Resource Scheduler Policies

This section describes the advanced details of writing policies for Resource Scheduler. Use policies to control access to Resource Scheduler.

Resource-Types

Resource Types and Permissions

resource-schedule
    RESOURCE_SCHEDULE_INSPECT
    RESOURCE_SCHEDULE_READ
    RESOURCE_SCHEDULE_CREATE
    RESOURCE_SCHEDULE_UPDATE
    RESOURCE_SCHEDULE_MOVE
    RESOURCE_SCHEDULE_DELETE

resource-schedule-workrequest
    RESOURCE_SCHEDULE_WORKREQUEST_INSPECT
    RESOURCE_SCHEDULE_WORKREQUEST_READ

Supported Variables

Resource Scheduler supports all the general variables (see General Variables for All Requests), plus the variables listed in the following table:

Naming Conventions

Variables are lowercase and hyphen-separated.

target.tag-namespace.name    # "name" indicates a unique key
target.display-name          # "display-name" indicates a non-unique description

Variable Types and Sources

Variable Types

Type         Description
String       Free-form text
List(Type)   List of Entity or String
Entity       OCID

Variable Sources

Source     Description
Request    Comes from the request input
Derived    Comes from the request
Stored     Comes from the service (retained input)
Computed   Computed from service data

Variables for Every Request

Operations for this resource-type                    Can Use These Variables...                            Variable Type   Comments

Required Variables (supplied by the service for every request)

                                                     target.compartment.id                                 ENTITY          The OCID of the primary resource for the request
                                                     request.operation                                     STRING          The operation ID, such as GetUser, for the request
                                                     target.resource.kind                                  STRING          The resource kind name of the primary resource for the request

Automatic Variables (supplied by the SDK for every request)

For user-initiated requests:                         request.user.id                                       ENTITY          The OCID of the calling user
                                                     request.groups.id                                     LIST(ENTITY)    The OCIDs of the groups of request.user.id
                                                     request.principal.group.tag.<tagNS>.<tagKey>          STRING          The value of each tag on a group of which the principal is a member
                                                     request.principal.compartment.tag.<tagNS>.<tagKey>    STRING          The value of each tag on the compartment that contains the principal

Dynamic Variables (computed implicitly by IAM AuthZ)

                                                     request.principal.group.tag.<tagNS>.<tagKey>          STRING          The value of each tag on a group of which the principal is a member.
                                                     request.principal.compartment.tag.<tagNS>.<tagKey>    STRING          The value of each tag on the compartment that contains the principal.
                                                     target.resource.tag.<tagNS>.<tagKey>                  STRING          The value of each tag on the target resource. (Computed from the tagSlug supplied by the service on each request.)
                                                     target.resource.compartment.tag.<tagNS>.<tagKey>      STRING          The value of each tag on the compartment that contains the target resource.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

Permissions Required for Each API Operation

This topic lists the Resource Scheduler API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.
Note

Operation-specific attributes. The operation-specific attributes made available to the policy compiler are listed here.

For a specific resource kind, you must have the same set of attributes across all operations (get, list, delete, and more). The one exception is for the Create operation, where you do not have the ID for that object yet, so you can't have a target.RESOURCE-KIND.id attribute for Create.

API Operation               Permissions Required to Use the Operation   Description
ListSchedules               RESOURCE_SCHEDULE_INSPECT                   Return a list of resource schedules.
GetSchedule                 RESOURCE_SCHEDULE_READ                      Get a resource schedule.
CreateSchedule              RESOURCE_SCHEDULE_CREATE                    Create a resource schedule.
UpdateSchedule              RESOURCE_SCHEDULE_UPDATE                    Update a resource schedule.
DeleteSchedule              RESOURCE_SCHEDULE_DELETE                    Delete a resource schedule.
ChangeScheduleCompartment   RESOURCE_SCHEDULE_MOVE                      Change the compartment of a resource schedule.
ListWorkRequests            RESOURCE_SCHEDULE_WORKREQUEST_INSPECT       List work requests associated with a resource schedule.
GetWorkRequest              RESOURCE_SCHEDULE_WORKREQUEST_READ          Get a work request.

Metaverb Map

Resource type: RESOURCE-SCHEDULE
    Inspect: RESOURCE_SCHEDULE_INSPECT
    Read:    RESOURCE_SCHEDULE_READ
    Use:     N/A
    Manage:  RESOURCE_SCHEDULE_CREATE, RESOURCE_SCHEDULE_UPDATE, RESOURCE_SCHEDULE_MOVE, RESOURCE_SCHEDULE_DELETE

Resource type: RESOURCE-SCHEDULE-WORKREQUEST
    Inspect: RESOURCE_SCHEDULE_WORKREQUEST_INSPECT
    Read:    RESOURCE_SCHEDULE_WORKREQUEST_READ
    Use:     N/A
    Manage:  N/A

Example Policies

This page shows several example Resource Scheduler policies that you can use as templates to create your own policies.

Note

Important! To use resource schedules, you must create a policy to give users permission to create a schedule (see Example 1) AND you must create a policy to allow a schedule to manage resources (see Example 2).

Example 1. This policy gives users permission to manage (create, delete, activate, and others) resource schedules in their tenancy.

General example
Allow group <groupname> to manage resource-schedule-family in tenancy

Specific example
Allow group ResourceScheduleAdmins to manage resource-schedule-family in tenancy

Example 2. This policy gives a resource schedule permission to perform an action on a resource.

When a resource schedule is created, by default, it doesn't have permission to perform the action on target resources, so you must give it permission.

This policy allows a schedule to manage predefined resources such as instances in a compartment.

General example
Allow any-user to manage <resource_type>
in compartment id <compartment_ocid> where all
{request.principal.type='resourceschedule',
request.principal.id='<ocid_of_resourceschedule>'}

Specific example
Allow any-user to manage instance in
compartment id ocid.compartment.oc1...q7fa where all
{request.principal.type='resourceschedule',
request.principal.id='ocid.resourceschedule.oc1.iad.axgr...dt8zb'}
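The two examples above grant access at tenancy scope and to every resource of a type in a compartment. The following statements are an added example, not from the original page, that combine the metaverb map with the tag variables from the supported-variables table to narrow each grant. Group names, OCIDs, the tag namespace, tag key and tag value are placeholders to replace; the last statement assumes the target service honours target.resource.tag conditions for the resource type you choose.

```text
Allow group <audit_group> to read resource-schedule-family in tenancy

Allow group <operator_group> to manage resource-schedule-family in compartment id <compartment_ocid>

Allow any-user to manage instance in compartment id <compartment_ocid> where all
{request.principal.type='resourceschedule',
request.principal.id='<ocid_of_resourceschedule>',
target.resource.tag.<tagNS>.<tagKey>='<tag_value>'}
```

The first statement relies on the metaverb map: "read" on resource-schedule-family carries only RESOURCE_SCHEDULE_INSPECT, RESOURCE_SCHEDULE_READ and their work-request counterparts, so an audit group can list and inspect schedules and work requests without being able to create, update, move or delete them. The second keeps the "manage" grant from Example 1 but limits it to one compartment instead of the tenancy. The third is Example 2 with an extra condition: the schedule principal is still identified by request.principal.type and request.principal.id, but it can act only on instances in that compartment that carry the given tag, so adding a resource to the schedule's reach becomes a tagging decision rather than an automatic side effect of creating the resource in the compartment.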