Creating Policies to Control Operator Access with Operator Access Control

5 Creating Policies to Control Operator Access with Operator Access Control

Learn to develop your own policies that use Actions to control access to Operator Access Control resources.

Note:

For an example policy, see Let database admins manage Exadata Cloud@Customer instances.

About Resource-Types and Operator Access Control Policies
Learn about resource-types that you can use in your policies.
Resource-Types for Operator Access Control
Review the list of resource-types specific to Operator Access Control.
Supported Variables for Operator Access Control
Use variables when adding conditions to a policy.
Details for Verb + Resource-Type Combinations
Review the list of permissions and API operations covered by each verb for Operator Access Control.
Permissions Required for Each API Operation
Review the list of API operations for Operator Control Access resources in a logical order, grouped by resource type.

Related Topics

How Policies Work

About Resource-Types and Operator Access Control Policies

Learn about resource-types that you can use in your policies.

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the operator-control-family is equivalent to writing three separate policies for the group that would grant access to the operator-control, operator-control-assignment, operator-control-accessrequest, and the rest of the individual resource-types. For more information, see Resource-Types.

Parent topic: Creating Policies to Control Operator Access with Operator Access Control

Resource-Types for Operator Access Control

Review the list of resource-types specific to Operator Access Control.

Aggregate Resource-Type

operator-control-family

Individual Resource-Types

operator-control
operator-control-assignment
operator-control-accessrequest

Parent topic: Creating Policies to Control Operator Access with Operator Access Control

Supported Variables for Operator Access Control

Use variables when adding conditions to a policy.

Operator Access Control supports only the general variables. For more information, see General Variables for All Requests.

Parent topic: Creating Policies to Control Operator Access with Operator Access Control

Details for Verb + Resource-Type Combinations

Review the list of permissions and API operations covered by each verb for Operator Access Control.

For more information, see Permissions, Verbs, and Resource-Types.

Operator-Control-Family Resource Types
Each Operator Access Control resource-type verb grants different levels of access.
operator-control-family
Review the list of permissions and API operations for operator-control-family resource-type.
operator-control
Review the list of permissions and API operations for operator-control resource-type.
operator-control-assignment
Review the list of permissions and API operations for operator-control-assignment resource-type.
operator-control-accessrequest
Review the list of permissions and API operations for operator-control-accessrequest resource-type.

Parent topic: Creating Policies to Control Operator Access with Operator Access Control

Operator-Control-Family Resource Types

Each Operator Access Control resource-type verb grants different levels of access.

The level of access is cumulative as you go from inspect to read, to use, and to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the operator-control resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.

Parent topic: Details for Verb + Resource-Type Combinations

operator-control-family

Review the list of permissions and API operations for operator-control-family resource-type.

Table 5-1 operator-control-family

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	`OPERATOR_CONTROL_INSPECT` `OPERATOR_CONTROL_ASSIGNMENT_INSPECT` `OPERATOR_CONTROL_ACCESSREQUEST_INSPECT`	`ListOperatorControls` `ListOperatorControlAssignments` `ListAccessRequests`	none
READ	INSPECT + `OPERATOR_CONTROL_READ` `OPERATOR_CONTROL_ASSIGNMENT_READ` `OPERATOR_CONTROL_ACCESSREQUEST_READ`	`GetOperatorControl` `GetOperatorControlAssignment` `GetAccessRequest`	none
USE	READ + `OPERATOR_CONTROL_UPDATE` `OPERATOR_CONTROL_ASSIGNMENT_UPDATE` `OPERATOR_CONTROL_ACCESSREQUEST_UPDATE`	`UpdateOperatorControl` `UpdateOperatorControlAssignment` `RevokeAccessRequest`	none
MANAGE	USE + `OPERATOR_CONTROL_CREATE` `OPERATOR_CONTROL_DELETE` `OPERATOR_CONTROL_MOVE` `OPERATOR_CONTROL_ASSIGNMENT_CREATE` `OPERATOR_CONTROL_ASSIGNMENT_DELETE` `OPERATOR_CONTROL_ASSIGNMENT_MOVE`	`CreateOperatorControl` `DeleteOperatorControl` `ChangeOperatorControlCompartment` `CreateOperatorControlAssignment` `DeleteOperatorControlAssignment` `ChangeOperatorControlAssignmentCompartment`	none

Parent topic: Details for Verb + Resource-Type Combinations

operator-control

Review the list of permissions and API operations for operator-control resource-type.

Table 5-2 operator-control

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	`OPERATOR_CONTROL_INSPECT`	`ListOperatorControls`	none
READ	INSPECT + `OPERATOR_CONTROL_READ`	`GetOperatorControl`	none
USE	READ + `OPERATOR_CONTROL_UPDATE`	`UpdateOperatorControl`	none
MANAGE	USE + `OPERATOR_CONTROL_CREATE` `OPERATOR_CONTROL_DELETE` `OPERATOR_CONTROL_MOVE`	`CreateOperatorControl` `DeleteOperatorControl` `ChangeOperatorControlCompartment`	none

Parent topic: Details for Verb + Resource-Type Combinations

operator-control-assignment

Review the list of permissions and API operations for operator-control-assignment resource-type.

Table 5-3 operator-control-assignment

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	`OPERATOR_CONTROL_ASSIGNMENT_INSPECT`	`ListOperatorControlAssignments`	none
READ	INSPECT + `OPERATOR_CONTROL_ASSIGNMENT_READ`	`GetOperatorControlAssignment`	none
USE	READ + `OPERATOR_CONTROL_ASSIGNMENT_UPDATE`	`UpdateOperatorControlAssignment`	none
MANAGE	USE + `OPERATOR_CONTROL_ASSIGNMENT_CREATE` `OPERATOR_CONTROL_ASSIGNMENT_DELETE` `OPERATOR_CONTROL_ASSIGNMENT_MOVE`	`CreateOperatorControlAssignment` `DeleteOperatorControlAssignment` `ChangeOperatorControlAssignmentCompartment`	none

Parent topic: Details for Verb + Resource-Type Combinations

operator-control-accessrequest

Review the list of permissions and API operations for operator-control-accessrequest resource-type.

Table 5-4 operator-control-accessrequest

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	`OPERATOR_CONTROL_ACCESSREQUEST_INSPECT`	none	none
READ	INSPECT + `OPERATOR_CONTROL_ACCESSREQUEST_READ`	`GetAccessRequest`	none
USE	READ +	none	none
MANAGE	USE + `OPERATOR_CONTROL_ACCESSREQUEST_UPDATE`	`ApproveAccessRequest` `RejectAccessRequest` `RevokeAccessRequest`	none

Parent topic: Details for Verb + Resource-Type Combinations

Permissions Required for Each API Operation

Review the list of API operations for Operator Control Access resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Note:

operator-control-accessrequest is special kind of resource. You cannot create it. Oracle operators create it and you will have ability to approve or reject the requests.

Table 5-5 Resource-Type and Permissions

Resource Type	Permissions
`operator-control-family`	`OPERATOR_CONTROL_INSPECT` `OPERATOR_CONTROL_READ` `OPERATOR_CONTROL_CREATE` `OPERATOR_CONTROL_UPDATE` `OPERATOR_CONTROL_DELETE` `OPERATOR_CONTROL_ASSIGNMENT_INSPECT` `OPERATOR_CONTROL_ASSIGNMENT_READ` `OPERATOR_CONTROL_ASSIGNMENT_CREATE` `OPERATOR_CONTROL_ASSIGNMENT_UPDATE` `OPERATOR_CONTROL_ASSIGNMENT_DELETE` `OPERATOR_CONTROL_ACCESSREQUEST_INSPECT` `OPERATOR_CONTROL_ACCESSREQUEST_READ` `OPERATOR_CONTROL_ACCESSREQUEST_UPDATE`
`operator-control`	`OPERATOR_CONTROL_INSPECT` `OPERATOR_CONTROL_READ` `OPERATOR_CONTROL_CREATE` `OPERATOR_CONTROL_UPDATE` `OPERATOR_CONTROL_DELETE` `OPERATOR_CONTROL_MOVE`
`operator-control-assignment`	`OPERATOR_CONTROL_ASSIGNMENT_INSPECT` `OPERATOR_CONTROL_ASSIGNMENT_READ` `OPERATOR_CONTROL_ASSIGNMENT_CREATE` `OPERATOR_CONTROL_ASSIGNMENT_UPDATE` `OPERATOR_CONTROL_ASSIGNMENT_DELETE` `OPERATOR_CONTROL_ASSIGNMENT_MOVE`
`operator-control-accessrequest`	`OPERATOR_CONTROL_ACCESSREQUEST_INSPECT` `OPERATOR_CONTROL_ACCESSREQUEST_READ` `OPERATOR_CONTROL_ACCESSREQUEST_UPDATE`

Table 5-6 Operator Access Control API Operations

API Operation	Permissions Required to Use the Operation
`CreateOperatorControl`	`OPERATOR_CONTROL_CREATE`
`DeleteOperatorControl`	`OPERATOR_CONTROL_DELETE`
`GetOperatorControl`	`OPERATOR_CONTROL_READ`
`ListOperatorControls`	`OPERATOR_CONTROL_INSPECT`
`UpdateOperatorControl`	`OPERATOR_CONTROL_UPDATE`
`CreateOperatorControlAssignment`	`OPERATOR_CONTROL_ASSIGNMENT_CREATE`
`GetOperatorControlAssignment`	`OPERATOR_CONTROL_ASSIGNMENT_READ`
`UpdateOperatorControlAssignment`	`OPERATOR_CONTROL_ASSIGNMENT_UPDATE`
`DeleteOperatorControlAssignment`	`OPERATOR_CONTROL_ASSIGNMENT_DELETE`
`ListOperatorControlAssignments`	`OPERATOR_CONTROL_ASSIGNMENT_INSPECT`
`GetAccessRequest`	`OPERATOR_CONTROL_ACCESSREQUEST_READ`
`ListAccessRequestHistories`	`OPERATOR_CONTROL_ACCESSREQUEST_LIST`
`ListAccessRequests`	`OPERATOR_CONTROL_ACCESSREQUEST_LIST`
`ApproveAccessRequest`	`OPERATOR_CONTROL_ACCESSREQUEST_UPDATE`
`RevokeAccessRequest`	`OPERATOR_CONTROL_ACCESSREQUEST_UPDATE`
`GetOperatorAction`	`OPERATOR_CONTROL_READ`
`ListOperatorActions`	`OPERATOR_CONTROL_INSPECT`
`ChangeOperatorControlCompartment`	`OPERATOR_CONTROL_MOVE`
`ChangeOperatorControlAssignmentCompartment`	`OPERATOR_CONTROL_ASSIGNMENT_MOVE`

Parent topic: Creating Policies to Control Operator Access with Operator Access Control