IAM Policies Overview

A user, group, or other principal to be granted access. The subject includes the principal type and identifier (name or OCID), and is prefixed by the name of the identity domain unless the default identity domain is used.

An administrator in your organization defines the groups and compartments in your tenancy.

Allow group <identity_domain_name>/<group_name> to <verb> <resource-type> in tenancy

Resources to which the policy grants access. Oracle defines the possible resource-types you can use in policies, see Resources. Some API operations require access to several resource-types. For example, LaunchInstance requires the ability to create instances and work with a cloud network. The CreateVolumeBackup operation requires access to both the volume and the volume backup. That requires separate policy statements to give access to each resource type. These individual statements don't have to be in the same policy. A user can gain the required access from being in different groups.

(Optional) A compartment or tenancy to which the policy applies. For a compartment, the value includes an identifier (name or OCID).

Sometimes the policy needs to apply to the entire tenancy, and not a compartment inside the tenancy. The following is an example of a compartment-specific policy statement, in which the <location> is a specific compartment:

Allow group <identifier> to <verb> <resource> in compartment <identifier>

Following is an example of a tenancy-wide policy statement, in which the <location> is tenancy:

Allow group <identifier> to <verb> <resource> in tenancy