Service Policies
You use authorization policies to control access to resources in your tenancy. For example, you can create a policy that authorizes users to create and manage Oracle Content Management instances.
You create policies using the Oracle Cloud Console. See Managing Policies.
The following information pertains to service policies for Oracle Content Management:
Resource Types for Oracle Content Management
This table lists the resource types for Oracle Content Management.
Resource Type | Description |
---|---|
oce-instance | A single Oracle Content Management instance. |
oce-instances | One or more Oracle Content Management instances. |
oce-workrequest | A single work request for Oracle Content Management.
Each operation you perform on an Oracle Content Management instance, creates a work request. For example, operations such as create, update, terminate, and so on. |
oce-workrequests | One or more work requests for Oracle Content Management. |
Supported Variables
The values of these variables are supplied by Oracle Content Management. In addition, other general variables are supported. See General Variables for All Requests.
This table lists the supported variables for Oracle Content Management.
Variable | Type | Description | Sample Value |
---|---|---|---|
target.compartment.id | entity | The OCID of the primary resource for the request. | target.compartment.id = 'ocid1.compartment.oc1..<unique_ID>' |
request.operation | string | The operation id (for example, 'GetUser') for the request. | request.operation = 'ocid1.compartment.oc1..<unique_ID>' |
target.resource.kind | string | The resource kind name of the primary resource for the request. | target.resource.kind = 'ocid1.contentexperiencecloudservice.oc1..<unique_ID>' |
Details for Verb and Resource-Type Combinations
Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). These tables list the Oracle Content Management permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage.
INSPECT
Resource Type | INSPECT Permissions |
---|---|
|
|
|
|
|
|
READ
Resource Type | READ Permissions |
---|---|
|
|
|
|
|
|
USE
Resource Type | USE Permissions |
---|---|
|
|
|
|
|
|
MANAGE
Resource Type | MANAGE Permissions |
---|---|
|
|
|
|
|
|
Permissions Required for Each API Operation
This table shows the API operations available for Oracle Content Management, grouped by resource type.
REST API Operation | CLI Command Operation | Permission Required to Use the Operation |
---|---|---|
ListOceInstances | oce-instance list | OCE_INSTANCE_INSPECT |
GetOceInstance | oce-instance get | OCE_INSTANCE_READ |
CreateOceInstance | oce-instance create | OCE_INSTANCE_CREATE |
DeleteOceInstance | oce-instance delete | OCE_INSTANCE_DELETE |
UpdateOceInstance | oce-instance update | OCE_INSTANCE_UPDATE |
ChangeOceInstanceCompartment | oce-instance change-compartment | OCE_INSTANCE_UPDATE |
ListWorkRequests | work-request list | OCE_INSTANCE_WORKREQUEST_INSPECT |
GetWorkRequest | work-request get | OCE_INSTANCE_WORKREQUEST_READ |
ListWorkRequestErrors | work-request-error list | OCE_INSTANCE_WORKREQUEST_INSPECT |
ListWorkRequestLogs | work-request-log list | OCE_INSTANCE_WORKREQUEST_INSPECT |
Example Policy Statements to Manage Oracle Content Management Instances
Here are typical policy statements that you might use to authorize access to Oracle Content Management instances.
When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual Oracle Content Management instances or compartments.
Let users in the Administrators group fully manage any Oracle Content Management instance
# Full admin permissions (CRUD)
allow group Administrators to manage oce-instances in tenancy
allow group Administrators to manage oce-workrequests in tenancy
# Full admin permissions (CRUD) using family
allow group Administrators to manage oce-instance-family in tenancy
Let users in the group1 group inspect any Oracle Content Management instance and their associated work requests
# Inspect permissions (list oce instances and work requests) using metaverbs:
allow group group1 to inspect oce-instances in tenancy
allow group group1 to inspect oce-workrequests in tenancy
# Inspect permissions (list oce instances and work requests) using permission names:
allow group group1 to {OCE_INSTANCE_INSPECT} in tenancy
allow group group1 to {OCE_INSTANCE_WORKREQUEST_INSPECT} in tenancy
Let users in the group2 group read details about any Oracle Content Management instance and their associated work requests
# Read permissions (read complete oce instance and work request metadata) using metaverbs:
allow group group2 to read oce-instances in tenancy
allow group group2 to read oce-workrequests in tenancy
# Read permissions (read complete oce instance and work request metadata) using permission names:
allow group group2 to {OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ} in tenancy
allow group group2 to {OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ} in tenancy
Let users in the group3 group read all Oracle Content Management instances and read their associated work requests
# Use permissions (read on oce instance, read on work request) using metaverbs:
allow group group3 to use oce-instances in tenancy
allow group group3 to read oce-workrequests in tenancy
# Use permissions (read on oce instance, read on work request) using permission names:
allow group group3 to {OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ, OCE_INSTANCE_UPDATE} in tenancy
allow group group3 to {OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ} in tenancy
Let users in the group4 group manage any Oracle Content Management instance and their associated work requests
# Manage permissions (use/delete on oce instance, read/cancel on work request) using metaverbs:
allow group group4 to manage oce-instances in tenancy
allow group group4 to manage oce-workrequests in tenancy
# Manage permissions (use/delete on oce instance, read/cancel on work request) using permission names:
allow group group4 to {OCE_INSTANCE_INSPECT, OCE_INSTANCE_READ, OCE_INSTANCE_UPDATE,OCE_INSTANCE_CREATE, OCE_INSTANCE_DELETE} in tenancy
allow group group4 to {OCE_INSTANCE_WORKREQUEST_INSPECT, OCE_INSTANCE_WORKREQUEST_READ} in tenancy