Categorization with Defined Tags

This section describes how defined tags work and which permissions are required.

Tag Namespaces and Keys

Defined tags provide more features and control than free-form tags. Before you create a defined tag key, you first set up a tag namespace for it. You can think of the tag namespace as a container for a set of tag keys. Within each namespace, the tag keys must be unique, but a tag key name can be repeated across namespaces. When you create the tag key definition, you must choose the type of value, which also determines how the user applying the tag adds the value:

  • You can leave it empty so that a user can fill in the value.

  • You can create a list of values so that the user must choose from those values.

To apply a defined tag to a resource, a user first selects the tag namespace, then the tag key within that namespace, and then assigns the value. If the tag key was defined with an empty value, the user can type in a value or leave it blank. If the tag key was defined with a list, the user must select a value from that list.

Defined tags support policy, so you can control who is allowed to apply them. The tag namespace is the entity to which you apply policy: administrators can control which groups of users are allowed to use each namespace.

Permissions for Working with Defined Tags

Setting up and managing tag namespaces and key definitions is an administrator responsibility. Full management permissions for tag namespaces are required.

To apply, update, or remove defined tags for a resource, users must be granted use access for the tag namespaces they need to work with. Users must also have the permission to update the resource to which they apply a tag. For many resources, the update permission is granted with the use verb. For example, users who can use instances in CompartmentA can also apply, update, or remove defined tags for those instances. For resources that do not include the update permission with the use verb, you can create a policy statement to grant only the update permission from the manage verb.

Here are a few examples of policy statements related to tagging:

  • Administrators must be allowed to define tag namespaces and keys.

    Allow group TagAdmins to manage tag-namespaces in tenancy

  • Users are granted permission to apply tags from all namespaces in the tenancy, or a subset.

    Allow group GroupA to use tag-namespaces in tenancy

    or

    Allow group GroupA to use tag-namespaces in tenancy where target.tag-namespace.name='Operations'

    or

    Allow group GroupA to use tag-namespaces in tenancy where any {target.tag-namespace.name='Operations', target.tag-namespace.name='Support'}

  • Users are granted permission to update resources in order to apply tags.

    Allow group GroupA to use instance-family in compartment CompartmentA

    or

    Allow group GroupA to use vcns in compartment CompartmentA
    Allow group GroupA to manage vcns in compartment CompartmentA where request.permission='VCN_UPDATE'
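As an added example (not part of this documentation), the following Python checker applies the two-part rule described above to statements like the ones listed: a user needs use access on the tag namespace and update permission on the resource. Assumptions: the policy set is constructed, the parser recognises only the statement shapes shown on this page, and the set of resource types whose use verb includes update is a stand-in for the real verb tables, not a copy of them.

```python
import re

# Constructed policy set modelled on the page's examples (not a real tenancy's policy).
POLICY = """
Allow group TagAdmins to manage tag-namespaces in tenancy
Allow group GroupA to use tag-namespaces in tenancy where any {target.tag-namespace.name='Operations', target.tag-namespace.name='Support'}
Allow group GroupA to use instance-family in compartment CompartmentA
Allow group GroupA to manage vcns in compartment CompartmentA where request.permission='VCN_UPDATE'
""".strip().splitlines()

STMT = re.compile(r"^Allow group (\S+) to (inspect|read|use|manage) (\S+) in "
                  r"(tenancy|compartment \S+)(?: where (.+))?$")

# Assumption: resource types whose 'use' verb already carries the update permission
# (the page names instance-family; vcns is treated as needing manage instead).
USE_INCLUDES_UPDATE = {"instance-family"}

def parse(lines):
    """Return (group, verb, resource, scope, condition) tuples; unparsable lines are skipped."""
    return [m.groups() for m in (STMT.match(l.strip()) for l in lines) if m]

def _in_scope(scope, compartment):
    return scope == "tenancy" or scope == f"compartment {compartment}"

def can_use_namespace(stmts, group, namespace, compartment):
    """First requirement: 'use tag-namespaces', possibly limited by target.tag-namespace.name."""
    for g, verb, res, scope, cond in stmts:
        if (g != group or res != "tag-namespaces" or verb not in ("use", "manage")
                or not _in_scope(scope, compartment)):
            continue
        # 'any {...}' lists several names, a bare condition lists one, no condition means all.
        names = re.findall(r"target\.tag-namespace\.name='([^']+)'", cond or "")
        if cond is None or namespace in names:
            return True
    return False

def can_update_resource(stmts, group, resource, compartment):
    """Second requirement: update permission on the resource being tagged."""
    for g, verb, res, scope, cond in stmts:
        if g != group or res != resource or not _in_scope(scope, compartment):
            continue
        if cond is None and (verb == "manage" or res in USE_INCLUDES_UPDATE):
            return True  # unconditional manage, or a 'use' verb that carries update
        if verb == "manage" and cond and re.search(r"request\.permission='\w+_UPDATE'", cond):
            return True  # manage narrowed to just the *_UPDATE permission
    return False

def can_apply_tag(stmts, group, namespace, resource, compartment):
    """Applying a defined tag needs BOTH the namespace grant and the resource update grant."""
    return (can_use_namespace(stmts, group, namespace, compartment)
            and can_update_resource(stmts, group, resource, compartment))
```

Running the checker against the constructed policy shows GroupA can tag instances and VCNs in CompartmentA from the Operations and Support namespaces only, while TagAdmins can manage every namespace but cannot tag any resource without a separate update grant.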