Understand Big Data Service Resources and Permissions in IAM Policies

Oracle Identity and Access Management (IAM) provides a flexible framework for writing policy statements that control how resources can interact with one another. IAM defines a number of standard resources, along with the permissions needed to interact with them. Oracle Big Data Service adds its own service-specific resources and permissions.

This topic describes the resources and permissions an administrator can use to create IAM policy statements for Big Data Service.

Resource Kinds and Permissions

Resource Family   Resource Kind   Permissions
bds-family        bds-instances   • BDS_INSPECT
                                  • BDS_READ
                                  • BDS_CREATE
                                  • BDS_UPDATE
                                  • BDS_DELETE
                                  • BDS_MOVE
bds-family        bds-limits      • BDS_CONSUMPTION_INSPECT

Operations to Permissions Map

The following table lists the IAM operations that are specific to Oracle Big Data Service. You can write an IAM policy that includes these operations, or you can write a policy that uses a defined verb that encapsulates these operations.

Operation                                                    API Operation                   Permissions Required to Use the Operation
List all clusters in the specified compartment               ListBdsInstances                BDS_INSPECT
Create a cluster                                             CreateBdsInstance               BDS_CREATE
Show details about the specified cluster                     GetBdsInstance                  BDS_READ
Update details for a cluster                                 UpdateBdsInstance               BDS_UPDATE
Delete the specified instance                                DeleteBdsInstance               BDS_DELETE
Add block storage to the specified cluster                   AddBlockStorage                 BDS_UPDATE
Add worker nodes to the specified cluster                    AddWorkerNodes                  BDS_UPDATE
Add Oracle Cloud SQL support to the specified cluster        AddCloudSql                     BDS_UPDATE
Remove Oracle Cloud SQL support from the specified cluster   RemoveCloudSql                  BDS_UPDATE
Move a cluster from one compartment to another               ChangeBdsInstanceCompartment    BDS_MOVE
List all work requests in the specified compartment          ListWorkRequests                BDS_INSPECT
Show details about the specified work request                GetWorkRequest                  BDS_READ
Show logs for the specified work request                     ListWorkRequestLogs             BDS_INSPECT
Show errors for the specified work request                   ListWorkRequestErrors           BDS_INSPECT
Show resources used                                          ListConsumptions                BDS_CONSUMPTION_INSPECT

Operation-Specific Attributes

Note

For a given resource kind, you should have the same set of attributes across all operations (get, list, delete, and so on). The one exception is for a "create" operation, where you won't have the ID for that object yet, so you can't have a target.RESOURCE-KIND.id attribute for "create."

Resource Kind   Name                                              Type     Source
bds-instances   target.bds-instances.source-compartment.id        Entity   Request
bds-instances   target.bds-instances.destination-compartment.id   Entity   Request

IAM Verbs for Use with Big Data Service

Each verb is cumulative: read includes everything inspect grants, use includes everything read grants, and manage includes everything use grants.

Resource Kind   inspect                   read                 use                  manage
bds-instances   BDS_INSPECT               inspect +            read +               use +
                                          BDS_READ             BDS_UPDATE           BDS_CREATE
                                                                                    BDS_DELETE
                                                                                    BDS_MOVE
bds-limits      BDS_CONSUMPTION_INSPECT   (no additional       (no additional       (no additional
                                          permissions)         permissions)         permissions)

Example 1 - Administrators with All Permission on Clusters

The following policy statement says that members of a group named bds-admins can inspect, read, update, create, delete, and move all clusters in a compartment named bds-learn.

Allow group bds-admins to manage bds-instances in compartment bds-learn

In the above statement:

  • bds-admins is a group created by an administrator.

  • manage specifies the operations that members of the bds-admins group can use. manage is one of the verbs described in the "IAM Verbs for Use with Big Data Service" section above. It gives a user or group permission to use all of the operations provided by the inspect, read, and use verbs, plus a few operations specific to the manage verb:

    • The inspect verb includes the BDS_INSPECT permission.
    • The read verb includes the BDS_INSPECT and BDS_READ permissions.
    • The use verb includes the BDS_INSPECT, BDS_READ, and BDS_UPDATE permissions.
    • The manage verb includes the BDS_INSPECT, BDS_READ, BDS_UPDATE, BDS_CREATE, BDS_DELETE, and BDS_MOVE permissions.
  • bds-learn is a compartment created by an administrator.

The following policy statement says that members of the bds-admins group can manage the Virtual Cloud Network (VCN) resources in the entire tenancy.

allow group bds-admins to manage virtual-network-family in tenancy

Example 2 - Users

The following policy statement says that members of a group named bds-users can inspect and read all clusters in the bds-learn compartment. (The verb read includes both inspect and read permissions.)

Allow group bds-users to read bds-instances in compartment bds-learn
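To check that a statement like the two examples above grants no more than the operations a group actually needs, the verb and operation tables on this page can be encoded and queried. The following script is an added example, not Oracle's code or tooling: it parses a single Allow statement of the form shown here (the statement grammar it accepts is an assumption limited to the bds-* resource kinds and the compartment or tenancy scope), lists the Big Data Service API operations the statement permits, and finds the least-privilege verb that covers a required set of operations.

```python
import re

# Cumulative permissions each IAM verb grants per resource kind, taken from
# the verbs table on this page (read includes inspect, use includes read, ...).
VERB_PERMISSIONS = {
    "bds-instances": {
        "inspect": {"BDS_INSPECT"},
        "read": {"BDS_INSPECT", "BDS_READ"},
        "use": {"BDS_INSPECT", "BDS_READ", "BDS_UPDATE"},
        "manage": {"BDS_INSPECT", "BDS_READ", "BDS_UPDATE",
                   "BDS_CREATE", "BDS_DELETE", "BDS_MOVE"},
    },
    "bds-limits": {v: {"BDS_CONSUMPTION_INSPECT"}
                   for v in ("inspect", "read", "use", "manage")},
}

# Permission required by each API operation (operations-to-permissions table).
OPERATION_PERMISSION = {
    "ListBdsInstances": "BDS_INSPECT", "CreateBdsInstance": "BDS_CREATE",
    "GetBdsInstance": "BDS_READ", "UpdateBdsInstance": "BDS_UPDATE",
    "DeleteBdsInstance": "BDS_DELETE", "AddBlockStorage": "BDS_UPDATE",
    "AddWorkerNodes": "BDS_UPDATE", "AddCloudSql": "BDS_UPDATE",
    "RemoveCloudSql": "BDS_UPDATE", "ChangeBdsInstanceCompartment": "BDS_MOVE",
    "ListWorkRequests": "BDS_INSPECT", "GetWorkRequest": "BDS_READ",
    "ListWorkRequestLogs": "BDS_INSPECT", "ListWorkRequestErrors": "BDS_INSPECT",
    "ListConsumptions": "BDS_CONSUMPTION_INSPECT",
}

# Assumed grammar: "Allow group G to VERB KIND in compartment C" or "in tenancy".
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<kind>bds-instances|bds-limits|bds-family)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)$", re.IGNORECASE)

def parse_statement(stmt):
    """Split one policy statement into (group, verb, resource kind, scope)."""
    m = STATEMENT.match(" ".join(stmt.split()))
    if not m:
        raise ValueError("unrecognised policy statement: %r" % stmt)
    return m["group"], m["verb"].lower(), m["kind"].lower(), m["scope"]

def granted_permissions(stmt):
    """All BDS permissions the statement grants; bds-family covers both kinds."""
    _, verb, kind, _ = parse_statement(stmt)
    kinds = VERB_PERMISSIONS if kind == "bds-family" else [kind]
    return set().union(*(VERB_PERMISSIONS[k][verb] for k in kinds))

def allowed_operations(stmt):
    """API operations a group with this statement may call, sorted by name."""
    perms = granted_permissions(stmt)
    return sorted(op for op, p in OPERATION_PERMISSION.items() if p in perms)

def minimal_verb(kind, operations):
    """Least-privilege verb on `kind` covering every listed operation, or None."""
    needed = {OPERATION_PERMISSION[op] for op in operations}
    for verb in ("inspect", "read", "use", "manage"):
        if needed <= VERB_PERMISSIONS[kind][verb]:
            return verb
    return None
```

Running `minimal_verb("bds-instances", ["AddWorkerNodes", "GetBdsInstance"])` returns "use", showing that a group which only scales and reads clusters does not need the manage verb from Example 1.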

More Information

For more information about IAM policies, see Overview of Oracle Cloud Infrastructure Identity and Access Management in the Oracle Cloud Infrastructure documentation. For details about writing policies, see Policy Syntax and Policy Reference.