Details for Functions
This topic covers details for writing policies to control access to OCI Functions.
Resource-Types
Aggregate Resource-Type
functions-family
Individual Resource-Types
fn-appfn-functionfn-invocation
Comments
A policy that uses <verb> functions-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.
See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in functions-family.
Supported Variables
OCI Functions supports all the general variables (see General Variables for All Requests).
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the fn-app resource-type includes the same permissions and API operations as the inspect verb, plus the FN_APP_READ permission and the GetApp API operation. In the case of the fn-app resource-type, the use verb covers no additional permissions or API operations compared to read. Lastly, manage covers more permissions and operations compared to use.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | FN_APP_LIST |
ListApp
|
none |
| read | INSPECT + FN_APP_READ |
INSPECT +
|
none |
| use | no extra |
no extra |
none |
| manage | USE + FN_APP_CREATE FN_APP_DELETE FN_APP_UPDATE |
USE +
|
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | FN_FUNCTION_LIST |
ListFunctions
|
none |
| read | INSPECT + FN_FUNCTION_READ |
INSPECT +
|
none |
| use | no extra |
no extra |
none |
| manage | USE + FN_FUNCTION_CREATE FN_FUNCTION_DELETE FN_FUNCTION_UPDATE |
USE +
|
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | none |
none |
none |
| read | none |
none |
none |
| use | FN_INVOCATION |
InvokeFunction
|
none |
| manage | no extra |
no extra |
none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation |
|---|---|
CreateApp
|
FN_APP_CREATE |
DeleteApp
|
FN_APP_DELETE |
ListApp
|
FN_APP_LIST |
GetApp
|
FN_APP_READ |
UpdateApp
|
FN_APP_UPDATE |
CreateFunction
|
FN_FUNCTION_CREATE |
DeleteFunction
|
FN_FUNCTION_DELETE |
ListFunctions
|
FN_FUNCTION_LIST |
GetFunction
|
FN_FUNCTION_READ |
UpdateFunction
|
FN_FUNCTION_UPDATE |
InvokeFunction
|
FN_INVOCATION |