Policy Reference
This topic covers details for writing policies to control access to the Oracle NoSQL Database Cloud Service.
A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how. See Overview of Policies to learn basics of policies.
```
Allow <subject>
to <verb> <resource-type>
in <location>
where <conditions>
```
For detailed explanation of this syntax, see Policy Syntax in Oracle Cloud Infrastructure Documentation.
Resource-Types
Learn about the resource types supported by Oracle NoSQL Database Cloud Service.
Resources are the cloud objects that your company's employees create and use when interacting with the Oracle Cloud Infrastructure (OCI).
Individual Resource-Types
An Individual Resource-Type represents a specific type of resource. As a user, you can create NoSQL tables, build indexes, and populate rows in those tables in Oracle NoSQL Database Cloud Service. Accordingly, three individual resource-types are identified for Oracle NoSQL Database Cloud Service:
- nosql-tables
- nosql-rows
- nosql-indexes
Aggregate Resource-Type
Multiple individual resource-types that are often managed together are collectively identified as an Aggregate Resource-Type. There is only one aggregate resource-type in Oracle NoSQL Database Cloud Service:
- nosql-family
A policy that uses <verb> nosql-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types. See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in nosql-family.
Supported Variables
Learn about the variables supported by Oracle NoSQL Database Cloud Service.
ListTables and CreateTable.
Table 8-1 Supported Variables
Variable | Variable Type | Comments |
---|---|---|
target.nosql-table.id | OCID | Use this variable to control access to a specific NoSQL table by OCID. |
target.nosql-table.name | String | Use this variable to control access to a specific NoSQL table by name. |
Details for Verb + Resource-Type Combinations
Learn about the permissions and API operations covered by each verb.
The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas a cell without a plus sign indicates no incremental access. For example, the read verb for the nosql-tables resource-type includes the same permissions and API operations as the inspect verb, plus the NOSQL_TABLE_READ permission and the GetTable API operation. In the case of the nosql-tables resource-type, the use verb additionally covers the UpdateTable API operation compared to read. Lastly, manage covers more permissions and operations compared to use.
nosql-tables
Table 8-2 nosql-tables
Verb | Permissions | REST APIs Fully Covered | NoSQL Cloud Driver Request Covered |
---|---|---|---|
INSPECT | NOSQL_TABLE_INSPECT | ListTables | ListTablesRequest |
READ | INSPECT + NOSQL_TABLE_READ | GetTable | GetTableRequest |
READ | INSPECT + NOSQL_TABLE_READ | ListWorkRequests, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs | None |
READ | INSPECT + NOSQL_TABLE_READ | ListTableUsage | TableUsageRequest |
USE | READ + NOSQL_TABLE_ALTER | UpdateTable, DeleteWorkRequest | TableRequest |
MANAGE | USE + NOSQL_TABLE_CREATE | CreateTable | TableRequest (CREATE TABLE) |
MANAGE | NOSQL_TABLE_DROP | DeleteTable | TableRequest (DROP TABLE) |
MANAGE | NOSQL_TABLE_MOVE | ChangeTableCompartment | Not supported |
nosql-rows
Table 8-3 nosql-rows
Verb | Permissions | REST APIs Fully Covered | NoSQL Cloud Driver Request Covered |
---|---|---|---|
INSPECT | None | None | None |
READ | NOSQL_ROWS_READ | GetRow, Query (SELECT), PrepareStatement, SummarizeStatement | |
USE | READ + NOSQL_ROWS_INSERT | UpdateRow, Query (INSERT/UPSERT, UPDATE) | |
MANAGE | USE + NOSQL_ROWS_DELETE | DeleteRow, Query (DELETE) | |
nosql-indexes
Table 8-4 nosql-indexes
Verb | Permissions | REST APIs Fully Covered | NoSQL Cloud Driver Request Covered |
---|---|---|---|
INSPECT | None | None | None |
READ | NOSQL_INDEX_READ | ListIndexes | GetIndexesRequest |
READ | NOSQL_INDEX_READ | GetIndex | GetIndexesRequest + indexName |
USE | READ + NONE | ListIndexes | GetIndexesRequest |
USE | READ + NONE | GetIndex | GetIndexesRequest + indexName |
MANAGE | READ + NOSQL_INDEX_CREATE | CreateIndex | TableRequest (CREATE INDEX) |
MANAGE | NOSQL_INDEX_DROP | DeleteIndex | TableRequest (DROP INDEX) |
Permission Required for Each NoSQL Cloud Driver Request
Learn about the required permissions for each NoSQL Cloud Driver Request.
Table 8-5 Permissions
Request | Permissions | Operation Id (request.operation) |
---|---|---|
DeleteRequest | NOSQL_ROWS_DELETE | DeleteRow |
GetIndexesRequest | NOSQL_INDEX_READ | GetIndex |
GetRequest | NOSQL_ROWS_READ | GetRow |
GetTableRequest | NOSQL_TABLE_READ | GetTable |
ListTablesRequest | NOSQL_TABLE_INSPECT | ListTables |
MultiDeleteRequest | NOSQL_ROWS_DELETE | DeleteRow |
PrepareRequest | NOSQL_ROWS_READ | GetRow |
PutRequest | NOSQL_ROWS_INSERT | UpdateRow |
QueryRequest (SELECT) | NOSQL_ROWS_READ | GetRow |
QueryRequest (INSERT, UPSERT, UPDATE) | NOSQL_ROWS_INSERT | UpdateRow |
QueryRequest (DELETE) | NOSQL_ROWS_DELETE | DeleteRow |
TableRequest (CREATE TABLE) | NOSQL_TABLE_CREATE | CreateTable |
TableRequest (ALTER TABLE) | NOSQL_TABLE_ALTER | UpdateTable |
TableRequest (DROP TABLE) | NOSQL_TABLE_DROP | DeleteTable |
TableUsageRequest | NOSQL_TABLE_READ | GetTable |
WriteMultipleRequest | NOSQL_ROWS_INSERT if it contains a PutRequest; NOSQL_ROWS_DELETE if it contains a DeleteRequest | UpdateRow, DeleteRow |
Permission Required for Each REST API Operation
Learn about the required permissions for each REST API operation request.
Table 8-6 Permissions
Request | Permissions |
---|---|
ListTables | NOSQL_TABLE_INSPECT |
CreateTable | NOSQL_TABLE_CREATE |
GetTable | NOSQL_TABLE_READ |
UpdateTable | NOSQL_TABLE_ALTER |
DeleteTable | NOSQL_TABLE_DROP |
ListIndexes | NOSQL_INDEX_READ |
CreateIndex | NOSQL_INDEX_CREATE |
GetIndex | NOSQL_INDEX_READ |
DeleteIndex | NOSQL_INDEX_DROP |
GetRow | NOSQL_ROWS_READ |
UpdateRow | NOSQL_ROWS_INSERT |
DeleteRow | NOSQL_ROWS_DELETE |
ListTableUsage | NOSQL_TABLE_READ |
ChangeTableCompartment | NOSQL_TABLE_ALTER |
Query (SELECT) | NOSQL_ROWS_READ |
Query (INSERT, UPSERT, UPDATE) | NOSQL_ROWS_INSERT |
Query (DELETE) | NOSQL_ROWS_DELETE |
PrepareStatement | NOSQL_TABLE_READ |
SummarizeStatement | NOSQL_TABLE_READ |
ListWorkRequests | NOSQL_TABLE_READ |
GetWorkRequest | NOSQL_TABLE_READ |
DeleteWorkRequest | NOSQL_TABLE_ALTER |
ListWorkRequestErrors | NOSQL_TABLE_READ |
ListWorkRequestLogs | NOSQL_TABLE_READ |
Query statements map to operation ids as follows: SELECT => GetRow; INSERT, UPSERT or UPDATE => UpdateRow; DELETE => DeleteRow.
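The statement syntax, the cumulative verb tables (8-2 to 8-4) and the per-request permissions of Table 8-5 can be checked mechanically before a policy is deployed. The following Python is an added example, not Oracle's code or part of this documentation: it parses a restricted subset of the statement syntax (group subjects, compartment locations, one optional condition on target.nosql-table.id or target.nosql-table.name), expands nosql-family into its three members, applies the cumulative verb semantics, and decides whether a NoSQL Cloud Driver request is covered. The group, compartment and table names and the sample policy are constructed for illustration; the rule that a conditioned statement matches only a request naming that exact table is the example's own simplifying assumption, not something this topic states.

```python
"""Least-privilege checker for the policy syntax and tables in this topic.

Added example (not Oracle's code). Group, compartment and table names and
the sample policy are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
FAMILY = ("nosql-tables", "nosql-rows", "nosql-indexes")  # members of nosql-family

VERB_PERMISSIONS = {  # permission added at each verb level (Tables 8-2 to 8-4)
    "nosql-tables": {"inspect": {"NOSQL_TABLE_INSPECT"}, "read": {"NOSQL_TABLE_READ"},
                     "use": {"NOSQL_TABLE_ALTER"},
                     "manage": {"NOSQL_TABLE_CREATE", "NOSQL_TABLE_DROP", "NOSQL_TABLE_MOVE"}},
    "nosql-rows": {"inspect": set(), "read": {"NOSQL_ROWS_READ"},
                   "use": {"NOSQL_ROWS_INSERT"}, "manage": {"NOSQL_ROWS_DELETE"}},
    "nosql-indexes": {"inspect": set(), "read": {"NOSQL_INDEX_READ"}, "use": set(),
                      "manage": {"NOSQL_INDEX_CREATE", "NOSQL_INDEX_DROP"}},
}

REQUEST_PERMISSION = {  # permission each NoSQL Cloud Driver request needs (Table 8-5)
    "DeleteRequest": "NOSQL_ROWS_DELETE", "GetIndexesRequest": "NOSQL_INDEX_READ",
    "GetRequest": "NOSQL_ROWS_READ", "GetTableRequest": "NOSQL_TABLE_READ",
    "ListTablesRequest": "NOSQL_TABLE_INSPECT", "MultiDeleteRequest": "NOSQL_ROWS_DELETE",
    "PrepareRequest": "NOSQL_ROWS_READ", "PutRequest": "NOSQL_ROWS_INSERT",
    "QueryRequest (SELECT)": "NOSQL_ROWS_READ", "QueryRequest (DELETE)": "NOSQL_ROWS_DELETE",
    "QueryRequest (INSERT, UPSERT, UPDATE)": "NOSQL_ROWS_INSERT",
    "TableRequest (CREATE TABLE)": "NOSQL_TABLE_CREATE",
    "TableRequest (ALTER TABLE)": "NOSQL_TABLE_ALTER",
    "TableRequest (DROP TABLE)": "NOSQL_TABLE_DROP", "TableUsageRequest": "NOSQL_TABLE_READ",
}

# Subset of the policy syntax handled here: a group subject, a compartment location
# and at most one condition on a supported variable. Anything else is rejected.
STATEMENT = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>nosql-family|nosql-tables|nosql-rows|nosql-indexes)\s+"
    r"in\s+compartment\s+(?P<compartment>\S+)"
    r"(?:\s+where\s+target\.nosql-table\.(?P<var>id|name)\s*=\s*'(?P<value>[^']*)')?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource_types: Tuple[str, ...]       # nosql-family already expanded to FAMILY
    compartment: str
    condition: Optional[Tuple[str, str]]  # ("id" | "name", value) or None


def parse_statement(text: str) -> Statement:
    m = STATEMENT.match(text.strip())
    if not m:  # fail closed: a statement we cannot parse grants nothing
        raise ValueError(f"unsupported policy statement: {text!r}")
    rtype = m["rtype"].lower()
    types = FAMILY if rtype == "nosql-family" else (rtype,)
    cond = (m["var"].lower(), m["value"]) if m["var"] else None
    return Statement(m["group"], m["verb"].lower(), types, m["compartment"], cond)


def parse_policy(text: str):
    return [parse_statement(line) for line in text.splitlines() if line.strip()]


def permissions_for(verb: str, rtype: str):
    """Cumulative semantics: a verb grants its own row plus every row above it."""
    rank = VERB_RANK[verb]
    return set().union(*(p for v, p in VERB_PERMISSIONS[rtype].items() if VERB_RANK[v] <= rank))


def required_permissions(request: str, sub_requests=()):
    if request == "WriteMultipleRequest":  # needs the union of its sub-requests' permissions
        return {REQUEST_PERMISSION[s] for s in sub_requests}
    return {REQUEST_PERMISSION[request]}


def is_allowed(policy, groups, compartment, request, table_name=None, table_id=None, sub_requests=()):
    """True if the caller's groups hold every permission the request needs."""
    needed = required_permissions(request, sub_requests)
    granted = set()
    for st in policy:
        if st.group not in groups or st.compartment != compartment:
            continue
        if st.condition:
            var, value = st.condition
            # Simplifying assumption of this example: a conditioned statement matches only a
            # request that targets that exact table, so a table-less request never matches it.
            if (table_id if var == "id" else table_name) != value:
                continue
        for rtype in st.resource_types:
            granted |= permissions_for(st.verb, rtype)
    return needed <= granted


# Constructed sample policy: read-only analysts, a service confined to one table, admins.
SAMPLE_POLICY = """
Allow group nosql-readers to read nosql-family in compartment app-dev
Allow group order-service to use nosql-rows in compartment app-dev where target.nosql-table.name = 'orders'
Allow group nosql-admins to manage nosql-family in compartment app-dev
"""

if __name__ == "__main__":
    policy, svc = parse_policy(SAMPLE_POLICY), {"order-service"}
    print(is_allowed(policy, svc, "app-dev", "PutRequest", table_name="orders"))     # True
    print(is_allowed(policy, svc, "app-dev", "DeleteRequest", table_name="orders"))  # False
```

Two design points carry over to real policies: an unparseable statement raises rather than silently granting nothing, so a typo in a policy file is caught before deployment, and a WriteMultipleRequest is only covered when both NOSQL_ROWS_INSERT and NOSQL_ROWS_DELETE are granted, which the use verb on nosql-rows alone does not provide.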