This image shows the syntax of a policy statement, the supported policy verbs, and a few examples of the resource types.

You write policy statements in the following syntax:
Allow <subject> to <verb> <resource-type> in <location> where <conditions>
  • subject is a group of users or instances.
  • verb specifies the type of access (inspect, read, use, or manage) that the policy grants permission for.
  • resource-type is a resource or group of resources (such as databases, compute instances, block volumes) that the subject can access.
  • location is the compartment that the permission applies to.
  • conditions enable you to constrain the permission at a more granular level.
The supported verbs are:
  • inspect: Ability to list resources
  • read: Includes inspect, plus the ability to get user-specified metadata or the actual resource
  • use: Includes read, plus the ability to work with existing resources (the actions vary by resource type)
  • manage: Includes all permissions
The following are a few examples of resource types:
  • all-resources: Any resource
  • database-family: Includes db-systems, db-homes, and databases
  • instance-family: Includes instances, instance-images, volume-attachments, and console-histories
  • object-family: Includes buckets and objects
  • virtual-network-family: Includes vcn, subnet, route-tables, security-lists, and dhcp-options
  • volume-family: Includes volumes, volume-attachments, and volume-backups
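The following checker is an added example, not code from the page or from Oracle's own tooling: it parses a statement in the syntax above, rejects verbs outside the supported set, and applies the verb hierarchy and resource families listed above to decide whether a given grant covers a requested action. The subject forms (group, dynamic-group) and location forms (tenancy, compartment) it accepts are assumptions.

```python
import re

# Verb hierarchy as described above: each verb includes the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource types from the list above; all-resources matches anything.
FAMILIES = {
    "database-family": {"db-systems", "db-homes", "databases"},
    "instance-family": {"instances", "instance-images",
                        "volume-attachments", "console-histories"},
    "object-family": {"buckets", "objects"},
    "virtual-network-family": {"vcn", "subnet", "route-tables",
                               "security-lists", "dhcp-options"},
    "volume-family": {"volumes", "volume-attachments", "volume-backups"},
}

# Assumed grammar (not from the page): subject is "group NAME" or
# "dynamic-group NAME"; location is "tenancy" or "compartment NAME".
STATEMENT = re.compile(
    r"^Allow\s+(?P<subject>(?:dynamic-)?group\s+\S+)\s+to\s+(?P<verb>\S+)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<conditions>.+))?\s*$", re.IGNORECASE)


def parse_statement(text):
    """Split one policy statement into its parts, rejecting unknown verbs."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError("not a well-formed policy statement: %r" % text)
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    if parts["verb"] not in VERB_RANK:
        raise ValueError("unsupported verb %r (expected inspect/read/use/manage)"
                         % parts["verb"])
    return parts


def grants(statement, verb, resource_type):
    """True if the statement's verb and resource type cover the requested access."""
    s = parse_statement(statement)
    covered = (s["resource"] == "all-resources" or s["resource"] == resource_type
               or resource_type in FAMILIES.get(s["resource"], set()))
    return covered and VERB_RANK[s["verb"]] >= VERB_RANK[verb]


def is_over_broad(statement):
    """Flag 'manage all-resources in tenancy', the widest grant this syntax allows."""
    s = parse_statement(statement)
    return (s["verb"] == "manage" and s["resource"] == "all-resources"
            and s["location"].lower() == "tenancy")
```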