IAM Policies

To use Resource Manager from the OCI console, the group needs the following IAM policy.

Allow group <group-name> to manage orm-family in compartment <compartment-name>

IAM permissions to run VCN stack

You need the following permissions to run the VCN stack.

At a broader level, you need these permissions.

Allow group <group-name> to manage objects-family in compartment <compartment-name>
Allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

At a granular level, you need these permissions.

Allow group <group-name> to manage objectstorage-namespaces in compartment <compartment-name>
Allow group <group-name> to manage buckets in compartment <compartment-name>
Allow group <group-name> to manage vcns in compartment <compartment-name>
Allow group <group-name> to manage subnets in compartment <compartment-name>
Allow group <group-name> to manage route-tables in compartment <compartment-name>
Allow group <group-name> to manage network-security-groups in compartment <compartment-name>
Allow group <group-name> to manage security-lists in compartment <compartment-name>
Allow group <group-name> to manage dhcp-options in compartment <compartment-name>
Allow group <group-name> to manage internet-gateways in compartment <compartment-name>
Allow group <group-name> to manage nat-gateways in compartment <compartment-name>
Allow group <group-name> to manage service-gateways in compartment <compartment-name>
Allow group <group-name> to manage local-peering-gateways in compartment <compartment-name>
Allow group <group-name> to manage drgs in compartment <compartment-name>
Allow group <group-name> to manage private-ips in compartment <compartment-name>
Allow group <group-name> to manage volume-attachments in compartment <compartment-name>
Allow group <group-name> to manage instance-console-connection in compartment <compartment-name>

IAM permissions to run SBC stack

At a broader level, you need these permissions.

Allow group <group-name> to manage objects-family in compartment <compartment-name>
Allow group <group-name> to manage instance-family in compartment <compartment-name>

At a granular level, you need these permissions.

Allow group <group-name> to manage objectstorage-namespaces in compartment <compartment-name>
Allow group <group-name> to manage buckets in compartment <compartment-name>
Allow group <group-name> to manage objects in compartment <compartment-name>
Allow group <group-name> to use private-ips in compartment <compartment-name>
Allow group <group-name> to use public-ips in compartment <compartment-name>
Allow group <group-name> to use vnics in compartment <compartment-name>
Allow group <group-name> to use vnic-attachments in compartment <compartment-name>
Allow group <group-name> to use subnets in compartment <compartment-name>
Allow group <group-name> to read vcn in compartment <compartment-name>
Allow group <group-name> to read instance-images in compartment <compartment-name>
Allow group <group-name> to use network-security-groups in compartment <compartment-name>
Allow group <group-name> to read app-catalog-listing in compartment <compartment-name>
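The granular lists for the VCN and SBC stacks are the least-privilege target; the family aggregates grant more than either stack needs. The following added script (not part of this page or of the Resource Manager stacks) parses policy statements in the "Allow group ... in compartment ..." form used above and compares what a group already holds against a required set, reporting grants that are missing, stronger than needed (using the OCI verb order inspect < read < use < manage), or not needed at all. The sample statements are constructed; the script assumes all statements name the same group and compartment and does not expand family aggregates.

```python
import re

# OCI policy verbs from weakest to strongest; each includes the rights of those
# before it, so a "manage" grant also satisfies a "use" or "read" requirement.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
RANK_VERB = {rank: verb for verb, rank in VERB_RANK.items()}
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)\s+in\s+compartment\s+(?P<compartment>\S+)$",
    re.IGNORECASE)

def parse_statement(statement):
    """Split one 'Allow group G to VERB RESOURCE in compartment C' statement."""
    match = STATEMENT_RE.match(statement.strip())
    if not match:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    return {key: value.lower() for key, value in match.groupdict().items()}

def strongest_verbs(statements):
    """Map each resource type to the strongest verb rank granted for it."""
    ranks = {}
    for parts in map(parse_statement, statements):
        ranks[parts["resource"]] = max(ranks.get(parts["resource"], -1),
                                       VERB_RANK[parts["verb"]])
    return ranks

def audit(required, granted):
    """Compare a group's existing grants with the required granular set.
    Returns (missing, over_privileged, unneeded): resources granted nothing or
    a weaker verb than required, resources granted a stronger verb than needed
    as (resource, granted, needed) tuples, and grants the stack never uses."""
    need, have = strongest_verbs(required), strongest_verbs(granted)
    missing = sorted(r for r, rank in need.items() if have.get(r, -1) < rank)
    over = sorted((r, RANK_VERB[have[r]], RANK_VERB[rank])
                  for r, rank in need.items() if have.get(r, -1) > rank)
    unneeded = sorted(r for r in have if r not in need)
    return missing, over, unneeded

# Constructed sample: three of the SBC stack's granular requirements above, and
# a hypothetical policy the group already holds in the same compartment.
REQUIRED = [
    "Allow group <group-name> to manage buckets in compartment <compartment-name>",
    "Allow group <group-name> to use private-ips in compartment <compartment-name>",
    "Allow group <group-name> to read app-catalog-listing in compartment <compartment-name>",
]
GRANTED = [
    "Allow group <group-name> to manage buckets in compartment <compartment-name>",
    "Allow group <group-name> to manage private-ips in compartment <compartment-name>",
    "Allow group <group-name> to manage drgs in compartment <compartment-name>",
]
```

Running `audit(REQUIRED, GRANTED)` on the sample flags app-catalog-listing as missing, private-ips as over-privileged (manage granted, use needed) and drgs as a grant the SBC stack does not use.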