Understanding Big Data Service resources and permissions in IAM policies

Oracle Identity and Access Management (IAM) provides a flexible framework for writing policy statements that control how resources can interact with one another. IAM defines a number of standard resources, along with the permissions needed to interact with them. Big Data Service adds its own service-specific resources and permissions.

This topic describes the resources and permissions an administrator can use to create IAM policy statements for Big Data Service.

Resource kinds and permissions

Resource family   Resource kind   Permissions
bds-family        bds-instances   BDS_INSPECT, BDS_READ, BDS_CREATE, BDS_UPDATE, BDS_DELETE, BDS_MOVE
bds-family        bds-limits      BDS_CONSUMPTION_INSPECT

Operations to permissions map

The following table lists the IAM operations that are specific to Big Data Service. You can write an IAM policy that includes these operations, or you can write a policy that uses a defined verb that encapsulates these operations.

Operation                                                       API operation                   Permission required
List all clusters in the specified compartment                  ListBdsInstances                BDS_INSPECT
Create a cluster                                                CreateBdsInstance               BDS_CREATE
Show details about the specified cluster                        GetBdsInstance                  BDS_READ
Change the size of a cluster                                    ChangeShape                     BDS_UPDATE
Update details for a cluster                                    UpdateBdsInstance               BDS_UPDATE
Delete the specified instance                                   DeleteBdsInstance               BDS_DELETE
Add block storage to the specified cluster                      AddBlockStorage                 BDS_UPDATE
Add worker nodes to the specified cluster                       AddWorkerNodes                  BDS_UPDATE
Restart a specified node of a cluster                           RestartNode                     BDS_UPDATE
Add Cloud SQL to the specified cluster                          AddCloudSql                     BDS_UPDATE
Remove Cloud SQL from the specified cluster                     RemoveCloudSql                  BDS_UPDATE
Move the cluster from one compartment to another                ChangeBdsInstanceCompartment    BDS_MOVE
List all autoscale configurations for the specified cluster     ListAutoScalingConfigurations   BDS_INSPECT
Add an autoscale configuration to the specified cluster         AddAutoScalingConfiguration     BDS_UPDATE
Show details about the specified autoscale configuration        GetAutoScalingConfiguration     BDS_READ
Update fields of an autoscale configuration                     UpdateAutoScalingConfiguration  BDS_UPDATE
Delete an autoscale configuration                               RemoveAutoScalingConfiguration  BDS_UPDATE
List all Big Data work requests in the specified compartment    ListWorkRequests                BDS_INSPECT
Show details about the specified work request                   GetWorkRequest                  BDS_READ
Show logs for the specified work request                        ListWorkRequestLogs             BDS_INSPECT
Show errors for the specified work request                      ListWorkRequestErrors           BDS_INSPECT
Show resources used                                             ListConsumptions                BDS_CONSUMPTION_INSPECT
List API keys on the specified cluster                          ListBdsApiKeys                  BDS_READ
Create an API key on the specified cluster                      CreateBdsApiKey                 BDS_UPDATE
Get an API key on the specified cluster                         GetBdsApiKey                    BDS_READ
Delete an API key on the specified cluster                      DeleteBdsApiKey                 BDS_UPDATE
Test access to Object Store bucket using the specified API key  TestBdsObjectStorageConnection  BDS_READ

Operation-specific attributes

Note

For a given resource kind, you should have the same set of attributes across all operations (get, list, delete, and so on). The one exception is for a "create" operation, where you won't have the ID for that object yet, so you can't have a target.RESOURCE-KIND.id attribute for "create."

Resource kind   Name                                              Type     Source
bds-instances   target.bds-instances.source-compartment.id        Entity   Request
bds-instances   target.bds-instances.destination-compartment.id   Entity   Request

IAM verbs for use with Big Data Service

Each verb grants the permissions of the verb to its left plus the permissions listed in its own column.

Resource kind   inspect                   read                 use                  manage
bds-instances   BDS_INSPECT               inspect + BDS_READ   read + BDS_UPDATE    use + BDS_CREATE, BDS_DELETE, BDS_MOVE
bds-limits      BDS_CONSUMPTION_INSPECT   inspect + (none)     read + (none)        use + (none)

Example 1 - Administrators with all permission on clusters

The following policy statement says that members of a group named bds-admins can inspect, read, update, create, delete, and move all clusters in a compartment named bds-dev.

allow group bds-admins to manage bds-instances in compartment bds-dev

In the above statement:

  • bds-admins is a group created by an administrator.

  • manage specifies the operations that members of the bds-admins group can use. manage is one of the verbs described in "IAM verbs for use with Big Data Service" above. It gives a user or group all of the permissions granted by the inspect, read, and use verbs, plus a few permissions specific to the manage verb:

    • The inspect verb includes the BDS_INSPECT permission.
    • The read verb includes the BDS_INSPECT and BDS_READ permissions.
    • The use verb includes the BDS_INSPECT, BDS_READ, and BDS_UPDATE permissions.
    • The manage verb includes the BDS_INSPECT, BDS_READ, BDS_UPDATE, BDS_CREATE, BDS_DELETE, and BDS_MOVE permissions.
  • bds-dev is a compartment created by an administrator.

The following policy statement says that members of the bds-admins group can manage the Virtual Cloud Network (VCN) resources in the entire tenancy.

allow group bds-admins to manage virtual-network-family in tenancy

Example 2 - Users

The following policy statement says that members of a group named bds-users can inspect and read all clusters in the bds-learn compartment. (The verb read includes both inspect and read permissions.)

allow group bds-users to read bds-instances in compartment bds-learn
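The verb hierarchy, the operations-to-permissions map, the operation-specific attributes, and the two example policies above can be checked together with a small model. The following Python script is an added example; it is not Oracle's authorization engine and not part of this documentation. It encodes only the tables on this page and a simplified subset of the policy statement syntax (allow group G to VERB RESOURCE in compartment C or in tenancy, with an optional where-clause on one attribute). Treating bds-family as an aggregate of both resource kinds and the where-clause form are assumptions of the model; the OCID in the test is a constructed placeholder.

```python
"""Toy policy evaluator for the Big Data Service tables on this page.
Added example, not Oracle's authorization engine: it encodes only the page's
tables and a simplified subset of the IAM policy statement syntax."""
import re

VERB_ORDER = ["inspect", "read", "use", "manage"]
# Permissions each verb ADDS to the verb before it ("IAM verbs" table).
VERB_ADDS = {
    "bds-instances": {
        "inspect": {"BDS_INSPECT"},
        "read": {"BDS_READ"},
        "use": {"BDS_UPDATE"},
        "manage": {"BDS_CREATE", "BDS_DELETE", "BDS_MOVE"},
    },
    "bds-limits": {
        "inspect": {"BDS_CONSUMPTION_INSPECT"},
        "read": set(), "use": set(), "manage": set(),
    },
}
# Assumption of this model: the family name stands for both resource kinds.
FAMILIES = {"bds-family": ["bds-instances", "bds-limits"]}

# API operation -> permission required ("Operations to permissions map").
OPERATION_PERMISSION = {
    "ListBdsInstances": "BDS_INSPECT", "CreateBdsInstance": "BDS_CREATE",
    "GetBdsInstance": "BDS_READ", "ChangeShape": "BDS_UPDATE",
    "UpdateBdsInstance": "BDS_UPDATE", "DeleteBdsInstance": "BDS_DELETE",
    "AddBlockStorage": "BDS_UPDATE", "AddWorkerNodes": "BDS_UPDATE",
    "RestartNode": "BDS_UPDATE", "AddCloudSql": "BDS_UPDATE",
    "RemoveCloudSql": "BDS_UPDATE", "ChangeBdsInstanceCompartment": "BDS_MOVE",
    "ListAutoScalingConfigurations": "BDS_INSPECT",
    "AddAutoScalingConfiguration": "BDS_UPDATE",
    "GetAutoScalingConfiguration": "BDS_READ",
    "UpdateAutoScalingConfiguration": "BDS_UPDATE",
    "RemoveAutoScalingConfiguration": "BDS_UPDATE",
    "ListWorkRequests": "BDS_INSPECT", "GetWorkRequest": "BDS_READ",
    "ListWorkRequestLogs": "BDS_INSPECT", "ListWorkRequestErrors": "BDS_INSPECT",
    "ListConsumptions": "BDS_CONSUMPTION_INSPECT",
    "ListBdsApiKeys": "BDS_READ", "CreateBdsApiKey": "BDS_UPDATE",
    "GetBdsApiKey": "BDS_READ", "DeleteBdsApiKey": "BDS_UPDATE",
    "TestBdsObjectStorageConnection": "BDS_READ",
}

# Simplified statement grammar (an assumption; a subset of the real syntax):
#   allow group G to VERB RESOURCE in compartment C | tenancy [where ATTR = 'VALUE']
STATEMENT = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+)"
    r" in (?:compartment (?P<compartment>\S+)|tenancy)"
    r"(?: where (?P<attr>\S+) = '(?P<value>[^']*)')?$",
    re.IGNORECASE,
)


def permissions_for_verb(resource_kind, verb):
    """Expand a verb into the full permission set it grants on one resource kind.
    Verbs are cumulative: read = inspect + ..., use = read + ..., manage = use + ..."""
    granted = set()
    for v in VERB_ORDER:
        granted |= VERB_ADDS[resource_kind][v]
        if v == verb:
            return granted
    raise ValueError(f"unknown verb: {verb}")


def parse_statement(text):
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    return m.groupdict()


def statement_grants(stmt, group, operation, compartment, attrs=None):
    """True if one parsed statement lets `group` call `operation` on a resource in
    `compartment`. `attrs` carries request attributes such as
    target.bds-instances.destination-compartment.id for a where-clause."""
    attrs = attrs or {}
    if stmt["group"] != group:
        return False
    # "in tenancy" leaves compartment None and so matches every compartment.
    if stmt["compartment"] is not None and stmt["compartment"] != compartment:
        return False
    if stmt["attr"] is not None and attrs.get(stmt["attr"]) != stmt["value"]:
        return False
    # Resources this page does not define (e.g. virtual-network-family) grant no BDS permission.
    kinds = [k for k in FAMILIES.get(stmt["resource"], [stmt["resource"]]) if k in VERB_ADDS]
    needed = OPERATION_PERMISSION[operation]
    return any(needed in permissions_for_verb(k, stmt["verb"].lower()) for k in kinds)


def is_allowed(policy_text, group, operation, compartment, attrs=None):
    """Evaluate a whole policy (one statement per line); any matching statement allows."""
    statements = [parse_statement(line) for line in policy_text.splitlines() if line.strip()]
    return any(statement_grants(s, group, operation, compartment, attrs) for s in statements)


if __name__ == "__main__":
    # Example 2 from the page: confirm that "read" keeps bds-users away from changes.
    policy = "allow group bds-users to read bds-instances in compartment bds-learn"
    for op in ("ListBdsInstances", "GetBdsApiKey", "AddWorkerNodes", "DeleteBdsInstance"):
        print(f"{op}: {is_allowed(policy, 'bds-users', op, 'bds-learn')}")
```

Running the script shows that the Example 2 policy lets bds-users call ListBdsInstances and GetBdsApiKey but not AddWorkerNodes or DeleteBdsInstance, and that the same group gets nothing in bds-dev. The same functions let you check a where-clause on target.bds-instances.destination-compartment.id before attaching a policy, which is the least-privilege review worth doing for any group that is given the manage verb.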

More Information

For more information about IAM policies, see Overview of Oracle Cloud Infrastructure Identity and Access Management in the Oracle Cloud Infrastructure documentation. For details about writing policies, see Policy Syntax and Policy Reference.