Write IAM Policies that Control Access to VB Studio

Identity and Access Management (IAM) is an Oracle service that helps you manage the permissions that control which OCI resources your users can access. You use IAM to control who is authenticated (signed in) and who is authorized (has permissions) to use resources. In essence, IAM ensures that the right users have the appropriate access to resources. For VB Studio, that means the vbstudio-instance resource. This topic provides information you can use to write policies that control this access.

Supported Variables

You use variables when you add conditions to a policy. These conditions are evaluated by the OCI authorization service when API requests are authorized.

For the complete list of general variables that are applicable to all requests, including those that can be used in policy statements authorizing VB Studio API requests, see General Variables for All Requests.

Details for Meta-Verb + Resource-Type Combinations

The following table shows the visualbuilder-instance resource type permissions and API operations that are covered by each meta-verb. The level of access is cumulative as you go from inspect to read to use to manage.

| Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT | VBS_INSTANCE_INSPECT | ListVbsInstances, ListWorkRequests | None |
| READ | Inherits from INSPECT: VBS_INSTANCE_INSPECT. Adds: VBS_INSTANCE_READ | GetVbsInstance, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs | None |
| USE | Inherits from READ: VBS_INSTANCE_INSPECT, VBS_INSTANCE_READ. Adds: VBS_INSTANCE_UPDATE | UpdateVbsInstance | None |
| MANAGE | Inherits from USE: VBS_INSTANCE_INSPECT, VBS_INSTANCE_READ, VBS_INSTANCE_UPDATE. Adds: VBS_INSTANCE_CREATE, VBS_INSTANCE_DELETE | CreateVbsInstance, DeleteVbsInstance | None |

Permissions Required for Each API Operation

These are the permissions that are required for each API operation for instances and work requests.

| API Operation | Permissions Required to Use the Operation | Description |
|---|---|---|
| ListVbsInstances | VBS_INSTANCE_INSPECT | List the VB Studio instances |
| GetVbsInstance | VBS_INSTANCE_READ | Get the VB Studio instance |
| CreateVbsInstance | VBS_INSTANCE_CREATE | Create a VB Studio instance |
| DeleteVbsInstance | VBS_INSTANCE_DELETE | Delete a VB Studio instance |
| UpdateVbsInstance | VBS_INSTANCE_UPDATE | Update a VB Studio instance |
| ListWorkRequests | VBS_INSTANCE_INSPECT | List a Visual Builder instance's work requests |
| GetWorkRequest | VBS_INSTANCE_READ | Get a Visual Builder instance's work request |
| ListWorkRequestErrors | VBS_INSTANCE_READ | List a Visual Builder instance's work request errors |
| ListWorkRequestLogs | VBS_INSTANCE_READ | List a Visual Builder instance's work request logs |

Sample OCI IAM Policy Statements that Grant These Permissions

This example grants fine-grained permissions to a group called devteam1:

Allow group devteam1 to {VBS_INSTANCE_INSPECT,VBS_INSTANCE_READ,VBS_INSTANCE_CREATE,VBS_INSTANCE_UPDATE,VBS_INSTANCE_DELETE,VBS_INSTANCE_MOVE} in tenancy

Here's another example that uses the friendlier meta-verbs to grant the same permissions to group devteam1 and a lesser set to another group, devteam2:

Allow group devteam1 to manage vbstudio-instances in tenancy

Allow group devteam2 to use vbstudio-instances in tenancy
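The following Python helper is an added example, not Oracle's code: it uses the two tables in this topic to expand a policy statement into its permissions and compare them with the API operations a group actually needs, which is a quick least-privilege check before a statement is deployed. The function names, the result keys and the `auditors` group in the usage note are assumptions made for illustration, and the parser only handles statements written as `Allow group <name> to ... in ...`.

```python
import re

# Cumulative meta-verb levels, transcribed from the meta-verb table in this topic.
LEVELS = [("inspect", {"VBS_INSTANCE_INSPECT"}), ("read", {"VBS_INSTANCE_READ"}),
          ("use", {"VBS_INSTANCE_UPDATE"}),
          ("manage", {"VBS_INSTANCE_CREATE", "VBS_INSTANCE_DELETE"})]
VERB_PERMS, _acc = {}, set()
for _verb, _added in LEVELS:
    _acc |= _added                      # each verb inherits everything below it
    VERB_PERMS[_verb] = frozenset(_acc)

# Permission required by each API operation, from the per-operation table.
API_PERM = {
    "ListVbsInstances": "VBS_INSTANCE_INSPECT",
    "GetVbsInstance": "VBS_INSTANCE_READ",
    "CreateVbsInstance": "VBS_INSTANCE_CREATE",
    "DeleteVbsInstance": "VBS_INSTANCE_DELETE",
    "UpdateVbsInstance": "VBS_INSTANCE_UPDATE",
    "ListWorkRequests": "VBS_INSTANCE_INSPECT",
    "GetWorkRequest": "VBS_INSTANCE_READ",
    "ListWorkRequestErrors": "VBS_INSTANCE_READ",
    "ListWorkRequestLogs": "VBS_INSTANCE_READ",
}

# Matches the two statement forms shown above: {PERMISSION,...} or a meta-verb.
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<verb>inspect|read|use|manage)\s+vbstudio-instances)"
    r"\s+in\s+\S.*$", re.IGNORECASE)

def granted_permissions(statement):
    """Return (group, set of permissions) for one policy statement."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    if m.group("verb"):
        return m.group("group"), set(VERB_PERMS[m.group("verb").lower()])
    perms = {p.strip().upper() for p in m.group("perms").split(",") if p.strip()}
    return m.group("group"), perms

def audit(statement, needed_ops):
    """Compare what a statement grants with the operations the group needs."""
    group, perms = granted_permissions(statement)
    allowed = {op for op, perm in API_PERM.items() if perm in perms}
    required = {API_PERM[op] for op in needed_ops}
    return {"group": group, "missing_ops": sorted(set(needed_ops) - allowed),
            "excess_permissions": sorted(perms - required),
            "not_in_tables": sorted(perms - set(API_PERM.values()))}
```

For example, `audit("Allow group auditors to inspect vbstudio-instances in tenancy", ["GetVbsInstance"])` reports `GetVbsInstance` under `missing_ops`, because that operation needs VBS_INSTANCE_READ. The `not_in_tables` key lists any granted permission that neither table in this topic maps to an API operation.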