Service Catalog Policies

Describes Service Catalog policies.

Summary of changes made to implement Service Catalog access control:
  • An extra API call has been added to Service Catalog to check whether a tenancy has any active catalog. If it does, the tenancy is classified as operating in service catalog mode. In this mode, users of the tenancy can view and launch only selected Marketplace listings in authorized service catalogs.
  • When service catalog mode is detected, the Marketplace service calls the Service Catalog API for extra checks on the access control settings.
  • We have introduced a new constraint on Service Catalog where there can be only one active catalog per compartment.
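
The three checks summarized above, modeled in Python so the effect of a single active catalog on every user in the tenancy is visible. This is an added example, not Oracle's implementation or API: the Catalog class, function names, identifiers, and sample data are hypothetical, and it assumes only active catalogs the user is authorized for contribute listings.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Catalog:              # hypothetical model, not the Service Catalog API
    catalog_id: str
    compartment: str
    active: bool
    listings: frozenset

def in_catalog_mode(catalogs):
    """Any active catalog in the tenancy switches it to service catalog mode."""
    return any(c.active for c in catalogs)

def compartments_over_limit(catalogs):
    """Compartments breaking the one-active-catalog-per-compartment constraint."""
    active = Counter(c.compartment for c in catalogs if c.active)
    return sorted(name for name, n in active.items() if n > 1)

def visible_listings(all_listings, catalogs, authorized_ids):
    """Listings a user may view and launch, given the catalogs they can read."""
    if not in_catalog_mode(catalogs):
        return set(all_listings)          # no active catalog: no extra checks
    allowed = set()
    for c in catalogs:
        # Assumption: only active catalogs the user is authorized for count.
        if c.active and c.catalog_id in authorized_ids:
            allowed |= c.listings
    return allowed & set(all_listings)    # fails closed: may be empty

# Constructed sample data; every identifier is a placeholder.
ALL_LISTINGS = {"listing-1", "listing-2", "listing-3", "listing-4", "listing-5"}
SAMPLE_CATALOGS = [
    Catalog("cat-A", "comp-dev", True, frozenset({"listing-1", "listing-2"})),
    Catalog("cat-B", "comp-dev", True, frozenset({"listing-3"})),
    Catalog("cat-C", "comp-prod", False, frozenset({"listing-4"})),
]

if __name__ == "__main__":
    print("catalog mode:", in_catalog_mode(SAMPLE_CATALOGS))
    print("over limit:", compartments_over_limit(SAMPLE_CATALOGS))
    print("user with cat-A:", sorted(visible_listings(ALL_LISTINGS, SAMPLE_CATALOGS, {"cat-A"})))
    print("user with none:", sorted(visible_listings(ALL_LISTINGS, SAMPLE_CATALOGS, set())))
```

In this model a user with no authorized catalog sees no listings once any catalog in the tenancy is active, which is worth checking before activating the first catalog.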

Summary of Service Catalog policies

| Role | Permission | Function | Existing or New | Description |
| --- | --- | --- | --- | --- |
| Administrator | SERVICE_CATALOG_INSPECT, SERVICE_CATALOG_READ, SERVICE_CATALOG_CREATE, SERVICE_CATALOG_UPDATE, SERVICE_CATALOG_MOVE, SERVICE_CATALOG_DELETE | Creates, updates, and deletes Service Catalogs. | Existing | Allows group administrator to manage Service Catalogs in the tenancy. Allows group administrator to manage Marketplace listings in the tenancy. Allow group administrators to manage app-catalog-listings in the tenancy. |
| | MARKETPLACE_LISTINGS_INSPECT | Lists the Marketplace listings while creating Service Catalogs | Existing | |
| | APP_CATALOG_LISTING_SUBSCRIBE | Creates accepted agreements | Existing | |
| | All permissions granted to the user | Administrator should have all user permissions | | |
| Consumer | SERVICE_CATALOG_CONTENTS_INSPECT | List all the applications under a curated list of Service Catalogs | Existing | Allows group users to use Marketplace listings in the tenancy. Allows group users to read Service Catalogs in tenancy where service-catalog.id = id. Allow group users to read application catalog listings in the tenancy. |
| | MARKETPLACE_LISTINGS_LAUNCH | Launch a listing | Existing | |
| | MARKETPLACE_LISTINGS_READ | Read the application's details | Existing | |
| | MARKETPLACE_LISTINGS_INSPECT | List agreements of the application | Existing | |