Locations

Compartments are created by tenancy administrators in IAM. You can specify compartments by name or OCID.

The policy statement's compartment element specifies the scope of access to a compartment or tenancy. For example, use tenancy as a location to grant access to the specified resources across an entire tenancy.

Note

To create a policy that gives access to a specific region or availability domain, use the request.region or request.ad attribute with a condition. For more information, see Conditions.

The location is required in policy statements.

Syntax: [ tenancy | compartment <compartment_name> | compartment id <compartment_ocid> ]

Note

By default, the policy statement's compartment is assumed to be a direct child of the compartment where you create the policy. To specify a different parent compartment, use the compartment path, with a colon between the two compartments.

Example

Allow group InstanceAdmins to manage instance-family in compartment Project-A:Project-A2

Examples:
  • Single compartment by name

    Allow group A-Admins to manage all-resources in compartment Project-A
  • Single compartment by OCID

    Allow group id ocid1.group.oc1..exampleuniqueID to manage all-resources in compartment id ocid1.compartment.oc1..exampleuniqueID
  • Many compartments by name

    Allow group InstanceAdmins to manage instance-family in compartment Project-A
    Allow group InstanceAdmins to manage instance-family in compartment Project-B

  • Many compartments by OCID

    Allow group id ocid1.group.oc1..exampleuniqueID to manage all-resources in compartment id ocid1.compartment.oc1..exampleuniqueID
    Allow group id ocid1.group.oc1..exampleuniqueID to manage all-resources in compartment id ocid1.compartment.oc1..exampleuniqueID
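
A review-time check for the location element, as an added example (not Oracle's code or tooling): it parses the location syntax above, flags tenancy-wide scope, and flags an OCID whose type field does not match the keyword before it. The function names, the finding texts, and the assumptions that names contain no spaces and that an optional `where` condition may follow the location are choices made for this sketch.

```python
import re

# Location syntax from this page:
#   tenancy | compartment <name or Parent:Child path> | compartment id <ocid>
# Assumptions: names contain no spaces; an optional "where" condition may follow.
LOCATION_RE = re.compile(
    r"\bin\s+(?:(tenancy)|compartment\s+id\s+(\S+)|compartment\s+(\S+))"
    r"(?=\s+where\b|\s*$)", re.IGNORECASE)
GROUP_ID_RE = re.compile(r"\bgroup\s+id\s+(\S+)", re.IGNORECASE)


def ocid_type(ocid):
    """Return the type field of an OCID (ocid1.<type>.<realm>...), or None."""
    parts = ocid.split(".")
    return parts[1] if len(parts) > 2 and parts[0] == "ocid1" else None


def check_location(statement):
    """Return (location, findings) for one policy statement."""
    findings = []
    m = LOCATION_RE.search(statement.strip())
    if not m:
        return None, ["missing or malformed location (a location is required)"]
    tenancy, ocid, name = m.groups()
    if tenancy:
        location = {"kind": "tenancy"}
        findings.append("tenancy-wide scope: confirm this breadth is intended")
    elif ocid:
        location = {"kind": "compartment-id", "ocid": ocid}
        if ocid_type(ocid) != "compartment":
            findings.append(f"'compartment id' got OCID type {ocid_type(ocid)!r}")
    else:
        # A colon-separated path names a compartment under a different parent.
        location = {"kind": "compartment-name", "path": name.split(":")}
    g = GROUP_ID_RE.search(statement)
    if g and ocid_type(g.group(1)) != "group":
        findings.append(f"'group id' got OCID type {ocid_type(g.group(1))!r}")
    return location, findings


if __name__ == "__main__":
    # Constructed sample statements (placeholder OCIDs, not real identifiers).
    for s in (
        "Allow group InstanceAdmins to manage instance-family in compartment Project-A:Project-A2",
        "Allow group A-Admins to manage all-resources in tenancy",
        "Allow group id ocid1.group.oc1..exampleuniqueID to manage all-resources "
        "in compartment id ocid1.group.oc1..exampleuniqueID",
    ):
        print(check_location(s))
```

Running such a check over policy text before it is applied catches a swapped group/compartment OCID and surfaces every statement scoped to the whole tenancy for explicit sign-off.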