Using Defined Tags in Conditions
On Private Cloud Appliance, certain conditions evaluate the value of a defined tag that has been applied to a user, compartment, or resource. In these conditions, the predefined variable can be called a tag variable.
Using conditions with tag variables enables you to do the following:
- Write a single policy statement that applies to multiple user groups, compartments, or resources.
- Change the permissions that are granted without changing the policy statement. Instead, to allow or revoke access, apply tags to different resources or remove tags from resources.
See Tagging Resources (IAM on the Appliance) for information about how to create and apply defined tags.
The general syntax of a condition that uses tag variables is the same as the syntax of a condition that uses other condition variables:
variable op 'value'
The value of each of these three parts is specialized for tags.
- variable: Tag condition variables include the name of the tag namespace and the name of the key in the variable name: base_variable_name.tag_namespace_name.tag_key_name
- op: One of =, !=, in, or not in. The in and not in operations refer to members of the set of possible values for the tag.
- value: The value is a value of the defined tag. The value can be a single value or a list of values.
The following tag variables are supported:
request.principal.group.tag
This variable potentially grants access to multiple groups in one statement. The following statement allows any user that is a member of a group that has been tagged with tag Operations>Project>ABC to manage instance resources in compartment ProdX:
allow any-user to manage instance-family in compartment ProdX
where request.principal.group.tag.Operations.Project='ABC'
If you replace 'ABC' in the preceding statement with '*' or /*/, a user that is a member of a group that has been tagged with any value of Operations>Project could manage instance resources in compartment ProdX.
target.resource.compartment.tag
This variable potentially grants access to multiple compartments in one statement. The following statement allows users in group NetAdmins to use network resources in any compartment that has been tagged with either tag Operations>Project>ABC or tag Operations>Personnel>Test:
allow group NetAdmins to use virtual-network-family in tenancy where
any { target.resource.compartment.tag.Operations.Project='ABC',
target.resource.compartment.tag.Operations.Personnel='Test' }
If you replace any with all in the preceding statement, the statement allows users in group NetAdmins to use network resources in any compartment that has been tagged with both tag Operations>Project>ABC and tag Operations>Personnel>Test.
The following statement allows users in group NetAdmins to use network resources in any compartment that has been tagged with either tag Operations>Personnel>Development or tag Operations>Personnel>Test:
allow group NetAdmins to use virtual-network-family in tenancy where
target.resource.compartment.tag.Operations.Personnel in ('Development', 'Test')
target.resource.tag
This variable grants access to one or more resources of the specified type. The following statement allows group Xadmins to use any instance in compartment ProdX that is tagged with tag Operations>Project>XYZ:
allow group Xadmins to use instances in compartment ProdX
where target.resource.tag.Operations.Project = 'XYZ'
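To show how the conditions above resolve against tagged entities, here is an added example (not code from the Private Cloud Appliance or its documentation): a small Python evaluator for the variable op 'value' grammar, including any/all grouping and the '*' wildcard, run against the page's own statements. The tag values below and the rule that an entity lacking the referenced tag never satisfies a condition are assumptions of this example.

```python
# Added example, not code from the Private Cloud Appliance documentation:
# a small evaluator for tag conditions of the form  variable op 'value'.
# Assumption of this example: an entity that lacks the referenced tag never
# satisfies a condition (fail closed), whichever operator is used.

def tag_value(context, variable):
    """Resolve base_variable_name.tag_namespace_name.tag_key_name.
    context maps a base variable name (e.g. 'request.principal.group.tag')
    to {namespace: {key: value}}. Returns None if the tag is not applied."""
    base, namespace, key = variable.rsplit('.', 2)
    return context.get(base, {}).get(namespace, {}).get(key)

def evaluate(condition, context):
    """Evaluate one (variable, op, value) triple; '*' matches any tag value."""
    variable, op, value = condition
    actual = tag_value(context, variable)
    if actual is None:
        return False  # untagged group/compartment/resource: no match
    if op == '=':
        return value == '*' or actual == value
    if op == '!=':
        return actual != value
    if op == 'in':
        return actual in value  # value is the list of allowed tag values
    if op == 'not in':
        return actual not in value
    raise ValueError(f"unsupported operator: {op!r}")

def any_of(conditions, context):
    """where any { c1, c2, ... }: at least one condition must hold."""
    return any(evaluate(c, context) for c in conditions)

def all_of(conditions, context):
    """where all { c1, c2, ... }: every condition must hold."""
    return all(evaluate(c, context) for c in conditions)

# Constructed sample entities (tag values made up for this example).
GROUP_ABC = {'request.principal.group.tag': {'Operations': {'Project': 'ABC'}}}
COMPARTMENT_ABC_TEST = {'target.resource.compartment.tag':
                        {'Operations': {'Project': 'ABC', 'Personnel': 'Test'}}}
UNTAGGED_INSTANCE = {'target.resource.tag': {}}

if __name__ == '__main__':
    # The NetAdmins statement above with any {...} versus all {...}.
    conds = [('target.resource.compartment.tag.Operations.Project', '=', 'ABC'),
             ('target.resource.compartment.tag.Operations.Personnel', '=', 'Test')]
    print(any_of(conds, COMPARTMENT_ABC_TEST), all_of(conds, COMPARTMENT_ABC_TEST))
```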