ    inspect+ GetWorkRequest    Get a specific work request by ID.
  use      read+ ADM_WORK_REQUEST_CANCEL     read+ CancelWorkRequest    Cancel a specific work request.

Creating a Policy

Here's how you create a policy in the Oracle Cloud Console:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy statement in the following format: Allow group <group_name> to <verb> <resource_type> in compartment <compartment_name> (or in tenancy).

  5. Click Create.

For more information about creating policies, see How Policies Work and Policy Reference.

Policy Examples

This section lists the Application Dependency Management policies required to use resources such as knowledge bases and vulnerability audits.

Knowledge Base Policies

Policy examples for creating your own knowledge base and for creating vulnerability audits associated with it.

Create a policy to allow users in a group to create, update, or delete a knowledge base:

  Allow group <group-name> to manage adm-knowledge-bases in compartment <compartment_name>

Create a policy to allow users to use a knowledge base in a specific compartment and to create, update, or delete vulnerability audits in that compartment:

  Allow group <group-name> to use adm-knowledge-bases in compartment <compartment_name>
  Allow group <group-name> to manage adm-vulnerability-audits in compartment <compartment_name>
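As an added check that is not part of this Oracle documentation, the following Python model of the verb tables above and of the adm-family aggregate expands a set of policy statements into the permissions each group effectively holds, so that a least-privilege pairing like the one above can be reviewed before it is created. The group and compartment names are constructed, and only unconditioned group statements (no where clause) are parsed.

```python
import re

# Verb ladder and per-verb permission increments (inspect, read, use, manage), with the
# permission-name prefix, transcribed from the page's resource-type list and verb tables.
VERB_ORDER = ("inspect", "read", "use", "manage")
LADDER = {
    "adm-knowledge-bases": ("ADM_KNOWLEDGE_BASE",
                            ["INSPECT"], ["READ"], ["UPDATE"], ["CREATE", "DELETE", "MOVE"]),
    "adm-vulnerability-audits": ("ADM_VULNERABILITY_AUDIT",
                                 ["INSPECT"], ["READ"], ["UPDATE"], ["CREATE", "DELETE", "MOVE"]),
    "adm-work-requests": ("ADM_WORK_REQUEST", ["INSPECT"], ["READ"], ["CANCEL"], []),
}
# The adm-family aggregate equals one statement per individual resource type.
AGGREGATES = {"adm-family": tuple(LADDER)}
# Assumption: only unconditioned group statements (no "where" clause) are handled.
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<rtype>\S+)\s+in\s+(?:compartment\s+\S+|tenancy)\s*$", re.I)


def permissions_for(verb, rtype):
    """Permissions a verb grants on one resource type: its rung plus every lower rung."""
    prefix, *rungs = LADDER[rtype]
    depth = VERB_ORDER.index(verb.lower()) + 1
    return {f"{prefix}_{p}" for rung in rungs[:depth] for p in rung}


def effective_permissions(statements):
    """Map each group to the union of ADM permissions its statements grant."""
    result = {}
    for line in statements:
        m = STATEMENT.match(line.strip())
        if not m:
            raise ValueError(f"unparsable or unsupported statement: {line!r}")
        for rtype in AGGREGATES.get(m["rtype"].lower(), (m["rtype"].lower(),)):
            if rtype not in LADDER:
                raise ValueError(f"unknown ADM resource type: {rtype}")
            result.setdefault(m["group"], set()).update(permissions_for(m["verb"], rtype))
    return result


def over_privileged(statements, forbidden):
    """Groups whose effective permissions include any of the forbidden ones."""
    forbidden = set(forbidden)
    return {g for g, perms in effective_permissions(statements).items() if perms & forbidden}


# Constructed sample: the page's "use knowledge base, manage audits" pairing for a CI group.
CI_POLICY = [
    "Allow group ci-scanners to use adm-knowledge-bases in compartment appsec",
    "Allow group ci-scanners to manage adm-vulnerability-audits in compartment appsec",
    "Allow group ci-scanners to read adm-work-requests in compartment appsec",
]
```

A statement naming a resource type the page does not define (for example a misspelled adm-vulnerability-audit) raises ValueError rather than silently granting nothing.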