Create IAM Policies of Oracle API Access Control

Learn how to develop policies that control access to Oracle API Access Control resources.

About Resource-Types and Delegate Access Control Policies

Learn about resource-types you can use in your policies.

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing a single policy to allow a group to have access to the privileged-api-family is equivalent to writing separate policies granting access to the api-metadatas, privileged-api-requests, privileged-api-controls, and privileged-api-work-requests resource types. For more information, see Resource-Types.

Example policies:
  • Allow the Admin group, Approver group, or Managers to use database-family resource type in the tenancy.
    allow group <admin_group/approver_group/managers> to use database-family in tenancy
  • Allow the Admin group, Approver group, or Managers to manage privileged-api-family resource type in the tenancy.
    allow group <admin_group/approver_group/managers> to manage privileged-api-family in tenancy
  • Allow the Access Request Approvers group to approve, reject, and revoke Privileged Access Requests in the tenancy.
    allow group AccessRequestApprovers to manage privileged-api-requests in tenancy
  • Allow Access Request group to use privileged-api-family resource type in the tenancy.
    allow group <access_request_group> to use privileged-api-family in tenancy
  • Allow the Admin group or Approver group to read domains in the tenancy.
    allow group <admin_group/approver_group/access_request_group> to read domains in tenancy
  • Allow the API Access Control service to use database-family resource type in the tenancy.
    allow any-user TO use database-family IN tenancy where ALL { request.principal.type in ('pactlprivilegedapirequest', 'pactlprivilegedapicontrol') }
  • Allow the API Access Control service to use notification topics in the tenancy.
    allow any-user TO use ons-topics IN tenancy where ALL { request.principal.type in ('pactlprivilegedapirequest', 'pactlprivilegedapicontrol') }

Resource-Types for API Access Control

Review the list of resource-types specific to API Access Control.

Aggregate Resource-Type

privileged-api-family

Individual Resource-Types

  • api-metadatas
  • privileged-api-requests
  • privileged-api-controls
  • privileged-api-work-requests

Supported Variables for API Access Control

Use variables when adding conditions to a policy.

API Access Control supports only the general variables. For more information, see General Variables for All Requests.

Details for Verb + Resource-Type Combinations

Review the list of permissions and API operations covered by each verb for API Access Control.

For more information, see Permissions, Verbs, and Resource-Types.

privileged-api-family Resource Types

Each API Access Control resource-type verb grants different levels of access.

The level of access is cumulative as you go from inspect to read, to use, and to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the privileged-api-controls resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.

api-metadatas

Review the list of permissions and API operations for api-metadatas resource-type.

Table 5-1 List of permissions and API operations for api-metadatas resource-type

Verbs    Permissions                      APIs Fully Covered    APIs Partially Covered
INSPECT  API_METADATA_INSPECT             ListApiMetadata       none
READ     INSPECT + API_METADATA_READ      GetApiMetadata        none
USE      READ + no extra                  none                  none
MANAGE   USE + no extra                   none                  none

privileged-api-controls

Review the list of permissions and API operations for privileged-api-controls resource-type.

Table 5-2 List of permissions and API operations for privileged-api-controls resource-type

Verbs    Permissions                                 APIs Fully Covered                       APIs Partially Covered
INSPECT  PRIVILEGED_API_CONTROL_INSPECT              ListPrivilegedApiControls                none
READ     INSPECT + PRIVILEGED_API_CONTROL_READ       GetPrivilegedApiControl                  none
USE      READ + no extra                             none                                     none
MANAGE   USE + PRIVILEGED_API_CONTROL_CREATE,        CreatePrivilegedApiControl,              none
         PRIVILEGED_API_CONTROL_UPDATE,              UpdatePrivilegedApiControl,
         PRIVILEGED_API_CONTROL_MOVE,                ChangePrivilegedApiControlCompartment,
         PRIVILEGED_API_CONTROL_DELETE               DeletePrivilegedApiControl

privileged-api-requests

Review the list of permissions and API operations for privileged-api-requests resource-type.

Table 5-3 List of permissions and API operations for privileged-api-requests resource-type

Verbs    Permissions                                 APIs Fully Covered                       APIs Partially Covered
INSPECT  PRIVILEGED_API_REQUEST_INSPECT              ListPrivilegedApiRequests                none
READ     INSPECT + PRIVILEGED_API_REQUEST_READ       GetPrivilegedApiRequest                  none
USE      READ + PRIVILEGED_API_REQUEST_CREATE,       CreatePrivilegedApiRequest,              none
         PRIVILEGED_API_REQUEST_CLOSE                ClosePrivilegedApiRequest
MANAGE   USE + PRIVILEGED_API_REQUEST_AUTHORIZE      ApprovePrivilegedApiRequest,             none
                                                     RejectPrivilegedApiRequest,
                                                     RevokePrivilegedApiRequest

privileged-api-work-requests

Review the list of permissions and API operations for privileged-api-work-requests resource-type.

Table 5-4 List of permissions and API operations for privileged-api-work-requests resource-type

Verbs    Permissions                                 APIs Fully Covered                       APIs Partially Covered
INSPECT  PRIVILEGED_API_WORK_REQUEST_INSPECT         ListWorkRequests                         none
READ     INSPECT + PRIVILEGED_API_WORK_REQUEST_READ  GetWorkRequest,                          none
                                                     ListWorkRequestErrors,
                                                     ListWorkRequestLogs
USE      READ + no extra                             none                                     none
MANAGE   USE + PRIVILEGED_API_WORK_REQUEST_DELETE    CancelWorkRequest                        none
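To make the cumulative verb model and Tables 5-1 to 5-4 concrete, here is an added Python example (not Oracle's code or tooling) that expands a set of policy statements into the permissions they actually grant, expands the privileged-api-family aggregate into its individual resource-types, and reports where a group is granted more than its role needs. The verb-to-permission mappings come from the tables above; the sample statements, the group names AccessRequesters and AccessRequestApprovers, and the simplified statement grammar are assumptions constructed for this example, and conditions in a where clause are captured but not evaluated.

```python
"""Added example, not Oracle's code: expand OCI IAM policy statements for
API Access Control into the concrete permissions they grant, using the
cumulative verb model (inspect < read < use < manage) and the
verb/permission tables on this page."""
import re

# Individual resource-types behind the aggregate (from the page).
FAMILY = {
    "privileged-api-family": [
        "api-metadatas",
        "privileged-api-requests",
        "privileged-api-controls",
        "privileged-api-work-requests",
    ],
}

# Permissions each verb ADDS on top of the previous verb (Tables 5-1 to 5-4).
VERB_ORDER = ["inspect", "read", "use", "manage"]
INCREMENTAL = {
    "api-metadatas": {
        "inspect": ["API_METADATA_INSPECT"],
        "read": ["API_METADATA_READ"],
        "use": [],
        "manage": [],
    },
    "privileged-api-controls": {
        "inspect": ["PRIVILEGED_API_CONTROL_INSPECT"],
        "read": ["PRIVILEGED_API_CONTROL_READ"],
        "use": [],
        "manage": ["PRIVILEGED_API_CONTROL_CREATE", "PRIVILEGED_API_CONTROL_UPDATE",
                   "PRIVILEGED_API_CONTROL_MOVE", "PRIVILEGED_API_CONTROL_DELETE"],
    },
    "privileged-api-requests": {
        "inspect": ["PRIVILEGED_API_REQUEST_INSPECT"],
        "read": ["PRIVILEGED_API_REQUEST_READ"],
        "use": ["PRIVILEGED_API_REQUEST_CREATE", "PRIVILEGED_API_REQUEST_CLOSE"],
        "manage": ["PRIVILEGED_API_REQUEST_AUTHORIZE"],
    },
    "privileged-api-work-requests": {
        "inspect": ["PRIVILEGED_API_WORK_REQUEST_INSPECT"],
        "read": ["PRIVILEGED_API_WORK_REQUEST_READ"],
        "use": [],
        "manage": ["PRIVILEGED_API_WORK_REQUEST_DELETE"],
    },
}

# Simplified grammar (assumption): covers the statement shapes shown on this page.
STATEMENT = re.compile(
    r"^allow\s+(?P<subject>group\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Split one policy statement into subject, verb, resource, scope, condition."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    raw = m.group("subject")
    subject = "any-user" if raw.lower() == "any-user" else "group " + raw.split(None, 1)[1]
    return {
        "subject": subject,
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "scope": m.group("scope").lower(),
        "condition": m.group("condition"),  # reported, not evaluated
    }


def expand_resource_types(resource):
    """An aggregate resource-type stands for each individual type it covers."""
    return FAMILY.get(resource, [resource])


def permissions_for(verb, resource_type):
    """Cumulative permissions a verb grants on one resource-type."""
    table = INCREMENTAL[resource_type]
    granted = []
    for v in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        granted.extend(table[v])
    return granted


def effective_permissions(statements):
    """Map each subject to the set of API Access Control permissions it receives."""
    result = {}
    for s in statements:
        p = parse_statement(s)
        for rt in expand_resource_types(p["resource"]):
            if rt not in INCREMENTAL:
                continue  # not an API Access Control resource-type; out of scope here
            result.setdefault(p["subject"], set()).update(permissions_for(p["verb"], rt))
    return result


def over_granted(statements, subject, needed):
    """Permissions the statements give `subject` beyond the set its role needs."""
    granted = effective_permissions(statements).get(subject, set())
    return sorted(granted - set(needed))


# Constructed sample policy modelled on the page's examples (names are assumptions).
SAMPLE_POLICY = [
    "allow group AccessRequesters to use privileged-api-family in tenancy",
    "allow group AccessRequestApprovers to manage privileged-api-requests in tenancy",
    "allow group Admins to use database-family in tenancy",
]

if __name__ == "__main__":
    for subject, perms in effective_permissions(SAMPLE_POLICY).items():
        print(subject, sorted(perms))
    approver_needs = {"PRIVILEGED_API_REQUEST_INSPECT", "PRIVILEGED_API_REQUEST_READ",
                      "PRIVILEGED_API_REQUEST_AUTHORIZE"}
    print("approvers also get:", over_granted(SAMPLE_POLICY, "group AccessRequestApprovers", approver_needs))
```

Running the sample shows the separation the page's policies are built around: the requester group never receives PRIVILEGED_API_REQUEST_AUTHORIZE because use stops at CREATE and CLOSE, while the approver group, granted manage, also inherits CREATE and CLOSE through the cumulative model, which is worth knowing when an approver role is meant to be approve-only.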

Permissions Required for Each API Operation

Review the list of API operations for API Access Control resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Table 5-5 List of permissions for each API operation

Resource Kind Permissions
api-metadatas
  • API_METADATA_INSPECT
  • API_METADATA_READ
privileged-api-requests
  • PRIVILEGED_API_REQUEST_INSPECT
  • PRIVILEGED_API_REQUEST_CREATE
  • PRIVILEGED_API_REQUEST_READ
  • PRIVILEGED_API_REQUEST_AUTHORIZE
  • PRIVILEGED_API_REQUEST_CLOSE
privileged-api-controls
  • PRIVILEGED_API_CONTROL_INSPECT
  • PRIVILEGED_API_CONTROL_READ
  • PRIVILEGED_API_CONTROL_CREATE
  • PRIVILEGED_API_CONTROL_UPDATE
  • PRIVILEGED_API_CONTROL_DELETE
  • PRIVILEGED_API_CONTROL_MOVE
privileged-api-work-requests
  • PRIVILEGED_API_WORK_REQUEST_INSPECT
  • PRIVILEGED_API_WORK_REQUEST_READ
  • PRIVILEGED_API_WORK_REQUEST_DELETE

Table 5-6 Permissions required to use each API operation

API Operation Permissions required to use the operation
API Metadata
ListApiMetadata API_METADATA_INSPECT
GetApiMetadata API_METADATA_READ
Privileged API Controls
ListPrivilegedApiControls PRIVILEGED_API_CONTROL_INSPECT
CreatePrivilegedApiControl PRIVILEGED_API_CONTROL_CREATE
GetPrivilegedApiControl PRIVILEGED_API_CONTROL_READ
UpdatePrivilegedApiControl PRIVILEGED_API_CONTROL_UPDATE
DeletePrivilegedApiControl PRIVILEGED_API_CONTROL_DELETE
ChangePrivilegedApiControlCompartment PRIVILEGED_API_CONTROL_MOVE
Privileged API Requests
CreatePrivilegedApiRequest PRIVILEGED_API_REQUEST_CREATE
ListPrivilegedApiRequests PRIVILEGED_API_REQUEST_INSPECT
GetPrivilegedApiRequest PRIVILEGED_API_REQUEST_READ
ApprovePrivilegedApiRequest PRIVILEGED_API_REQUEST_AUTHORIZE
RejectPrivilegedApiRequest PRIVILEGED_API_REQUEST_AUTHORIZE
RevokePrivilegedApiRequest PRIVILEGED_API_REQUEST_AUTHORIZE
ClosePrivilegedApiRequest PRIVILEGED_API_REQUEST_CLOSE
Privileged API Work Requests
ListWorkRequests PRIVILEGED_API_WORK_REQUEST_INSPECT
GetWorkRequest PRIVILEGED_API_WORK_REQUEST_READ
CancelWorkRequest PRIVILEGED_API_WORK_REQUEST_DELETE
ListWorkRequestErrors PRIVILEGED_API_WORK_REQUEST_READ
ListWorkRequestLogs PRIVILEGED_API_WORK_REQUEST_READ