This image shows the syntax of a policy statement, the supported policy verbs, and a few examples of the resource types.
You write policy statements in the following syntax:
Allow <subject> to <verb> <resource-type> in <location> where <conditions>
subject
is a group of users or instances.
verb
specifies the type of access (inspect, read, use, or manage) that the policy grants permission for.
resource-type
is a resource or group of resources (such as databases, compute instances, block volumes) that the subject can access.
location
is the compartment that the permission applies to.
conditions
enable you to constrain the permission at a more granular level.
The supported verbs are:
inspect
: Ability to list resources
read
: Includes inspect, plus the ability to get user-specified metadata or the actual resource
use
: Includes read, plus the ability to work with existing resources (the actions vary by resource type)
manage
: Includes all permissions
The following are a few examples of resource types:
all-resources
: Any resource
database-family
: Includes db-systems, db-homes, and databases
instance-family
: Includes instances, instance-images, volume-attachments, and console-histories
object-family
: Includes buckets and objects
virtual-network-family
: Includes vcn, subnet, route-tables, security-lists, and dhcp-options
volume-family
: Includes volumes, volume-attachments, and volume-backups
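The following is an added example, not part of the page or Oracle's own tooling, that turns the syntax, the verb hierarchy and the resource-family list above into a small Python policy checker: it parses statements written in the Allow ... to ... in ... where ... form, rejects unsupported verbs, answers whether a statement covers a given verb on a given resource type (a family covers its member types, all-resources covers everything, a stronger verb includes the weaker ones), and flags the broadest grants for review. The keyword forms used in the constructed sample policy (group <name>, compartment <name>, tenancy), the # comment syntax, and the request.region condition are assumptions made for the demonstration, and the family table holds only the member types the page names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The four verbs listed on the page, weakest first. Each verb includes the ones
# before it: read includes inspect, use includes read, manage includes all.
VERBS = ["inspect", "read", "use", "manage"]

# Aggregate resource types and the member types the page names for each.
# These are only the page's examples, not the full catalogue of resource types.
RESOURCE_FAMILIES = {
    "database-family": {"db-systems", "db-homes", "databases"},
    "instance-family": {"instances", "instance-images", "volume-attachments", "console-histories"},
    "object-family": {"buckets", "objects"},
    "virtual-network-family": {"vcn", "subnet", "route-tables", "security-lists", "dhcp-options"},
    "volume-family": {"volumes", "volume-attachments", "volume-backups"},
}

# Grammar from the page: Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
# Subject and location are treated as free text; the keyword forms in the sample
# policy below ("group <name>", "compartment <name>", "tenancy") are assumptions.
_STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>.+?)(?:\s+where\s+(?P<conditions>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class PolicyStatement:
    subject: str
    verb: str
    resource_type: str
    location: str
    conditions: Optional[str] = None


def parse_statement(text: str) -> PolicyStatement:
    """Parse one statement; reject anything outside the page's grammar or verb set."""
    m = _STATEMENT.match(text)
    if not m:
        raise ValueError(f"not a policy statement: {text!r}")
    verb = m["verb"].lower()
    if verb not in VERBS:
        raise ValueError(f"unsupported verb {verb!r}; expected one of {VERBS}")
    return PolicyStatement(
        subject=m["subject"].strip(),
        verb=verb,
        resource_type=m["resource"].lower(),
        location=m["location"].strip(),
        conditions=m["conditions"].strip() if m["conditions"] else None,
    )


def parse_policy(text: str) -> list[PolicyStatement]:
    """Parse a multi-line policy, skipping blank lines and '#' comments (comment syntax is an assumption)."""
    return [
        parse_statement(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def verb_covers(granted: str, needed: str) -> bool:
    """A grant of `granted` satisfies `needed` when it is the same verb or a stronger one."""
    return VERBS.index(granted) >= VERBS.index(needed)


def resource_covers(granted: str, needed: str) -> bool:
    """all-resources covers everything; a family covers its member types; otherwise exact match."""
    if granted == "all-resources" or granted == needed:
        return True
    return needed in RESOURCE_FAMILIES.get(granted, set())


def statement_grants(stmt: PolicyStatement, verb: str, resource_type: str) -> bool:
    """Does this statement (ignoring location and conditions) permit `verb` on `resource_type`?"""
    return verb_covers(stmt.verb, verb) and resource_covers(stmt.resource_type, resource_type)


def review_statement(stmt: PolicyStatement) -> list[str]:
    """Least-privilege findings derived only from the verb and resource-type definitions above."""
    findings = []
    if stmt.resource_type == "all-resources":
        findings.append("resource-type all-resources: applies to every resource type")
    if stmt.verb == "manage":
        findings.append("verb manage: includes all permissions on the resource type")
    if stmt.conditions is None:
        findings.append("no where clause: nothing constrains the grant further")
    return findings


# Constructed sample policy; the group, compartment and condition values are made up.
SAMPLE_POLICY = """
# Network team owns networking in the Prod compartment
Allow group NetworkAdmins to manage virtual-network-family in compartment Prod
# Auditors may only list things, anywhere in the tenancy
Allow group Auditors to inspect all-resources in tenancy
# Hypothetical condition narrowing a grant
Allow group DBAs to use databases in compartment Prod where request.region = 'example-region'
"""

if __name__ == "__main__":
    for stmt in parse_policy(SAMPLE_POLICY):
        print(stmt)
        print("  grants read on subnet:", statement_grants(stmt, "read", "subnet"))
        for finding in review_statement(stmt):
            print("  review:", finding)
```

Running the script prints each parsed statement with the review findings; the interesting cases are that the Auditors statement covers inspect on databases but not read (inspect is the weakest verb), and that the NetworkAdmins statement covers read on subnet (a member of virtual-network-family) but nothing in instance-family.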