IAM Policies

In Oracle Cloud Infrastructure Identity and Access Management (IAM), a tenancy administrator can create policies to grant permissions to groups on resources in compartments in a tenancy. To use Oracle Data Safe, a user doesn't require any special permissions; therefore, no policy is required. However, to manage Oracle Data Safe, a user needs to be part of the Oracle Data Safe administrator group, which does require permissions.

This article has the following topics: Basic Syntax for Policies, Example of IAM Policies, and Related Content.

Basic Syntax for Policies

A policy is a document that consists of one or more statements. A policy statement follows this basic syntax:

Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>

Policy language uses simple verbs like inspect, read, use, and manage.

Example of IAM Policies



The diagram above shows three Oracle Cloud Infrastructure Identity and Access Management (IAM) groups and policies that provide the groups access to compartments.

The IT-Compliance group, which ensures legal compliance related to data protection, is granted permission to manage all resources in the Project A compartment. The Project A compartment consists of a Finance database and block volumes.

The IT-Security group, which provides test data to developers and testers, is granted permission to manage all resources in the Project B compartment. The Project B compartment consists of a Sales database and block volumes.

The Data-Safe-Admins group is responsible for enabling Oracle Data Safe and managing privileges in Oracle Data Safe. This group is granted permission to manage Oracle Data Safe and inspect groups in the tenancy.
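As an added example (not Oracle's code or documentation), the following Python checker parses statements written in the basic syntax above, builds the per-group grants for the three groups in the diagram, and flags the tenancy-wide "manage all-resources" grant that a least-privilege review looks for first. The group and compartment names, and the data-safe resource-type name, are assumptions for the constructed policy.

```python
import re
from dataclasses import dataclass

# Constructed policy mirroring the diagram's three groups. Group and compartment
# names and the Data Safe resource-type name are assumptions, not from the page.
POLICY = """
Allow group IT-Compliance to manage all-resources in compartment Project-A
Allow group IT-Security to manage all-resources in compartment Project-B
Allow group Data-Safe-Admins to manage data-safe in tenancy
Allow group Data-Safe-Admins to inspect groups in tenancy
"""

# One statement in the basic syntax: Allow group G to VERB RESOURCE in SCOPE
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:compartment (?P<compartment>\S+)|tenancy)$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    scope: str  # compartment name, or "tenancy" for tenancy-wide grants

def parse_policy(text):
    """Parse a policy document; reject any line that does not fit the syntax."""
    statements = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = STATEMENT.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed statement: {line!r}")
        statements.append(Statement(m["group"], m["verb"].lower(),
                                    m["resource"].lower(),
                                    m["compartment"] or "tenancy"))
    return statements

def grants_for(statements, group):
    """Map (scope, resource-type) -> verb for one group, for review."""
    return {(s.scope, s.resource): s.verb for s in statements if s.group == group}

def broad_grants(statements):
    """Statements granting 'manage all-resources' on the whole tenancy: the
    least-privilege red flag a reviewer checks for first."""
    return [s for s in statements
            if s.verb == "manage" and s.resource == "all-resources"
            and s.scope == "tenancy"]
```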

Related Content

The following Oracle Cloud Infrastructure documentation discusses how to create policies in IAM: