Policy Statement Syntax
The overall syntax of a policy statement is as follows:
Allow <subject> to <verb> <resource-type> in <location> where <conditions>
Additional spaces or line breaks in the statement have no effect.
Subject
Specify a group by name or OCID. You can specify multiple groups separated by commas. To cover all users in the tenancy, specify any-user.
These examples show how you can specify the subject in a policy statement.
- To specify a single group by name:
  Allow group A-admins to manage all-resources in compartment Project-A
- To specify multiple groups by name (a space after the comma is optional):
  Allow group A-admins, B-admins to manage all-resources in compartment Projects
- To specify a single group by OCID (the OCID is shortened for brevity):
  Allow group id ocid1.group...........<group1_unique_id> to manage all-resources in compartment Project-A
- To specify multiple groups by OCID (the OCIDs are shortened for brevity):
  Allow group id ocid1.group...........<group1_unique_id>, group id ocid1.group...........<group2_unique_id> to manage all-resources in compartment Projects
- To specify any user in the tenancy:
  Allow any-user to inspect users in tenancy
Verb
Specify a single verb. A statement grants exactly one verb; to grant different verbs on different resource types, write separate statements.
  Allow group A-admins to manage all-resources in compartment Project-A
The policy syntax supports the following verbs, ordered by increasing permissions. Each verb includes everything granted by the verbs below it, so a statement with manage also grants use, read, and inspect.
Verb | Type of Access | Target User
---|---|---
inspect | Ability to list resources, without access to any confidential information or user-specified metadata that might be part of that resource. | Third-party auditors
read | Includes inspect, plus the ability to get user-specified metadata and the actual resource itself. | Internal auditors
use | Includes read, plus the ability to work with existing resources (the actions vary by resource type). Includes the ability to update the resource, except for resource types where the "update" operation has the same effective impact as the "create" operation; for those types, update is available only with manage. In general, this verb does not include the ability to create or delete that type of resource. | Day-to-day end users of resources
manage | Includes all permissions for the resource. | Administrators
The verb gives a certain general type of access. For example, inspect lets you list and get resources. You then join that type of access with a particular resource type in a policy; for example, allow group XYZ to inspect compartments in the tenancy. As a result, that group gains access to a specific set of permissions and API operations, for example ListCompartments and GetCompartment.
Resource Type
Specify a single resource-type, which can be:
- An individual resource type; for example: vcns, subnets, instances, volumes, etc.
- A family resource type; for example: virtual-network-family, instance-family, volume-family, etc. A family resource type covers a variety of individual resource types that are typically used together.
- all-resources: Covers all resources in the compartment or tenancy.
These examples show how you can specify the resource type in a policy statement.
- To specify a single resource type:
  Allow group HelpDesk to manage users in tenancy
- To specify multiple resource types, use separate statements:
  Allow group A-users to manage instance-family in compartment Project-A
  Allow group A-users to manage volume-family in compartment Project-A
- To specify all resources in the compartment or tenancy:
  Allow group A-admins to manage all-resources in compartment Project-A
Here is an overview of the family resource types that can be used in policy statements:
Family Resource Type | Description
---|---
volume-family | This aggregate resource covers all individual resource types related to block volumes.
virtual-network-family | This aggregate resource covers all individual resource types related to the networking service. For example: VCNs, subnets, route tables, gateways, VNICs, network security groups, and so on.
file-family | This aggregate resource covers all individual resource types related to the file storage service.
object-family | This aggregate resource covers all individual resource types related to the object storage service.
compute-container-family | This aggregate resource covers all individual resource types related to the container instances service.
Location
Specify a single compartment by name or OCID, or specify tenancy to cover the entire tenancy. Remember that users, groups, and compartments reside in the tenancy. Policies can be attached to either the tenancy or a child compartment.
The location is required in the statement. To attach a policy to a compartment, you must be in that compartment when you create the policy. A policy attached to a compartment can only grant access to that compartment and its child compartments; a statement that must cover sibling compartments or the whole tenancy has to be attached at a common parent or at the tenancy.
These examples show how you can specify the location in a policy statement.
- To specify a compartment by name:
  Allow group A-admins to manage all-resources in compartment Project-A
- To specify a compartment by OCID:
  Allow group A-admins to manage all-resources in compartment id ocid1.compartment.oc1..aaaaaaaaexampleocid
- To specify multiple compartments, use separate statements:
  Allow group InstanceAdmins to manage instance-family in compartment Project-A
  Allow group InstanceAdmins to manage instance-family in compartment Project-B
  Allow group InstanceAdmins to manage instance-family in compartment id ocid1.compartment.oc1..aaaaaaaayzexampleocid
  Allow group InstanceAdmins to manage instance-family in compartment id ocid1.compartment.oc1..abcabcabcexampledocid
Conditions
Specify one or more conditions. With multiple conditions, wrap them in braces and prefix the list with any or all for a logical OR or AND, respectively.
These are the types of values you can use in conditions:
Value Type | Examples
---|---
String | Single quotation marks are required around the value; for example, target.compartment.id != 'ocid1.compartment.oc1..aaaaaaaaexampleocid'
Pattern | Forward slashes are required around the value, and * matches any sequence of characters; for example, target.group.name = /A-Users-*/
These examples show how you can specify conditions in a policy statement.
In the example statements, a condition that matches group names on its own makes it impossible for GroupAdmins to list all users and groups: the list operation does not name a specific group, so there is no value for the condition variable target.group.name to match and the condition is never met. To resolve this, a second statement with the inspect verb (which carries no condition) is added.
- The following policy enables the GroupAdmins group to create, update, or delete any groups with names that start with "A-Users-":
  Allow group GroupAdmins to manage groups in tenancy where target.group.name = /A-Users-*/
  Allow group GroupAdmins to inspect groups in tenancy
- The following policy enables the NetworkAdmins group to manage cloud networks in any compartment except the one specified:
  Allow group NetworkAdmins to manage virtual-network-family in tenancy where target.compartment.id != 'ocid1.compartment.oc1..aaaaaaaaexampleocid'
- The following policy uses multiple conditions and lets GroupAdmins create, update, or delete any groups whose names start with "A-", except for the A-Admins group itself:
  Allow group GroupAdmins to manage groups in tenancy where all {target.group.name=/A-*/,target.group.name!='A-Admins'}
  Allow group GroupAdmins to inspect groups in tenancy
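The full statement grammar and the condition semantics described above, as an added worked example that is not code from the OCI documentation or from Oracle: a small Python parser and evaluator that splits a statement into subject, verb, resource type, location and conditions, then decides whether a simulated request is allowed. It encodes the verb ordering (a statement granting manage also satisfies a use, read or inspect request), the any/all condition logic, the string and pattern value types, and the list-operation problem from the text (a condition on a variable the request does not carry is never met). The family membership table, the exact-match compartment comparison, the case-sensitive value comparison and the assumption that condition values contain no commas are simplifications of this example, not OCI behaviour; real OCI resolves compartment hierarchies and the full family contents.

```python
import re

# Verbs in the page's order; a statement granting a verb also covers every verb of lower rank.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Constructed, illustrative subset of family membership (the real families cover more types).
FAMILIES = {"virtual-network-family": {"vcns", "subnets"}, "volume-family": {"volumes"}}

STATEMENT_RE = re.compile(
    r"^allow (?P<subject>.+?) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?P<location>tenancy|compartment(?: id)? \S+)(?: where (?P<conditions>.+))?$",
    re.IGNORECASE,
)
CONDITION_RE = re.compile(r"^(?P<var>[\w.]+)\s*(?P<op>!=|=)\s*(?P<val>'[^']*'|/[^/]*/)$")

def _parse_subject(text):
    """'any-user' -> None (matches everyone); otherwise the set of group names/OCIDs."""
    if text.lower() == "any-user":
        return None
    if not text.lower().startswith("group "):
        raise ValueError(f"unsupported subject: {text!r}")
    groups = set()
    for part in text[len("group "):].split(","):
        part = part.strip()
        for prefix in ("group ", "id "):  # handles 'group id X, group id Y'
            if part.lower().startswith(prefix):
                part = part[len(prefix):].strip()
        groups.add(part)
    return groups

def _parse_condition(text):
    m = CONDITION_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad condition: {text!r}")
    var, op, val = m.group("var"), m.group("op"), m.group("val")
    if val.startswith("'"):
        return (var, op, "string", val[1:-1])
    # Pattern value: '*' is a wildcard, everything else is literal text.
    regex = ".*".join(re.escape(piece) for piece in val[1:-1].split("*"))
    return (var, op, "pattern", re.compile(f"^{regex}$"))

def _parse_conditions(text):
    if text is None:
        return ("all", [])
    m = re.match(r"^(any|all)\s*\{(.*)\}$", text, re.IGNORECASE)
    if not m:
        return ("all", [_parse_condition(text)])
    # Assumption of this example: condition values never contain a comma.
    return (m.group(1).lower(), [_parse_condition(p) for p in m.group(2).split(",")])

def parse_statement(text):
    """Split one statement into its parts; extra spaces and line breaks are ignored."""
    m = STATEMENT_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"not a policy statement: {text!r}")
    loc = m.group("location")
    return {
        "groups": _parse_subject(m.group("subject")),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "location": "tenancy" if loc.lower() == "tenancy" else loc.split()[-1],
        "conditions": _parse_conditions(m.group("conditions")),
    }

def _condition_holds(cond, target):
    var, op, kind, val = cond
    actual = target.get(var)
    if actual is None:
        # No value to match (a list operation names no target group): not met, whatever the operator.
        return False
    hit = actual == val if kind == "string" else val.match(actual) is not None
    return hit if op == "=" else not hit

def authorizes(stmt, group, verb, resource, compartment, target=None):
    """Does one parsed statement allow the request? Compartments are matched by exact name/OCID."""
    if stmt["groups"] is not None and group not in stmt["groups"]:
        return False
    if VERB_RANK[verb] > VERB_RANK[stmt["verb"]]:
        return False
    r = stmt["resource"]
    if r != "all-resources" and r != resource and resource not in FAMILIES.get(r, ()):
        return False
    if stmt["location"] not in ("tenancy", compartment):
        return False
    mode, conds = stmt["conditions"]
    results = [_condition_holds(c, target or {}) for c in conds]
    return all(results) if mode == "all" else any(results)

def is_allowed(policy_text, group, verb, resource, compartment, target=None):
    """Evaluate a policy given as one statement per line; any matching statement allows."""
    stmts = [parse_statement(line) for line in policy_text.splitlines() if line.strip()]
    return any(authorizes(s, group, verb, resource, compartment, target) for s in stmts)

# Policies built from the statements on this page.
ADMIN_POLICY = "Allow group A-admins to manage all-resources in compartment Project-A"
ANY_USER_POLICY = "Allow any-user to inspect users in tenancy"
NETWORK_POLICY = ("Allow group NetworkAdmins to manage virtual-network-family in tenancy "
                  "where target.compartment.id != 'ocid1.compartment.oc1..aaaaaaaaexampleocid'")
GROUP_POLICY = ("Allow group GroupAdmins to manage groups in tenancy where all {target.group.name=/A-*/,target.group.name!='A-Admins'}\n"
                "Allow group GroupAdmins to inspect groups in tenancy")
```

Calling is_allowed(GROUP_POLICY, "GroupAdmins", "inspect", "groups", "tenancy") with no target attributes returns True only because of the second, unconditional inspect statement; with that line removed the conditional manage statement alone denies the list request, which is exactly the behaviour the text warns about. The pattern compiler is also a useful reminder that /A-*/ matches every group name starting with "A-", including A-Admins, so the != exclusion in the third example is what keeps the administrative group out of reach.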