Managing Access with IAM Policies
Set up advanced access policies using IAM.
Fusion Applications Environment Management uses Identity and Access Management (IAM) for authentication and authorization. IAM is a policy-based identity service. The tenancy administrator for your organization needs to perform setup steps in this service to create users and groups and define the policies that control which users can access which resources and how.
Specifically for Fusion Applications Environment Management, these IAM policies control who can manage environments and environment families and call the service's APIs. This section expands on the information in Adding Oracle Cloud Users with Specific Job Functions to give you more details on policy basics.
If you need to quickly set up specific job roles, see Adding Oracle Cloud Users with Specific Job Functions.
For more in-depth details on how policies work in IAM, see Getting Started with Policies.
Policies are created with statements that specify resource-types, verbs (which describe the level of access to those resource types), and locations (which can be the tenancy or a specific compartment).
Resource types are the resources that a policy grants access to. The resource types can be an individual resource, such as environment, or a resource group or family that grants access to multiple, related resources. The following table shows the resource types for Fusion Applications Environment Management:
| Resource-type | Description |
|---|---|
| | Use this resource-type to grant access to environments. |
| | Use this resource-type to grant access to environment families. |
| | Use this resource-type to grant access to maintenance activity. |
| | Use this resource-type to grant access to environment work requests. Possible actions are inspect and read. |
You use verbs in policy definitions to set the permission levels that given user groups have for given resource-types. For example, you would use the read verb to allow read-only access. The following table lists the verbs and the typical permission grants.
| Verb | Description |
|---|---|
| inspect | Covers operations that list instances of a resource. This is the verb that provides the most limited access. |
| read | In user interface terms, this generally means read-only access. In API terms, it generally applies to GET operations. |
| use | Typically allows update operations on existing resources, but does not allow create or delete. |
| manage | Allows the user to perform the whole set of a resource type's operations, including create and delete. |
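The following added example (not Oracle's code or policy reference) shows how the statement structure described above (group, verb, resource-type, location) and the verb table combine into an access decision, and how to pick the least-privileged verb for a job function. It models each verb as the set of operation classes the table attributes to it, which is a simplification of the real permission model, and it treats compartment scope as an exact match rather than the real compartment hierarchy. The group names, compartment names and the bracketed resource-type names are assumed placeholders; substitute the resource-type names from the policy reference for your service.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Operation classes each verb covers, derived from the verb table on this page:
# inspect = list only, read adds get, use adds update, manage adds create/delete.
# Simplification: real IAM permissions are finer-grained than these classes.
VERB_OPERATIONS = {
    "inspect": {"list"},
    "read": {"list", "get"},
    "use": {"list", "get", "update"},
    "manage": {"list", "get", "update", "create", "delete"},
}
# Verbs in order of increasing privilege.
VERB_ORDER = ["inspect", "read", "use", "manage"]

# Statement shape: "Allow group <group> to <verb> <resource-type> in tenancy"
# or "... in compartment <name>". Resource-type names below are placeholders.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:tenancy|compartment (?P<compartment>\S+))$"
)


class Statement(NamedTuple):
    group: str
    verb: str
    resource_type: str
    compartment: Optional[str]  # None means the statement applies tenancy-wide


class Request(NamedTuple):
    group: str
    operation: str      # one of list/get/update/create/delete
    resource_type: str
    compartment: str


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; reject anything outside the expected shape."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return Statement(m["group"], m["verb"], m["resource"], m["compartment"])


def is_allowed(statements: List[Statement], request: Request) -> bool:
    """Policies are allow-only: a request succeeds if any statement covers it."""
    for s in statements:
        if s.group != request.group or s.resource_type != request.resource_type:
            continue
        # Compartment-scoped statements apply only in that compartment
        # (exact match here; the real service evaluates the compartment tree).
        if s.compartment is not None and s.compartment != request.compartment:
            continue
        if request.operation in VERB_OPERATIONS[s.verb]:
            return True
    return False


def least_privilege_verb(operations: Set[str]) -> str:
    """Return the lowest verb whose operation set covers everything needed."""
    for verb in VERB_ORDER:
        if set(operations) <= VERB_OPERATIONS[verb]:
            return verb
    raise ValueError(f"no verb covers {sorted(operations)}")


# Constructed sample policy; group, compartment and resource-type names are placeholders.
SAMPLE_POLICY = [
    "Allow group EnvAdmins to manage <environment-type> in compartment FusionProd",
    "Allow group EnvOperators to use <environment-type> in compartment FusionProd",
    "Allow group Auditors to read <work-request-type> in tenancy",
]

if __name__ == "__main__":
    stmts = [parse_statement(s) for s in SAMPLE_POLICY]
    checks = [
        Request("EnvAdmins", "delete", "<environment-type>", "FusionProd"),
        Request("EnvOperators", "create", "<environment-type>", "FusionProd"),
        Request("EnvOperators", "update", "<environment-type>", "FusionDev"),
        Request("Auditors", "get", "<work-request-type>", "FusionDev"),
    ]
    for r in checks:
        print(f"{r.group:12} {r.operation:7} {r.resource_type:22} {r.compartment:10} -> {is_allowed(stmts, r)}")
    print("verb for list+get:", least_privilege_verb({"list", "get"}))
```

The evaluator illustrates two review checks worth applying to a real policy: an operator group granted `use` cannot create or delete even in its own compartment, and a tenancy-wide `read` statement reaches every compartment, so audit-style grants should be limited to the resource-types that actually need them.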