Categorization with Defined Tags
This section describes how defined tags work and which permissions are required.
Tag Namespaces and Keys
Defined tags provide more features and control than free-form tags. Before you create a defined tag key, you first set up a tag namespace for it. You can think of the tag namespace as a container for a set of tag keys. Within each namespace, the tag keys must be unique, but a tag key name can be repeated across namespaces. When you create the tag key definition, you must choose the type of value, which also determines how the user applying the tag adds the value:
- You can leave the value empty so that the user fills in a value when applying the tag.
- You can define a list of allowed values so that the user must choose one of them.
To apply a defined tag to a resource, a user first selects the tag namespace, then the tag key within that namespace, and then assigns the value. If the key was defined with an empty value, the user can type in a value or leave it blank. If the key was defined with a list of values, the user must select one of the values from the list.
Defined tags can be governed by IAM policy, so you control who is allowed to apply them. The tag namespace is the entity that policy applies to: administrators grant or withhold the right to use each namespace per group, and a user who cannot use a namespace cannot apply, change, or remove any tag from it.
Permissions for Working with Defined Tags
Setting up and managing tag namespaces and key definitions is an administrator responsibility; it requires manage permission on tag-namespaces.
To apply, update, or remove defined tags on a resource, a user needs two separate things: use access to the tag namespaces they work with, and permission to update the resource the tag is applied to. For many resources the update permission is included in the use verb. For example, users who can use instances in CompartmentA can also apply, update, or remove defined tags on those instances. For resources whose use verb does not include the update permission, write a policy statement that grants only the update permission out of the manage verb (with a request.permission condition) rather than granting manage outright; that keeps tagging rights from turning into create or delete rights.
Here are a few examples of policy statements related to tagging:
- Administrators must be allowed to define tag namespaces and keys:
Allow group TagAdmins to manage tag-namespaces in tenancy
- Users are granted permission to apply tags from all namespaces in the tenancy, or only from a subset of them:
Allow group GroupA to use tag-namespaces in tenancy
or
Allow group GroupA to use tag-namespaces in tenancy where target.tag-namespace.name='Operations'
or
Allow group GroupA to use tag-namespaces in tenancy where any {target.tag-namespace.name='Operations', target.tag-namespace.name='Support'}
- Users are granted permission to update resources so that they can apply tags. For instances, use is enough. The vcns case shows a resource whose use verb does not include the update permission, so a second statement grants only VCN_UPDATE out of the manage verb:
Allow group GroupA to use instance-family in compartment CompartmentA
or
Allow group GroupA to use vcns in compartment CompartmentA
Allow group GroupA to manage vcns in compartment CompartmentA where request.permission='VCN_UPDATE'
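To make the two-part rule concrete, here is a small Python model added as an example. It is not OCI's authorization engine and not Oracle code: it parses only the statement shapes shown on this page and answers whether a group can apply a tag from a given namespace to a given resource. The permission table (which permissions the use and manage verbs carry for instance-family and vcns), the permission names INSTANCE_UPDATE and VCN_UPDATE, and the treatment of tag namespaces as living at the tenancy root are assumptions made for illustration; consult the OCI policy reference for the real verb-to-permission mapping.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of which permissions each verb carries for two
# resource types. It follows what the page states: 'use' on instance-family
# includes the update permission, 'use' on vcns does not. This table is an
# assumption for illustration, not the real OCI permission matrix.
VERB_PERMISSIONS = {
    "instance-family": {
        "use": {"INSTANCE_READ", "INSTANCE_UPDATE"},
        "manage": {"INSTANCE_READ", "INSTANCE_UPDATE", "INSTANCE_CREATE", "INSTANCE_DELETE"},
    },
    "vcns": {
        "use": {"VCN_READ", "VCN_ATTACH"},
        "manage": {"VCN_READ", "VCN_ATTACH", "VCN_CREATE", "VCN_UPDATE", "VCN_DELETE"},
    },
}
# Permission needed to change a resource, per resource type (assumed names).
UPDATE_PERMISSION = {"instance-family": "INSTANCE_UPDATE", "vcns": "VCN_UPDATE"}

# Only the statement shapes that appear on this page are recognised.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:tenancy|compartment (?P<compartment>\S+))"
    r"(?: where (?P<cond>.+))?$"
)


@dataclass
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]   # None: statement covers the whole tenancy
    namespaces: Optional[set]    # target.tag-namespace.name restriction, if any
    permission: Optional[str]    # request.permission restriction, if any


def parse(text: str) -> Statement:
    """Parse one policy statement; raises on syntax this model does not cover."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    namespaces = permission = None
    cond = m.group("cond")
    if cond:
        if cond.startswith("all {"):
            raise ValueError("all {...} conditions are not modelled here")
        # Works for a single condition and for `any {c1, c2}`: every listed name is accepted.
        names = re.findall(r"target\.tag-namespace\.name='([^']+)'", cond)
        perm = re.search(r"request\.permission='([^']+)'", cond)
        if not names and not perm:
            raise ValueError(f"unsupported condition: {cond!r}")
        namespaces = set(names) if names else None
        permission = perm.group(1) if perm else None
    return Statement(m["group"], m["verb"], m["resource"], m["compartment"], namespaces, permission)


def _in_scope(stmt: Statement, compartment: Optional[str]) -> bool:
    """A tenancy-wide statement covers every compartment; otherwise compartments must match."""
    return stmt.compartment is None or stmt.compartment == compartment


def group_has_permission(statements, group, resource, compartment, permission) -> bool:
    """Does any statement give `group` the named permission on `resource` in `compartment`?"""
    for s in statements:
        if s.group != group or s.resource != resource or not _in_scope(s, compartment):
            continue
        granted = VERB_PERMISSIONS[resource].get(s.verb, set())
        if s.permission is not None:
            # `where request.permission='X'` narrows the verb to that single permission.
            granted = granted & {s.permission}
        if permission in granted:
            return True
    return False


def can_use_namespace(statements, group, namespace, namespace_compartment=None) -> bool:
    """First half of the rule: use (or manage) on the tag namespace itself."""
    for s in statements:
        if s.group != group or s.resource != "tag-namespaces" or s.verb not in ("use", "manage"):
            continue
        if not _in_scope(s, namespace_compartment) or s.permission is not None:
            continue
        if s.namespaces is None or namespace in s.namespaces:
            return True
    return False


def can_apply_tag(statements, group, namespace, resource, compartment, namespace_compartment=None) -> bool:
    """Both halves must hold: use on the namespace AND the update permission on the resource."""
    return can_use_namespace(statements, group, namespace, namespace_compartment) and \
        group_has_permission(statements, group, resource, compartment, UPDATE_PERMISSION[resource])


# The page's own statements, assembled into one constructed sample policy.
POLICY = [parse(s) for s in [
    "Allow group TagAdmins to manage tag-namespaces in tenancy",
    "Allow group GroupA to use tag-namespaces in tenancy where any {target.tag-namespace.name='Operations', target.tag-namespace.name='Support'}",
    "Allow group GroupA to use instance-family in compartment CompartmentA",
    "Allow group GroupA to use vcns in compartment CompartmentA",
]]
# Same policy plus the narrowed manage statement the page recommends for vcns.
POLICY_WITH_VCN_UPDATE = POLICY + [
    parse("Allow group GroupA to manage vcns in compartment CompartmentA where request.permission='VCN_UPDATE'"),
]

if __name__ == "__main__":
    for ns, res, comp in [("Operations", "instance-family", "CompartmentA"),
                          ("Finance", "instance-family", "CompartmentA"),
                          ("Support", "vcns", "CompartmentA")]:
        print(ns, res, comp, can_apply_tag(POLICY, "GroupA", ns, res, comp))
    print("vcns with narrowed manage:",
          can_apply_tag(POLICY_WITH_VCN_UPDATE, "GroupA", "Support", "vcns", "CompartmentA"))
```

Run as a script, the model reports that GroupA can tag instances in CompartmentA from the Operations namespace, cannot use the Finance namespace at all, and cannot tag VCNs until the narrowed manage statement is added; even then, group_has_permission shows the group still has no VCN_CREATE, which is the point of granting a single permission out of manage instead of the whole verb.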