Resource Scheduler Policies
This section describes the advanced details of writing policies for Resource Scheduler. Use policies to control access to Resource Scheduler.
Resource-Types
Resource-Type | Permissions |
---|---|
resource-schedule | RESOURCE_SCHEDULE_INSPECT, RESOURCE_SCHEDULE_READ, RESOURCE_SCHEDULE_CREATE, RESOURCE_SCHEDULE_UPDATE, RESOURCE_SCHEDULE_MOVE, RESOURCE_SCHEDULE_DELETE |
resource-schedule-workrequest | RESOURCE_SCHEDULE_WORKREQUEST_INSPECT, RESOURCE_SCHEDULE_WORKREQUEST_READ |
Supported Variables
Resource Scheduler supports all the general variables (see General Variables for All Requests), plus the variables listed in the following table:
Naming Conventions
Variables are lowercase and hyphen-separated:
target.tag-namespace.name  # "name" indicates a unique key
target.display-name  # "display-name" indicates a non-unique description
Variable Types and Sources
Type | Type Description |
---|---|
String | Free-form text |
List(Type) | List of Entity or String |
Entity | OCID |
Source | Source Description |
---|---|
Request | Comes from the request input |
Derived | Comes from the request |
Stored | Comes from the service, retained input |
Computed | Computed from service data |
Variables for Every Request
Operations for this resource-type | Can Use These Variables... | Variable Type | Comments |
---|---|---|---|
Required variables supplied by the service for every request | | | |
 | target.compartment.id | ENTITY | The OCID of the primary resource for the request |
 | request.operation | STRING | The operation ID, such as GetUser, for the request |
 | target.resource.kind | STRING | The resource kind name of the primary resource for the request |
Automatic variables supplied by the SDK for every request | | | |
 | request.user.id (for user-initiated requests) | ENTITY | The OCID of the calling user |
 | | | The OCIDs of the groups of |
Dynamic variables computed implicitly by IAM AuthZ | | | |
 | request.principal.group.tag. | STRING | The value of each tag on a group of which the principal is a member. |
 | request.principal.compartment.tag. | STRING | The value of each tag on the compartment that contains the principal. |
 | target.resource.tag.<tagNS>. | STRING | The value of each tag on the target resource. (Computed based on the tagSlug supplied by the service on each request.) |
 | target.resource.compartment.tag. | STRING | The value of each tag on the compartment that contains the target resource. |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
Permissions Required for Each API Operation
This topic lists the Resource Scheduler API operations in a logical order, grouped by resource type.
Operation-specific attributes: list the operation-specific attributes that you make available to the policy compiler, as shown here. For a specific resource kind, you must have the same set of attributes across all operations (get, list, delete, and so on). The one exception is the Create operation: the object does not have an ID yet, so you can't have a target.RESOURCE-KIND.id attribute for Create.
API | Permissions Required to Use the Operation | Operation |
---|---|---|
ListSchedules | RESOURCE_SCHEDULE_INSPECT | Return a list of resource schedules. |
GetSchedule | RESOURCE_SCHEDULE_READ | Get a resource schedule. |
CreateSchedule | RESOURCE_SCHEDULE_CREATE | Create a resource schedule. |
UpdateSchedule | RESOURCE_SCHEDULE_UPDATE | Update a resource schedule. |
DeleteSchedule | RESOURCE_SCHEDULE_DELETE | Delete a resource schedule. |
ChangeScheduleCompartment | RESOURCE_SCHEDULE_MOVE | Change the compartment of a resource schedule. |
ListWorkRequests | RESOURCE_SCHEDULE_WORKREQUEST_INSPECT | List work requests associated with a resource schedule. |
GetWorkRequest | RESOURCE_SCHEDULE_WORKREQUEST_READ | Get a work request. |
Metaverb Map
Resource type | Inspect | Read | Use | Manage |
---|---|---|---|---|
RESOURCE-SCHEDULE | RESOURCE_SCHEDULE_INSPECT | RESOURCE_SCHEDULE_READ | N/A | RESOURCE_SCHEDULE_CREATE, RESOURCE_SCHEDULE_UPDATE, RESOURCE_SCHEDULE_MOVE, RESOURCE_SCHEDULE_DELETE |
RESOURCE-SCHEDULE-WORKREQUEST | RESOURCE_SCHEDULE_WORKREQUEST_INSPECT | RESOURCE_SCHEDULE_WORKREQUEST_READ | N/A | N/A |
Example Policies
This page shows several example Resource Scheduler policies that you can use as templates to create your own policies.
Important! To use resource schedules, you must create a policy to give users permission to create a schedule (see Example 1) AND you must create a policy to allow a schedule to manage resources (see Example 2).
Example 1. This policy gives users permission to manage (create, delete, activate, and others) resource schedules in their tenancy.
General example
Allow group <groupname> to manage resource-schedule-family in tenancy
Specific example
Allow group ResourceScheduleAdmins to manage resource-schedule-family in tenancy
Example 2. This policy gives a resource schedule permission to perform an action on a resource.
By default, a newly created resource schedule has no permission to perform its action on the target resources, so you must grant that permission explicitly.
This policy allows a schedule to manage predefined resources, such as instances, in a compartment.
General example
Allow any-user to manage <resource_type> in compartment id <compartment_ocid> where all {request.principal.type='resourceschedule', request.principal.id='<ocid_of_resourceschedule>'}
Specific example
Allow any-user to manage instance in compartment id ocid.compartment.oc1...q7fa where all {request.principal.type='resourceschedule', request.principal.id='ocid.resourceschedule.oc1.iad.axgr...dt8zb'}
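The following is an added example, not code from this page or from Oracle. It is a small Python evaluator that applies the verb hierarchy from the metaverb map, the operation-to-permission table, and the two example policies above to sample requests, so you can see which requests each statement admits. It assumes that resource-schedule-family covers both resource types listed on this page, uses constructed placeholder OCIDs and a constructed group name, and understands only the `where all/any {k='v', ...}` condition form shown in Example 2; it does not model compartment hierarchies or any other rule of the real IAM engine.

```python
"""Toy evaluator for the policy patterns on this page. Added example, not OCI's
authorization engine: it copies the page's metaverb map and operation table,
assumes resource-schedule-family covers both resource types on the page, and only
understands the `where all/any {k='v', ...}` form used in Example 2."""
import re
from collections import namedtuple

VERB_ORDER = ["inspect", "read", "use", "manage"]  # cumulative, low to high
# Permissions each verb adds on top of the previous one (page's metaverb map).
VERB_PERMISSIONS = {
    "resource-schedule": {
        "inspect": {"RESOURCE_SCHEDULE_INSPECT"}, "read": {"RESOURCE_SCHEDULE_READ"}, "use": set(),
        "manage": {"RESOURCE_SCHEDULE_CREATE", "RESOURCE_SCHEDULE_UPDATE",
                   "RESOURCE_SCHEDULE_MOVE", "RESOURCE_SCHEDULE_DELETE"}},
    "resource-schedule-workrequest": {
        "inspect": {"RESOURCE_SCHEDULE_WORKREQUEST_INSPECT"},
        "read": {"RESOURCE_SCHEDULE_WORKREQUEST_READ"}, "use": set(), "manage": set()},
}
FAMILY = {"resource-schedule-family": set(VERB_PERMISSIONS)}  # assumed aggregate type
# API operation -> (resource type, permission), from the page's operation table.
OPERATION_PERMISSION = {
    "ListSchedules": ("resource-schedule", "RESOURCE_SCHEDULE_INSPECT"),
    "GetSchedule": ("resource-schedule", "RESOURCE_SCHEDULE_READ"),
    "CreateSchedule": ("resource-schedule", "RESOURCE_SCHEDULE_CREATE"),
    "UpdateSchedule": ("resource-schedule", "RESOURCE_SCHEDULE_UPDATE"),
    "DeleteSchedule": ("resource-schedule", "RESOURCE_SCHEDULE_DELETE"),
    "ChangeScheduleCompartment": ("resource-schedule", "RESOURCE_SCHEDULE_MOVE"),
    "ListWorkRequests": ("resource-schedule-workrequest", "RESOURCE_SCHEDULE_WORKREQUEST_INSPECT"),
    "GetWorkRequest": ("resource-schedule-workrequest", "RESOURCE_SCHEDULE_WORKREQUEST_READ"),
}

def minimum_verb(resource_type, permission):
    """Lowest verb whose cumulative permission set includes `permission`."""
    granted = set()
    for verb in VERB_ORDER:
        granted |= VERB_PERMISSIONS[resource_type][verb]
        if permission in granted:
            return verb
    raise KeyError(f"{permission} is not granted by any verb on {resource_type}")

STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>any-user|group\s+\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+id\s+\S+)"
    r"(?:\s+where\s+(?P<quant>all|any)\s*\{(?P<conds>[^}]*)\})?$", re.IGNORECASE)
COND_RE = re.compile(r"([\w.\-]+)\s*=\s*'([^']*)'")
# A parsed statement, and a request to authorize (principal attributes live in `variables`).
Statement = namedtuple("Statement", "subject verb resource scope quant conds")
Request = namedtuple("Request", "resource_type required_verb compartment_id variables groups", defaults=[()])

def parse_statement(text):
    m = STATEMENT_RE.match(" ".join(text.split()))  # joins statements split over lines
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    subject = "any-user" if m["subject"].lower() == "any-user" else "group " + m["subject"].split()[1]
    scope = "tenancy" if m["scope"].lower() == "tenancy" else m["scope"].split()[-1]
    quant = m["quant"].lower() if m["quant"] else None  # None: no where clause
    return Statement(subject, m["verb"].lower(), m["resource"].lower(), scope, quant,
                     COND_RE.findall(m["conds"] or ""))

def request_for_operation(op, compartment_id, variables, groups=()):
    rtype, perm = OPERATION_PERMISSION[op]
    return Request(rtype, minimum_verb(rtype, perm), compartment_id, variables, groups)

def statement_grants(st, req):
    if st.subject != "any-user" and st.subject[6:] not in req.groups:
        return False  # caller is not in the named group
    if req.resource_type not in FAMILY.get(st.resource, {st.resource}):
        return False  # statement is about a different resource type
    if VERB_ORDER.index(st.verb) < VERB_ORDER.index(req.required_verb):
        return False  # verb too weak; a higher verb includes the lower ones
    if st.scope != "tenancy" and st.scope != req.compartment_id:
        return False  # request targets a compartment the statement does not cover
    if st.quant is None:
        return True   # unconditional grant
    checks = [req.variables.get(var) == val for var, val in st.conds]
    return all(checks) if st.quant == "all" else any(checks)

def is_allowed(statements, req):
    """Default deny: the request passes only if some statement grants it."""
    return any(statement_grants(parse_statement(s), req) for s in statements)

# Constructed placeholder OCIDs and group name; not real identifiers.
COMP = "ocid.compartment.oc1..placeholder-compartment"
SCHED = "ocid.resourceschedule.oc1..placeholder-schedule"
EXAMPLE_1 = "Allow group ResourceScheduleAdmins to manage resource-schedule-family in tenancy"
EXAMPLE_2 = (f"Allow any-user to manage instance in compartment id {COMP} where all "
             f"{{request.principal.type='resourceschedule', request.principal.id='{SCHED}'}}")
UNSCOPED = f"Allow any-user to manage instance in compartment id {COMP}"  # Example 2 minus its where clause

def demo():
    """Each case pairs a page example with a request it should or should not allow."""
    user = {"request.principal.type": "user"}
    sched = {"request.principal.type": "resourceschedule", "request.principal.id": SCHED}
    other = {**sched, "request.principal.id": SCHED + "-other"}
    admins = ("ResourceScheduleAdmins",)
    return {
        "admin creates schedule": is_allowed([EXAMPLE_1], request_for_operation("CreateSchedule", COMP, user, admins)),
        "non-member creates schedule": is_allowed([EXAMPLE_1], request_for_operation("CreateSchedule", COMP, user)),
        "admin reads work request": is_allowed([EXAMPLE_1], request_for_operation("GetWorkRequest", COMP, user, admins)),
        "schedule manages instance": is_allowed([EXAMPLE_2], Request("instance", "manage", COMP, sched)),
        "other schedule manages instance": is_allowed([EXAMPLE_2], Request("instance", "manage", COMP, other)),
        "user via Example 2": is_allowed([EXAMPLE_2], Request("instance", "manage", COMP, user)),
        "user via unscoped any-user": is_allowed([UNSCOPED], Request("instance", "manage", COMP, user)),
    }
```

Running `demo()` shows that Example 1's `manage` on the family also satisfies a `GetWorkRequest`, which only needs `read` on resource-schedule-workrequest, because verbs are cumulative. The last two cases show what the `where all {...}` clause in Example 2 is doing: the statement names `any-user`, so without the principal type and id conditions every principal in the compartment would receive `manage` on instances, whereas with them only the one named schedule does.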