Overview of Policy Syntax

The overall syntax of a policy statement is explained in this section.

Before you can control access to Application Dependency Management resources, you must create users and place them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control the access (see Managing Policies). A dynamic group is a special type of group that contains resources matching rules that you define. For more information, see Managing Dynamic Groups.

A policy allows a group to work in certain ways with specific types of resources in a particular compartment.

Allow <subject> to <verb> <resource-type> in <location> where <condition>

For example, you can specify:

  • A group or dynamic group by name or OCID as the <subject>. Or, you can use any-user to cover all users in the tenancy.

  • inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions.

    As you go from inspect > read > use > manage, the level of access increases, and the permissions granted are cumulative. For example, use includes read plus the ability to update.

  • A family of resources such as adm-family for the <resource-type>. Or, you can specify an individual resource in a family such as adm-knowledge-bases and adm-vulnerability-audits.

  • A compartment by name or OCID as the <location>. Or, you can use tenancy to cover the entire tenancy.

  • One or more conditions in <condition>, which must be met for access to be granted. For several conditions, you can use any or all.

    A condition consists of one or more variables. A variable can be relevant to the request itself (for example, request.operation) or to the resource being acted upon in the request (for example, target.compartment.id). To illustrate, to allow a group to manage a specific knowledge base and not any other knowledge base:

    Allow group <group-name> to manage adm-knowledge-bases in compartment <compartment-name> where target.compartment.id = '<compartment-ocid>'

    Or, to allow a group to manage all Application Dependency Management resources, except for deleting knowledge bases:

    Allow group <group-name> to manage adm-family in compartment <compartment-name> where request.permission != 'ADM_KNOWLEDGE_BASE_DELETE'
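As an added example (not part of the original documentation and not Oracle's own code), the following Python evaluator implements the statement grammar described above, so that a policy reviewer can check what a proposed statement would grant before it is applied: it parses the five parts, applies the cumulative inspect < read < use < manage ordering, expands the family, matches the compartment, and evaluates the `where` clause, including the `any {…}` / `all {…}` combination form. It assumes that adm-family covers exactly the two individual resource types named on this page, and represents a request as a dictionary whose keys are constructed for the example.

```python
import re
# Verb hierarchy from the page: inspect < read < use < manage, permissions cumulative.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Assumption: adm-family is taken to cover exactly the two individual types the page names.
FAMILIES = {"adm-family": {"adm-knowledge-bases", "adm-vulnerability-audits"}}

STATEMENT = re.compile(
    r"^Allow\s+(?P<subject>(?:group|dynamic-group)\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>\S+)\s+in\s+"
    r"(?P<location>compartment\s+\S+|tenancy)(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Split one statement into subject/verb/rtype/location/cond; reject anything off-grammar."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    return m.groupdict()

def _atom(atom, ctx):
    """Evaluate one  variable = 'value'  or  variable != 'value'  comparison against ctx."""
    m = re.fullmatch(r"([^\s!=]+)\s*(!=|=)\s*'([^']*)'", atom.strip())
    if not m:
        raise ValueError(f"unsupported condition: {atom!r}")
    var, op, value = m.groups()
    return (ctx.get(var) == value) if op == "=" else (ctx.get(var) != value)

def eval_condition(cond, ctx):
    """No where-clause means unconditional; any{...}/all{...} combine several comparisons."""
    if cond is None:
        return True
    m = re.fullmatch(r"(any|all)\s*\{(.*)\}", cond.strip(), re.IGNORECASE)
    if not m:
        return _atom(cond, ctx)
    combine = any if m.group(1).lower() == "any" else all
    return combine(_atom(a, ctx) for a in m.group(2).split(","))

def statement_grants(text, request):
    """True if this single statement authorizes the request (OCI policies only ever allow)."""
    s = parse_statement(text)
    subject, location = (" ".join(s[k].split()) for k in ("subject", "location"))
    rtype = s["rtype"].lower()
    return (
        (subject.lower() == "any-user" or subject in request["memberships"])
        and VERB_RANK[s["verb"].lower()] >= VERB_RANK[request["verb"]]
        and (rtype == request["resource_type"] or request["resource_type"] in FAMILIES.get(rtype, ()))
        and (location.lower() == "tenancy" or location == f"compartment {request['compartment']}")
        and eval_condition(s["cond"], request)  # request also carries the condition variables
    )
```

Because OCI policies are allow-only, a request is authorized when at least one statement in the tenancy grants it, so the realistic check is `any(statement_grants(s, req) for s in statements)` over every statement that could apply.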

For complete details, see Policy Syntax. For more information about creating policies, see How Policies Work and Policy Reference.