Oracle Cloud Infrastructure Documentation

Policy Reference

This topic covers details for writing policies to control access to the Oracle NoSQL Database Cloud Service.

A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how. See Overview of Policies to learn basics of policies.

The overall syntax of a policy statement is as follows:
Allow <subject> 
to <verb> <resource-type> 
in <location> 
where <conditions>
For detailed explanation of this syntax, see Policy Syntax in Oracle Cloud Infrastructure Documentation.

Resource-Types

Learn about the resource types supported by Oracle NoSQL Database Cloud Service.

Resources are the cloud objects that your company's employees create and use when interacting with the Oracle Cloud Infrastructure (OCI).

Individual Resource-Types

An Individual Resource-Type represents a specific type of resource. As a user, you can create NoSQL tables, build indexes and populate rows in those tables in Oracle NoSQL Database Cloud Service. Accordingly, three individual resource-types are identified for Oracle NoSQL Database Cloud Service, as:

  • nosql-tables
  • nosql-rows
  • nosql-indexes

Aggregate Resource-Type

Multiple individual resource-types that are often managed together are collectively identified as Aggregate Resource-Types. There is only one aggregate resource-type in Oracle NoSQL Database Cloud Service, as:
  • nosql-family
Note

A policy that uses <verb> nosql-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in nosql-family.

Supported Variables

Learn about the variables supported by Oracle NoSQL Database Cloud Service.

Oracle NoSQL Database Cloud Service supports all the general variables. See General Variables for All Requests. All three NoSQL resource types can use the following variables, except for ListTables and CreateTable.

Table 8-1 Supported Variables

Variable Variable Type Comments
target.nosql-table.id OCID Use this variable to control access to specific NoSQL table by OCID.
target.nosql-table.name String Use this variable to control access to specific NoSQL table by name.

Details for Verb + Resource-Type Combinations

Learn about the permissions and API operations covered by each verb.

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas no extra indicates no incremental access.

For example, the read verb for the nosql-tables resource-type includes the same permissions and API operations as the inspect verb, plus the NOSQL_TABLE_READ permission and the GetTable API operation. In the case of the nosql-tables resource-type, the use verb covers UpdateTable API operations compared to read. Lastly, manage covers more permissions and operations compared to use.

nosql-tables

Table 8-2 nosql-tables

Verb Permissions REST APIs Fully Covered NoSQL Cloud Driver Request Covered
INSPECT NOSQL_TABLE_INSPECT ListTables ListTableRequest
READ INSPECT + NOSQL_TABLE_READ GetTable GetTableRequest
READ INSPECT + NOSQL_TABLE_READ

ListWorkRequests

GetWorkRequest

ListWorkRequestErrors

ListWorkRequestLogs

 None
READ INSPECT + NOSQL_TABLE_READ ListTableUsage TableUsageRequest
USE READ + NOSQL_TABLE_ALTER

UpdateTable

DeleteWorkRequest

 TableRequest
  • change TableLimits
  • ALTER TABLE
MANAGE USE + NOSQL_TABLE_CREATE CreateTable TableRequest (CREATE TABLE)
MANAGE NOSQL_TABLE_DROP CreateTable TableRequest (DROP TABLE)
MANAGE NOSQL_TABLE_MOVE ChangeTableCompartment Not supported

nosql-rows

Table 8-3 nosql-rows

Verb Permissions REST APIs Fully Covered NoSQL Cloud Driver Request Covered
INSPECT None None None
READ NOSQL_ROWS_READ

GetRow

Query (SELECT)

PrepareStatement

SummarizeStatement
  • GetRequest
  • PrepareRequest
  • QueryRequest (SELECT)
USE READ + NOSQL_ROWS_INSERT

UpdateRow

Query (INSERT/UPSERT, UPDATE)
  • PutRequest
  • WriteMultipleRequest(Put)
  • QueryRequest(INSERT/UPSERT, UPDATE)
MANAGE USE + NOSQL_ROWS_DELETE

DeleteRow

Query (DELETE)
  • DeleteRequest
  • MultiDeleteRequest
  • WriteMultipleRequest(Delete)
  • QueryRequest(DELETE)

nosql-indexes

Table 8-4 nosql-indexes

Verb Permissions REST APIs Fully Covered NoSQL Cloud Driver Request Covered
INSPECT None None None
READ NOSQL_INDEX_READ

  • ListIndexes

  • GetIndex

  • GetIndexesRequest + indexName

  • GetIndexesRequest
USE READ + NONE

  • ListIndexes

  • GetIndex

  • GetIndexesRequest + indexName

  • GetIndexesRequest

MANAGE READ + NOSQL_INDEX_CREATE CreateIndex TableRequest(CREATE INDEX)
MANAGE NOSQL_INDEX_DROP DeleteIndex TableRequest(DROP INDEX)

Permission Required for Each NoSQL Cloud Driver Request

Learn about the required permissions for each NoSQL Cloud Driver Request.

The table below lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions in Oracle Cloud Infrastructure Documentation.

Table 8-5 Permissions

Request Permissions Operation Id (request.operation)
DeleteRequest NOSQL_ROWS_DELETE DeleteRow
GetIndexesRequest NOSQL_INDEX_READ GetIndex
GetRequest NOSQL_ROWS_READ GetRow
GetTableRequest NOSQL_TABLE_READ GetTable
ListTablesRequest NOSQL_TABLE_INSPECT ListTables
MultiDeleteRequest NOSQL_ROWS_DELETE DeleteRow
PrepareRequest NOSQL_ROWS_READ GetRow
PutRequest NOSQL_ROWS_INSERT UpdateRow
QueryRequest (SELECT) NOSQL_ROWS_READ GetRow
QueryRequest (INSERT, UPSERT, UPDATE) NOSQL_ROWS_INSERT UpdateRow
QueryRequest (DELETE) NOSQL_ROWS_DELETE DeleteRow
TableRequest (CREATE TABLE) NOSQL_TABLE_CREATE CreateTable
TableRequest (ALTER TABLE) NOSQL_TABLE_ALTER UpdateTable
TableRequest (DROP TABLE) NOSQL_TABLE_DROP DeleteTable
TableUsageRequest NOSQL_TABLE_READ GetTable
WriteMultipleRequest

has PutRequest: NOSQL_ROWS_INSERT

has DeleteRequest: NOSQL_ROWS_DELETE

UpdateRow

DeleteTable

Permission Required for Each REST API Operation

Learn about the required permissions for each REST API operation request.

The table below lists the REST API operations in a logical order, grouped by resource type. For information about permissions, see Permissions in Oracle Cloud Infrastructure Documentation.

Table 8-6 Permissions

Request Permissions
ListTables NOSQL_TABLE_INSPECT
CreateTable NOSQL_TABLE_CREATE
GetTable NOSQL_TABLE_READ
UpdateTable NOSQL_TABLE_ALTER
DeleteTable NOSQL_TABLE_DROP
ListIndexes NOSQL_INDEX_READ
CreateIndex NOSQL_INDEX_CREATE
GetIndex NOSQL_INDEX_READ
DeleteIndex NOSQL_INDEX_DROP
GetRow NOSQL_ROWS_READ
UpdateRow NOSQL_ROWS_INSERT
DeleteRow NOSQL_ROWS_DELETE
ListTableUsage NOSQL_TABLE_READ
ChangeTableCompartment NOSQL_TABLE_ALTER
Query (SELECT) NOSQL_ROWS_READ
Query (INSERT, UPSERT, UPDATE) NOSQL_ROWS_INSERT
Query (DELETE) NOSQL_ROWS_DELETE
PrepareStatement NOSQL_TABLE_READ
SummarizeStatement NOSQL_TABLE_READ
ListWorkRequests NOSQL_TABLE_READ
GetWorkRequest NOSQL_TABLE_READ
DeleteWorkRequest NOSQL_TABLE_ALTER
ListWorkRequestErrors NOSQL_TABLE_READ
ListWorkRequestLogs NOSQL_TABLE_READ
When you write a policy with request.operation, use the name of API operations. For Query operations, use the mapping operation of statement in the query. For example: 
SELECT => GetRow INSERT, UPSERT or UPDATE => UpdateRow DELETE=> DeleteRow