Locations
Compartments are created by tenancy administrators in IAM. You can specify compartments by name or OCID.
The policy statement's compartment element specifies the scope of access to a compartment or tenancy. For example, use tenancy as a location to grant access to the specified resources across an entire tenancy.
To create a policy that gives access to a specific region or availability domain, use the request.region or request.ad attribute with a condition. For more information, see Conditions.
The location is required in policy statements.
Syntax:
[ tenancy | compartment <compartment_name> | compartment id <compartment_ocid> ]
By default, the policy statement's compartment is assumed to be a direct child of the compartment where you create the policy. To specify a different parent compartment, use the compartment path, with a colon between the two compartments.
Example:
Allow group InstanceAdmins to manage instance-family in compartment Project-A:Project-A2
- Single compartment by name
  Allow group A-Admins to manage all-resources in compartment Project-A
- Single compartment by OCID
  Allow group id ocid1.group.oc1..exampleuniqueID to manage all-resources in compartment id ocid1.compartment.oc1..exampleuniqueID
- Many compartments by name
  Allow group InstanceAdmins to manage instance-family in compartment Project-A
  Allow group InstanceAdmins to manage instance-family in compartment Project-B
- Many compartments by OCID
  Allow group id ocid1.group.oc1..exampleuniqueID to manage all-resources in compartment id ocid1.compartment.oc1..exampleuniqueID
  Allow group id ocid1.group.oc1..exampleuniqueID to manage all-resources in compartment id ocid1.compartment.oc1..exampleuniqueID
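The following is an added example, not part of Oracle's documentation or tooling: a small linter that parses the location element of a policy statement according to the syntax above (tenancy, compartment by name or path, compartment by OCID) and flags the two things a reviewer most often looks for, a tenancy-wide grant and a "compartment id" that is not actually a compartment OCID. The "ocid1.compartment." prefix check and the sample statements are assumptions based on the examples on this page.

```python
import re

# Mirrors the documented syntax: tenancy | compartment <name> | compartment id <ocid>.
# The subject and condition groups are kept loose; only the location is analysed.
STATEMENT_RE = re.compile(
    r"^Allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>\w+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+id\s+\S+|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


def parse_location(statement):
    """Describe the location element of one statement, or None if it does not
    match the documented syntax. A compartment name may be a colon-separated
    path (Parent:Child), which is returned as a list."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        return None
    loc = re.sub(r"\s+", " ", m.group("location"))
    if loc.lower() == "tenancy":
        return {"kind": "tenancy", "scope": None}
    parts = loc.split(" ")
    if len(parts) == 3:  # "compartment id <ocid>"
        return {"kind": "ocid", "scope": parts[2]}
    return {"kind": "path", "scope": parts[1].split(":")}


def lint(statement):
    """Return the findings a policy reviewer would want flagged for a statement."""
    loc = parse_location(statement)
    if loc is None:
        return ["does not match documented syntax"]
    findings = []
    if loc["kind"] == "tenancy":
        findings.append("tenancy-wide scope: grants across every compartment")
    elif loc["kind"] == "ocid" and not loc["scope"].startswith("ocid1.compartment."):
        # Assumed prefix for compartment OCIDs; catches a group or other OCID
        # pasted where a compartment OCID belongs.
        findings.append("compartment id is not a compartment OCID: " + loc["scope"])
    return findings


if __name__ == "__main__":
    # Constructed sample statements, modelled on the examples above.
    for s in ["Allow group A-Admins to manage all-resources in tenancy",
              "Allow group InstanceAdmins to manage instance-family in compartment Project-A:Project-A2"]:
        print(s, "->", lint(s) or "ok")
```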