DevOps IAM Policies

Create IAM policies to control who has access to DevOps resources, and to control the type of access for each group of users.

Before you can control access to DevOps resources such as code repositories, build pipelines, and deployment pipelines, you must create users and place them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control the access (see Managing Policies).

By default, users in the Administrators group have access to all the DevOps resources. If you're new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Resource Types and Permissions

List of DevOps resource types and associated permissions.

To assign permissions to all DevOps resources, use the devops-family aggregate type. For more information, see Permissions.

A policy that uses <verb> devops-family is equal to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Resource Type Permissions
devops-family The verbs, inspect, read, use, manage are applicable for all the DevOps resource types permissions.

Verbs inspect and read are applicable for DEVOPS_WORK_REQUEST permission.

devops-project
  • DEVOPS_PROJECT_INSPECT
  • DEVOPS_PROJECT_READ
  • DEVOPS_PROJECT_UPDATE
  • DEVOPS_PROJECT_CREATE
  • DEVOPS_PROJECT_DELETE
  • DEVOPS_PROJECT_MOVE
  • DEVOPS_PROJECT_CASCADE_DELETE
  • DEVOPS_PROJECT_SETTINGS_READ
  • DEVOPS_PROJECT_SETTINGS_UPDATE
  • DEVOPS_PROJECT_SETTINGS_DELETE
devops-deploy-family

The verbs, inspect, read, use, manage are applicable for the following permissions:

  • DEVOPS_DEPLOY_ARTIFACT
  • DEVOPS_DEPLOY_ENVIRONMENT
  • DEVOPS_DEPLOY_PIPELINE
  • DEVOPS_DEPLOY_STAGE
  • DEVOPS_DEPLOY_DEPLOYMENT
devops-deploy-artifact
  • DEVOPS_DEPLOY_ARTIFACT_INSPECT
  • DEVOPS_DEPLOY_ARTIFACT_READ
  • DEVOPS_DEPLOY_ARTIFACT_UPDATE
  • DEVOPS_DEPLOY_ARTIFACT_CREATE
  • DEVOPS_DEPLOY_ARTIFACT_DELETE
devops-deploy-environment
  • DEVOPS_DEPLOY_ENVIRONMENT_INSPECT
  • DEVOPS_DEPLOY_ENVIRONMENT_READ
  • DEVOPS_DEPLOY_ENVIRONMENT_UPDATE
  • DEVOPS_DEPLOY_ENVIRONMENT_CREATE
  • DEVOPS_DEPLOY_ENVIRONMENT_DELETE
devops-deploy-pipeline
  • DEVOPS_DEPLOY_PIPELINE_INSPECT
  • DEVOPS_DEPLOY_PIPELINE_READ
  • DEVOPS_DEPLOY_PIPELINE_UPDATE
  • DEVOPS_DEPLOY_PIPELINE_CREATE
  • DEVOPS_DEPLOY_PIPELINE_DELETE
devops-deploy-stage
  • DEVOPS_DEPLOY_STAGE_INSPECT
  • DEVOPS_DEPLOY_STAGE_READ
  • DEVOPS_DEPLOY_STAGE_UPDATE
  • DEVOPS_DEPLOY_STAGE_CREATE
  • DEVOPS_DEPLOY_STAGE_DELETE
devops-deployment
  • DEVOPS_DEPLOY_DEPLOYMENT_INSPECT
  • DEVOPS_DEPLOY_DEPLOYMENT_READ
  • DEVOPS_DEPLOY_DEPLOYMENT_UPDATE
  • DEVOPS_DEPLOY_DEPLOYMENT_CREATE
  • DEVOPS_DEPLOY_DEPLOYMENT_DELETE
  • DEVOPS_DEPLOY_DEPLOYMENT_CANCEL
  • DEVOPS_DEPLOY_DEPLOYMENT_APPROVE
devops-work-requests
  • DEVOPS_WORK_REQUEST_INSPECT
  • DEVOPS_WORK_REQUEST_READ
devops-repository-family

The verbs, inspect, read, use, manage are applicable for the following permissions:

  • DEVOPS_REPOSITORY
  • DEVOPS_PULL_REQUEST
  • DEVOPS_PULL_REQUEST_COMMENT
  • DEVOPS_PROTECTED_BRANCH

Verb manage is applicable for DEVOPS_REPOSITORY_SETTINGS permission.

devops-repository
  • DEVOPS_REPOSITORY_INSPECT
  • DEVOPS_REPOSITORY_READ
  • DEVOPS_REPOSITORY_UPDATE
  • DEVOPS_REPOSITORY_CREATE
  • DEVOPS_REPOSITORY_DELETE
  • DEVOPS_REPOSITORY_SETTINGS_READ
  • DEVOPS_REPOSITORY_SETTINGS_UPDATE
  • DEVOPS_REPOSITORY_SETTINGS_DELETE
devops-pull-request
  • DEVOPS_PULL_REQUEST_INSPECT
  • DEVOPS_PULL_REQUEST_READ
  • DEVOPS_PULL_REQUEST_UPDATE
  • DEVOPS_PULL_REQUEST_CREATE
  • DEVOPS_PULL_REQUEST_DELETE
  • DEVOPS_PULL_REQUEST_REVIEW
devops-pull-request-comment
  • DEVOPS_PULL_REQUEST_COMMENT_INSPECT
  • DEVOPS_PULL_REQUEST_COMMENT_READ
  • DEVOPS_PULL_REQUEST_COMMENT_UPDATE
  • DEVOPS_PULL_REQUEST_COMMENT_CREATE
  • DEVOPS_PULL_REQUEST_COMMENT_DELETE
devops-protected-branch
  • DEVOPS_PROTECTED_BRANCH_INSPECT
  • DEVOPS_PROTECTED_BRANCH_READ
  • DEVOPS_PROTECTED_BRANCH_PUSH
  • DEVOPS_PROTECTED_BRANCH_CREATE
  • DEVOPS_PROTECTED_BRANCH_UPDATE
  • DEVOPS_PROTECTED_BRANCH_DELETE
devops-build-family

Given verbs, inspect, read, use, manage are applicable for the following permissions:

  • DEVOPS_BUILD_PIPELINE
  • DEVOPS_BUILD_PIPELINE_STAGE
  • DEVOPS_BUILD_RUN
devops-build-pipeline
  • DEVOPS_BUILD_PIPELINE_INSPECT
  • DEVOPS_BUILD_PIPELINE_READ
  • DEVOPS_BUILD_PIPELINE_UPDATE
  • DEVOPS_BUILD_PIPELINE_CREATE
  • DEVOPS_BUILD_PIPELINE_DELETE
devops-build-pipeline-stage
  • DEVOPS_BUILD_PIPELINE_STAGE_INSPECT
  • DEVOPS_BUILD_PIPELINE_STAGE_READ
  • DEVOPS_BUILD_PIPELINE_STAGE_UPDATE
  • DEVOPS_BUILD_PIPELINE_STAGE_CREATE
  • DEVOPS_BUILD_PIPELINE_STAGE_DELETE
devops-build-run
  • DEVOPS_BUILD_RUN_INSPECT
  • DEVOPS_BUILD_RUN_READ
  • DEVOPS_BUILD_RUN_UPDATE
  • DEVOPS_BUILD_RUN_CREATE
  • DEVOPS_BUILD_RUN_DELETE
  • DEVOPS_BUILD_RUN_CANCEL
devops-connection
  • DEVOPS_CONNECTION_INSPECT
  • DEVOPS_CONNECTION_READ
  • DEVOPS_CONNECTION_UPDATE
  • DEVOPS_CONNECTION_CREATE
  • DEVOPS_CONNECTION_DELETE
devops-trigger
  • DEVOPS_TRIGGER_INSPECT
  • DEVOPS_TRIGGER_READ
  • DEVOPS_TRIGGER_UPDATE
  • DEVOPS_TRIGGER_CREATE
  • DEVOPS_TRIGGER_DELETE

Supported Variables

Variables are used when adding conditions to a policy.

DevOps supports the following variables:

  • Entity: Oracle Cloud Identifier (OCID)
  • String: Free-form text.
  • Number: Numeric value (arbitrary precision)
  • List: List of Entity, String, or Number
  • Boolean: True or False

See General Variables for All Requests.

Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.

Required variables are supplied by the DevOps service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).

Required Variables Type Description
target.compartment.id Entity (OCID) The OCID of the primary resource for the request.
request.operation String The operation ID (for example, GetUser) for the request.
target.resource.kind String The resource kind name of the primary resource for the request.
Automatic Variables Type Description
request.user.id Entity (OCID) The OCID of the requesting user.
request.groups.id List of entities (OCIDs) The OCIDs of the groups the requesting user is in.
target.compartment.name String The name of the compartment specified in target.compartment.id.
target.tenant.id Entity (OCID) The OCID of the target tenant ID.

Here's a list of available sources for the variables:

  • Request: Comes from the request input.
  • Derived: Comes from the request.
  • Stored: Comes from the service, retained input.
  • Computed: Computed from service data.

Mapping Variables with Resource Types

Resource Type Variable Type Source Description

devops-project

devops-deploy-artifact

devops-deploy-environment

devops-deploy-pipeline

devops-deploy-stage

devops-deployment

devops-repository

devops-pull-request

devops-connection

devops-trigger

devops-build-pipeline

devops-build-pipeline-stage

devops-build-run

devops-pull-request-comment

devops-protected-branch

target.project.id Entry Stored Available for Get, Update, Delete, and Move operations on the Project resource.

devops-project

devops-deploy-artifact

devops-deploy-environment

devops-deploy-pipeline

devops-deploy-stage

devops-deployment

devops-repository

devops-pull-request

devops-connection

devops-trigger

devops-build-pipeline

devops-build-pipeline-stage

devops-build-run

devops-pull-request-comment

devops-protected-branch

target.project.name String Stored Available for Get, Update, Delete, and Move operations on the Project resource.
devops-deploy-artifact target.artifact.id Entity Stored Available for Get, Update, and Delete operations on the Artifact resource.
devops-deploy-environment target.environment.id Entity Stored Available for Get, Update, and Delete operations on the Environment resource.

devops-deploy-pipeline

devops-deploy-stage

devops-deployment

target.pipeline.id Entity Stored Available for Get, Update, and Delete operations on the Pipeline resource.
devops-deploy-stage target.stage.id Entity Stored Available for Get, Update, and Delete operations on the Stage resource.
devops-deployment target.deployment.id Entity Stored Available for Get, Update, and Delete operations on Deployment resource types.
devops-repository

devops-pull-request

devops-pull-request-comment

devops-protected-branch

target.repository.id Entity Stored Available for Get, Update, Delete, and Move operations on the Repository resource.
devops-pull-request-comment target.pull-request.id Entity Stored Available for Get, Update, Delete operations on the Pull-Request resource.
devops-repository

devops-pull-request

devops-pull-request-comment

devops-protected-branch

target.repository.name Entity Stored Available for Get, Update, Delete, and Move operations on the Repository resource.
devops-pull-request-comment target.pull-request.display-name String Stored Available for Get, Update, Delete operations on the Pull-Request resource.
devops-repository target.branch.name Entity Stored Available for Git operations such as upload-pack, receive-pack on the Repository branch.
devops-protected-branch target.branch.name String Stored Available for Get, Update, Delete and Move operations on the Protected Branch resource.
devops-repository target.tag.name Entity Stored Available for Git operations like upload-pack, receive-pack on the Repository branch.
devops-pull-request target.pull-request.id Entity Stored Available for Get, Update, Delete operations on the Pull-Request resource.
devops-pull-request target.pull-request.display-name String Stored Available for Get, Update, Delete operations on the Pull-Request resource.
devops-connection target.connection.id Entity Stored Available for Get, Update, and Delete operations on the Connection resource.
devops-trigger target.trigger.id Entity Stored Available for Get, Update, and Delete operations on the Trigger resource.

devops-build-pipeline

devops-build-pipeline-stage

devops-build-run

target.build-pipeline.id Entity Stored Available for Get, Update, and Delete operations on the Build Pipeline resource.
devops-build-pipeline-stage target.build-pipeline-stage.id Entity Stored Available for Get, Update, and Delete operations on the Build Pipeline Stage resource.
devops-build-run target.build-run.id Entity Stored Available for Get, Update, Delete, and Cancel operations on the Build Run resource.

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for DevOps resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell. All permissions (inspect, read, use, and manage) are applicable for the devops-family resource type, which includes all the DevOps resources.

For information about granting access, see Permissions.

devops-project

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-project resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_PROJECT_INSPECT ListProjects List all the project resources in a compartment.
read

inspect+

DEVOPS_PROJECT_READ

inspect+

GetProject

Get a specific project by ID.
use

read+

DEVOPS_PROJECT_UPDATE

read+

UpdateProject

Update a specific project.
manage

use+

DEVOPS_PROJECT_CREATE

use+

CreateProject

Create a project resource.
manage

use+

DEVOPS_PROJECT_DELETE

use+

DeleteProject

Delete a specific project.
manage

use+

DEVOPS_PROJECT_MOVE

use+

ChangeProjectCompartment

Move a project to a different compartment.
devops-deploy-family

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-family resource.

Verbs Permissions APIs Covered Description
inspect
  • DEVOPS_DEPLOY_ARTIFACT_INSPECT
  • DEVOPS_DEPLOY_ENVIRONMENT_INSPECT
  • DEVOPS_DEPLOY_PIPELINE_INSPECT
  • DEVOPS_DEPLOY_STAGE_INSPECT
  • DEVOPS_DEPLOYMENT_INSPECT
  • ListDeployArtifacts
  • ListDeployEnvironments
  • ListDeployPipelines
  • ListDeployStages
  • ListDeployments
  • List all the artifacts in a project or compartment.
  • List all the environments in an project or compartment.
  • List all the pipeline resources in a compartment.
  • List all the stages in a pipeline or compartment.
  • List all the deployments in a compartment.
read

inspect+

  • DEVOPS_DEPLOY_ARTIFACT_READ
  • DEVOPS_DEPLOY_ENVIRONMENT_READ
  • DEVOPS_DEPLOY_PIPELINE_READ
  • DEVOPS_DEPLOY_STAGE_READ
  • DEVOPS_DEPLOYMENT_READ

inspect+

  • GetDeployArtifact
  • GetDeployEnvironment
  • GetDeployPipeline
  • GetDeployStage
  • GetDeployment
  • Get a specific artifact by ID.
  • Get a specific environment by ID.
  • Get a specific pipeline by ID.
  • Get a specific stage by ID.
  • Get a specific deployment by ID.
use

read+

  • DEVOPS_DEPLOY_ARTIFACT_UPDATE
  • DEVOPS_DEPLOY_ENVIRONMENT_UPDATE
  • DEVOPS_DEPLOY_PIPELINE_UPDATE
  • DEVOPS_DEPLOY_STAGE_UPDATE
  • DEVOPS_DEPLOYMENT_UPDATE
  • DEVOPS_DEPLOYMENT_APPROVE
  • DEVOPS_DEPLOYMENT_CANCEL

read+

  • UpdateDeployArtifact
  • UpdateDeployEnvironment
  • UpdateDeployPipeline
  • UpdateDeployStage
  • UpdateDeployment
  • ApproveDeployment
  • CancelDeployment
  • Update a specific artifact by ID.
  • Update a specific environment by ID.
  • Update a specific pipeline by ID.
  • Update a specific stage by ID.
  • Update a specific deployment by ID.
  • Approve a specific deployment that's waiting for manual approval.
  • Cancel a running deployment.
manage

use+

  • DEVOPS_DEPLOY_ARTIFACT_CREATE
  • DEVOPS_DEPLOY_ARTIFACT_DELETE
  • DEVOPS_DEPLOY_ENVIRONMENT_CREATE
  • DEVOPS_DEPLOY_ENVIRONMENT_DELETE
  • DEVOPS_DEPLOY_PIPELINE_CREATE
  • DEVOPS_DEPLOY_PIPELINE_DELETE
  • DEVOPS_DEPLOY_STAGE_CREATE
  • DEVOPS_DEPLOY_STAGE_DELETE
  • DEVOPS_DEPLOYMENT_CREATE
  • DEVOPS_DEPLOYMENT_DELETE

use+

  • CreateDeployArtifact
  • DeleteDeployArtifact
  • CreateDeployEnvironment
  • DeleteDeployEnvironment
  • CreateDeployPipeline
  • DeleteDeployPipeline
  • CreateDeployStage
  • DeleteDeployStage
  • CreateDeployment
  • DeleteDeployment
  • Create an artifact resource within a project.
  • Delete a specific artifact by ID.
  • Create an environment within a project.
  • Delete a specific environment by ID.
  • Create a pipeline resource.
  • Delete a specific pipeline by ID.
  • Create a stage within a pipeline.
  • Delete a specific stage by ID.
  • Create a deployment for a specific pipeline.
  • Delete a specific deployment by ID.
devops-deploy-artifact

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-artifact resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOY_ARTIFACT_INSPECT ListDeployArtifacts List all the artifacts in a project or compartment.
read

inspect+

DEVOPS_DEPLOY_ARTIFACT_READ

inspect+

GetDeployArtifact

Get a specific artifact by ID.
use

read+

DEVOPS_DEPLOY_ARTIFACT_UPDATE

read+

UpdateDeployArtifact

Update a specific artifact by ID.
manage

use+

DEVOPS_DEPLOY_ARTIFACT_CREATE

use+

CreateDeployArtifact

Create an artifact resource within a project.

manage

use+

DEVOPS_DEPLOY_ARTIFACT_DELETE

use+

DeleteDeployArtifact

Delete a specific artifact by ID.

devops-deploy-environment

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-environment resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOY_ENVIRONMENT_INSPECT ListDeployEnvironments List all the environments in an application or compartment.
read

inspect+

DEVOPS_DEPLOY_ENVIRONMENT_READ

inspect+

GetDeployEnvironment

Get a specific environment by ID.
use

read+

DEVOPS_DEPLOY_ENVIRONMENT_UPDATE

read+

UpdateDeployEnvironment

Update a specific environment by ID.
manage

use+

DEVOPS_DEPLOY_ENVIRONMENT_CREATE

use+

CreateDeployEnvironment

Create an environment for a deployment target within an application.

manage

use+

DEVOPS_DEPLOY_ENVIRONMENT_DELETE

use+

DeleteDeployEnvironment

Delete a specific environment by ID.

devops-deploy-pipeline

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-pipeline resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOY_PIPELINE_INSPECT ListDeployPipelines List all the pipeline resources in a compartment.
read

inspect+

DEVOPS_DEPLOY_PIPELINE_READ

inspect+

GetDeployPipeline

Get a specific pipeline by ID.
use

read+

DEVOPS_DEPLOY_PIPELINE_UPDATE

read+

UpdateDeployPipeline

Update a specific pipeline by ID.
manage

use+

DEVOPS_DEPLOY_PIPELINE_CREATE

use+

CreateDeployPipeline

Create a pipeline resource.

manage

use+

DEVOPS_DEPLOY_PIPELINE_DELETE

use+

DeleteDeployPipeline

Delete a specific pipeline.

devops-deploy-stage

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-stage resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOY_STAGE_INSPECT ListDeployStages List all the stages in a pipeline or compartment.
read

inspect+

DEVOPS_DEPLOY_STAGE_READ

inspect+

GetDeployStage

Get a specific stage by ID.
use

read+

DEVOPS_DEPLOY_STAGE_UPDATE

read+

UpdateDeployStage

Update a specific stage by ID.
manage

use+

DEVOPS_DEPLOY_STAGE_CREATE

use+

CreateDeployStage

Create a stage within a pipeline.

manage

use+

DEVOPS_DEPLOY_STAGE_DELETE

use+

DeleteDeployStage

Delete a specific stage by ID.

devops-deployment

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deployment resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOYMENT_INSPECT ListDeployments List all the deployments in a compartment.
read

inspect+

DEVOPS_DEPLOYMENT_READ

inspect+

GetDeployment

Get a specific deployment by ID.
use

read+

DEVOPS_DEPLOYMENT_UPDATE

read+

UpdateDeployStage

Update a specific stage by ID.

use

read+

DEVOPS_DEPLOYMENT_APPROVE

read+

ApproveDeployment

Approve a specific deployment that's waiting for manual approval.
use

read+

DEVOPS_DEPLOYMENT_CANCEL

read+

CancelDeployment

Cancel a running deployment.

manage

use+

DEVOPS_DEPLOYMENT_CREATE

use+

CreateDeployment

Create a deployment for a specific pipeline.

manage

use+

DEVOPS_DEPLOYMENT_DELETE

use+

DeleteDeployment

Delete a specific deployment.

devops-work-requests

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-work-requests resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_WORK_REQUEST_INSPECT ListWorkRequests List all the work requests in a compartment.
read

inspect+

DEVOPS_WORK_REQUEST_READ

inspect+

GetWorkRequest

Get a specific work request by ID.
devops-repository-family

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-repository-family resource.

Verbs Permissions APIs Covered Description
inspect
  • DEVOPS_REPOSITORY_INSPECT
  • DEVOPS_PULL_REQUEST_INSPECT
  • DEVOPS_PULL_REQUEST_COMMENT_INSPECT
  • DEVOPS_PROTECTED_BRANCH_INSPECT
  • ListRepositories
  • ListPullRequests
  • ListPullRequestAttachments
  • ListPullRequestComments
  • ListProtectedBranches
  • List all the repository resources by compartment ID, project ID, or repository ID.
  • List pull requests in a repository.
  • List pull request attachments by identifier.
  • List pull request reviewer comments.
  • List protected branches in a repository.
read
inspect+
  • DEVOPS_REPOSITORY_READ
  • DEVOPS_PULL_REQUEST_READ
  • DEVOPS_PULL_REQUEST_COMMENT_READ
  • DEVOPS_PROTECTED_BRANCH_READ
  • DEVOPS_PULL_REQUEST_REVIEW
  • DEVOPS_PULL_REQUEST_COMMENT_CREATE
  • DEVOPS_PULL_REQUEST_COMMENT_UPDATE
  • DEVOPS_PULL_REQUEST_COMMENT_DELETE

inspect+

  • GetRepository
  • GetPullRequest
  • GetPullRequestComment
  • GetPullRequestAttachmentContent
  • GetProtectedBranch
  • ReviewPullRequest
  • UpdatePullRequestComment
  • LikePullRequestComment
  • UnlikePullRequestComment
  • DeletePullRequestComment
  • Get a specific repository by ID.
  • Get a pull request by ID.
  • Get a comment by a comment ID.
  • Get contents of a pull request attachment.
  • Get protection information for a specific branch.
  • Update a pull request's reviewer list.
  • Update a pull request comment by ID.
  • Like a pull request comment.
  • Unlike a pull request comment.
  • Delete a pull request comment.
use

read+

  • DEVOPS_REPOSITORY_UPDATE
  • DEVOPS_PULL_REQUEST_UPDATE
  • DEVOPS_PULL_REQUEST_CREATE
  • DEVOPS_PULL_REQUEST_DELETE

read+

  • UpdateRepository
  • UpdatePullRequest
  • DeclinePullRequest
  • ReopenPullRequest
  • MergePullRequest
  • DeletePullRequest
  • Update a specific repository by ID.
  • Update a pull request by ID.
  • Close a pull request by setting the lifecycle of the pull request to declined.
  • Reopen a closed pull request.
  • Merge an approved pull request from the source branch to the target.
  • Delete a pull request by ID.
manage

use+

  • DEVOPS_REPOSITORY_CREATE
  • DEVOPS_REPOSITORY_DELETE
  • DEVOPS_PROTECTED_BRANCH_CREATE
  • DEVOPS_PROTECTED_BRANCH_UPDATE
  • DEVOPS_PROTECTED_BRANCH_DELETE
  • DEVOPS_REPOSITORY_SETTINGS_READ
  • DEVOPS_REPOSITORY_SETTINGS_UPDATE
  • DEVOPS_REPOSITORY_SETTINGS_DELETE
  • DEVOPS_PROTECTED_BRANCH_PUSH

use+

  • CreateRepository
  • DeleteRepository
  • CreateProtectedBranch
  • UpdateProtectedBranch
  • DeleteProtectedBranch
  • GetRepositorySettings
  • UpdateRepositorySettings
  • DeleteRepositorySettings
  • ProtectedBranchReceivePack
  • Create a repository.
  • Delete a specific repository by ID.
  • Create a protected branch in a repository.
  • Update the protection level on a protected branch. The current protection level options are, PULL_REQUEST_MERGE_ONLY and READ_ONLY.
  • Delete a protected branch. This removes the restrictions added to a branch when it was protected.
  • Get the custom settings configured for a repository.
  • Update the custom settings configured for a repository.
  • Remove the custom settings configured for a repository.
  • Gives allowed users the ability to directly push to at protected branch.
devops-repository

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-repository resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_REPOSITORY_INSPECT ListRepositories List all the repository resources by compartment ID, project ID, or repository ID.
read

inspect+

DEVOPS_REPOSITORY_READ

inspect+

GetRepository

Get a specific repository by ID.
use

read+

DEVOPS_REPOSITORY_UPDATE

read+

UpdateRepository

Update a specific repository by ID.
manage

use+

DEVOPS_REPOSITORY_CREATE

use+

CreateRepository

Create a repository.

manage

use+

DEVOPS_REPOSITORY_DELETE

use+

DeleteRepository

Delete a specific repository by ID.

devops-connection

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-connection resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_CONNECTION_INSPECT ListConnections List all the connections in a project or compartment.
read

inspect+

DEVOPS_CONNECTION_READ

inspect+

GetConnection

Get a specific connection by ID.
use

read+

DEVOPS_CONNECTION_UPDATE

read+

UpdateConnection

Update a specific connection by ID.
use

read+

DEVOPS_CONNECTION_VALIDATE

read+

ValidateConnection

Validate the connection's PAT.
manage

use+

DEVOPS_CONNECTION_CREATE

use+

CreateConnection

Create a connection resource in a project.

manage

use+

DEVOPS_CONNECTION_DELETE

use+

DeleteConnection

Delete a specific connection by ID.

devops-trigger

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-trigger resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_TRIGGER_INSPECT ListTriggers List all the triggers in a project or compartment.
read

inspect+

DEVOPS_TRIGGER_READ

inspect+

GetTrigger

Get a specific trigger by ID.
use

read+

DEVOPS_TRIGGER_UPDATE

read+

UpdateTrigger

Update a specific trigger by ID.
manage

use+

DEVOPS_TRIGGER_CREATE

use+

CreateTrigger

Create a trigger resource in a project.

manage

use+

DEVOPS_TRIGGER_DELETE

use+

DeleteTrigger

Delete a specific trigger by ID.

devops-build-family

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-family resource.

Verbs Permissions APIs Covered Description
inspect
  • DEVOPS_BUILD_PIPELINE_INSPECT
  • DEVOPS_BUILD_PIPELINE_STAGE_INSPECT
  • DEVOPS_BUILD_RUN_INSPECT
  • ListBuildPipelines
  • ListBuildPipelineStages
  • ListBuildRuns
  • List all the build pipeline resources in a compartment.
  • List stages within a build pipeline or compartment.
  • List build runs in a project or compartment.
read

inspect+

  • DEVOPS_BUILD_PIPELINE_READ
  • DEVOPS_BUILD_PIPELINE_STAGE_READ
  • DEVOPS_BUILD_RUN_READ

inspect+

  • GetBuildPipeline
  • GetBuildPipelineStage
  • GetBuildRun
  • Get a specific build pipeline by ID.
  • Get a specific build pipeline stage by ID.
  • Gets a specific build run by ID.
use

read+

  • DEVOPS_BUILD_PIPELINE_UPDATE
  • DEVOPS_BUILD_PIPELINE_STAGE_UPDATE
  • DEVOPS_BUILD_RUN_UPDATE
  • DEVOPS_BUILD_RUN_CANCEL

read+

  • UpdateBuildPipeline
  • UpdateBuildPipelineStage
  • UpdateBuildRun
  • CancelBuildRun
  • Update a specific build pipeline by ID.
  • Update a specific build pipeline stage by ID.
  • Update an existing build run.
  • Cancels a build run that's running.
manage

use+

  • DEVOPS_BUILD_PIPELINE_CREATE
  • DEVOPS_BUILD_PIPELINE_DELETE
  • DEVOPS_BUILD_PIPELINE_STAGE_CREATE
  • DEVOPS_BUILD_PIPELINE_STAGE_DELETE
  • DEVOPS_BUILD_RUN_CREATE
  • DEVOPS_BUILD_RUN_DELETE

use+

  • CreateBuildPipeline
  • DeleteBuildPipeline
  • CreateBuildPipelineStage
  • DeleteBuildPipelineStage
  • CreateBuildRun
  • DeleteBuildRun
  • Create a build pipeline resource.
  • Delete a build pipeline.
  • Create a stage within a build pipeline.
  • Delete a specific build pipeline stage by ID.
  • Start a build run for a build pipeline.
  • Delete an existing build run.
devops-build-pipeline

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-pipeline resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_BUILD_PIPELINE_INSPECT ListBuildPipelines List all the build pipeline resources in a compartment.
read

inspect+

DEVOPS_BUILD_PIPELINE_READ

inspect+

GetBuildPipeline

Get a specific build pipeline by ID.
use

read+

DEVOPS_BUILD_PIPELINE_UPDATE

read+

UpdateBuildPipeline

Update a specific build pipeline by ID.
manage

use+

DEVOPS_BUILD_PIPELINE_CREATE

use+

CreateBuildPipeline

Create a build pipeline resource.

manage

use+

DEVOPS_BUILD_PIPELINE_DELETE

use+

DeleteBuildPipeline

Delete a specific build pipeline.

devops-build-pipeline-stage

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-pipeline-stage resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_BUILD_PIPELINE_STAGE_INSPECT ListBuildPipelineStages List all the stages in a build pipeline or compartment.
read

inspect+

DEVOPS_BUILD_PIPELINE_STAGE_READ

inspect+

GetBuildPipelineStage

Get a specific build pipeline stage by ID.
use

read+

DEVOPS_BUILD_PIPELINE_STAGE_UPDATE

read+

UpdateBuildPipelineStage

Update a specific build pipeline stage by ID.
manage

use+

DEVOPS_BUILD_PIPELINE_STAGE_CREATE

use+

CreateBuildPipelineStage

Create a stage in a build pipeline.

manage

use+

DEVOPS_BUILD_PIPELINE_STAGE_DELETE

use+

DeleteBuildPipelineStage

Delete specific build pipeline stage by ID.

devops-build-run

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-run resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_BUILD_RUN_INSPECT ListBuildRuns List the build runs in a project or compartment.
read

inspect+

DEVOPS_BUILD_RUN_READ

inspect+

GetBuildRun

Gets a specific build run by ID.
use

read+

DEVOPS_BUILD_RUN_UPDATE

read+

UpdateBuildRun

Update an existing build run.
use

read+

DEVOPS_BUILD_RUN_CANCEL

read+

CancelBuildRun

Cancel a running build run.
manage

use+

DEVOPS_BUILD_RUN_CREATE

use+

CreateBuildRun

Start a build run for a given build pipeline.

manage

use+

DEVOPS_BUILD_RUN_DELETE

use+

DeleteBuildRun

Delete an existing build run.

Creating a Policy and Dynamic Group

To grant users permission to access the various DevOps resources such as build pipelines, deployment pipelines, artifacts, and code repositories you have to create groups, dynamic groups and IAM policies.

A policy allows a group  to work in certain ways with specific types of resources  in a particular compartment .

Policy

Here's how you create a policy in the Oracle Cloud Console:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy rule in the following format:

    Allow <group> to <verb> <resource_type> in <compartment or tenancy details>
  5. Click Create.

For more information about creating policies, see How Policies Work and Policy Reference.

To create a group and add users to the group, see Managing Groups.

Dynamic Group

Dynamic group is a special type of group that contains resources (such as compute instances) that match rules that you define.

Matching rules define the resources that belong to the dynamic group. In the Console, you can either enter the rule manually in the provided text box, or you can use the rule builder. For more details, see Writing Matching Rules to Define Dynamic Groups. Use the match-any rule to match multiple conditions.

Create a dynamic group for your DevOps resources. You can name the dynamic group as, for example, DevOpsDynamicGroup and replace compartmentOCID with the OCID of your compartment:
ALL {resource.type = 'devopsdeploypipeline', resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsrepository', resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsbuildpipeline',resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsconnection',resource.compartment.id = 'compartmentOCID'}

For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

Required policy statement for DevOpsDynamicGroup:
Allow dynamic-group DevOpsDynamicGroup to manage devops-family in compartment <compartment_name>
Note

For tenancies that have identity domains, the domain name must precede the dynamic group name in the policy. For example, domain-name/{DevOpsDynamicGroup}

Policy Examples

DevOps policies required for using various DevOps resources such as code repositories, build pipelines and deployment pipelines.

Following policy examples are provided:

Environment Policies

Policy example for creating target environment that is used for deployment.

See the instructions for creating policies using the Console.

Create policy to allow users in a group to create, update or delete a private OKE environment:
Allow group <group-name> to manage virtual-network-family in compartment <compartment_name> where any {request.operation='CreatePrivateEndpoint', request.operation='UpdatePrivateEndpoint', request.operation='DeletePrivateEndpoint', request.operation='EnableReverseConnection', request.operation='ModifyReverseConnection', request.operation='DisableReverseConnection'}

Code Repository Policies

Policy examples for creating a code repository and connecting to external code repositories such as GitHub and GitLab.

See the instructions for creating policies, groups, and dynamic groups using the Console.

To create a code repository, create following IAM policies:
  • Allow users in a group to have access to the DevOps project:
    Allow group <group-name> to read devops-project in compartment <compartment_name>
  • Allow users in a group to read, create, update, or delete a repository:
    Allow group <group-name> to manage devops-repository in compartment <compartment_name>
To clone a repository, create following IAM policies:
  • Allow users in a group to have access to the DevOps project:
    Allow group <group-name> to read devops-project in compartment <compartment_name>
  • Allow users in a group to read or update a repository:
    Allow group <group-name> to use devops-repository in compartment <compartment_name>
To integrate with external code repositories, create a policy in the root compartment. For example, to allow the dynamic group to read secrets:
Allow dynamic-group DevOpsDynamicGroup to read secret-family in compartment <compartment_name>
To validate an external connection, create the following IAM policy along with the policy to read secrets:
Allow group <group-name> to use devops-connection in compartment <compartment_name>

To create a pull request, you must define policies based on the actions that a user is allowed to perform. For more information and examples, see Managing Pull Requests.

Build Pipeline Policies

Policy examples for creating build pipelines and adding stages to the pipeline.

See the instructions for creating policies using the Console.

  • Create IAM policies to allow the dynamic group to access OCI resources in the compartment:
    • To deliver artifacts, provide access to the Container Registry (OCIR):
      Allow dynamic-group DevOpsDynamicGroup to manage repos in compartment <compartment_name>
    • To access vault for personal access token (PAT), provide access to secret-family. This policy is required in the Managed Build stage for accessing PAT to download the source code:
      Allow dynamic-group DevOpsDynamicGroup to read secret-family in compartment <compartment_name>
    • Provide access to read deployment artifacts in the Deliver Artifacts stage, read DevOps code repository in the Managed Build stage, and trigger deployment pipeline in the Trigger Deploy stage:
      Allow dynamic-group DevOpsDynamicGroup to manage devops-family in compartment <compartment_name>
    • To deliver artifacts, provide access to the Artifact Registry:
      Allow dynamic-group DevOpsDynamicGroup to manage generic-artifacts in compartment <compartment_name>
    • To send notifications, provide access to the build pipeline:
      Allow dynamic-group DevOpsDynamicGroup to use ons-topics in compartment <compartment_name>
  • Create policies to allow private access setup in the Managed Build stage:
    Allow dynamic-group DevOpsDynamicGroup to use subnets in compartment <customer subnet compartment>
    Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <customer subnet compartment>
    If any network security groups (NSGs) are specified in the private access configuration, then the policy must allow access to the NSGs:
    Allow dynamic-group DevOpsDynamicGroup to use network-security-groups in compartment <customer subnet compartment>
  • Create a policy to allow the build pipeline to access the Certificate Authority (CA) bundle resource for Transport Layer Security (TLS) verification:
    Allow dynamic-group DevOpsDynamicGroup to use cabundles in compartment <compartment_name>

Policies for Accessing ADM Resources

Policy examples for accessing Application Dependency Management (ADM) service's resources from the build pipeline.

See the instructions for creating policies using the Console.

Create IAM policies to allow the dynamic group to access ADM resources in the tenancy:
Allow dynamic-group DevOpsDynamicGroup to use adm-knowledge-bases in tenancy
Allow dynamic-group DevOpsDynamicGroup to manage adm-vulnerability-audits in tenancy

Deployment Pipeline Policies

Policy examples for creating deployment pipelines and adding stages to the pipeline.

See the instructions for creating policies using the Console.

Create IAM policies to allow the deployment pipeline dynamic group to access your compartment resources:
  • OKE cluster deployments:
    Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to manage cluster in compartment <compartment_name>
  • Functions:
    Allow dynamic-group DevOpsDynamicGroup to manage fn-function in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to read fn-app in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to use fn-invocation in compartment <compartment_name>
  • Instance Group deployments:
    Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to read instance-family in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to use instance-agent-command-family in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to use load-balancers in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <compartment_name>
    For an instance group deployment, you also need to create a dynamic group for the following instances and give the dynamic group certain permissions:
    • Create a dynamic group for the instances. For example, you can name the dynamic group as, DeployComputeDynamicGroup and replace compartmentOCID with the OCID of your compartment:
      All {instance.compartment.id = 'compartmentOCID'}
    • Create IAM policies to give required access to the deployment instances:
      Allow dynamic-group DeployComputeDynamicGroup to use instance-agent-command-execution-family in compartment <compartment_name>
      Allow dynamic-group DeployComputeDynamicGroup to read generic-artifacts in compartment <compartment_name>
      Allow dynamic-group DeployComputeDynamicGroup to read secret-family in compartment <compartment_name>
  • Helm stage deployments:
    Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to manage cluster in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to read repos in compartment <compartment_name>
  • Approval stage:
    Allow group pipeline1_approvers to use devops-family in compartment <compartment_name>  where all {request.principal.id = 'ocid1.pipeline1'}
    Allow group pipeline2_approvers to use devops-family in compartment <compartment_name>  where all {request.principal.id = 'ocid1.pipeline2'}
  • Shell stage:
    Allow dynamic-group DevOpsDynamicGroup to manage compute-container-instances in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to manage compute-containers in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to use subnets in compartment <compartment_name>
    Allow dynamic-group DevOpsDynamicGroup to use dhcp-options in compartment <compartment_name>
    If you're using Network security group while creating Shell stage, then add the following policy:
    Allow dynamic-group DevOpsDynamicGroup to use network-security-groups in compartment <compartment_name>

Artifact Policies

Policy examples for adding the Deliver Artifacts stage to the build pipeline.

The Deliver Artifacts stage maps the build outputs from the Managed Build stage with the version to deliver to a DevOps artifact resource, and then to the Oracle Cloud Infrastructure (OCI) code repository. DevOps supports artifacts stored in OCI Container Registry and Artifact Registry repositories. See Adding a Deliver Artifacts Stage.

See the instructions for creating policies using the Console.

Create following IAM policies:

  • To see a list of all repositories in Container Registry belonging to the tenancy or to a particular compartment:
    Allow dynamic-group DevOpsDynamicGroup to inspect repos in tenancy
    Allow dynamic-group DevOpsDynamicGroup to inspect repos in compartment <compartment_name>
  • Allow artifacts to be pushed to the Container Registry (OCIR) that belongs to the tenancy or to a particular compartment:
    Allow dynamic-group DevOpsDynamicGroup to use repos in tenancy
    Allow dynamic-group DevOpsDynamicGroup to use repos in compartment <compartment_name>

    See Policies to Control Repository Access.

  • Ability to see a list of generic artifacts in Artifact Registry belonging to the tenancy or to a particular compartment:
    Allow dynamic-group DevOpsDynamicGroup to inspect generic-artifacts in tenancy
    Allow dynamic-group DevOpsDynamicGroup to inspect generic-artifacts in compartment <compartment_name>
  • Allow generic artifacts to be pushed to the Artifact Registry that belongs to the tenancy or to a particular compartment:
    Allow dynamic-group DevOpsDynamicGroup to use generic-artifacts in tenancy
    Allow dynamic-group DevOpsDynamicGroup to use generic-artifacts in compartment <compartment_name>

    See Artifact Registry Policies.

  • Allow users to pull generic artifacts that belongs to the tenancy or to a particular compartment:
    Allow dynamic-group DevOpsDynamicGroup to read generic-artifacts in tenancy
    Allow dynamic-group DevOpsDynamicGroup to read generic-artifacts in compartment <compartment_name>

Accessing Artifact Registry

Oracle Cloud Infrastructure Artifact Registry is a repository service for storing, sharing, and managing software development packages.

You can access the artifacts that you store in Artifact Registry from the DevOps service. You can create a reference to three types of artifacts in Artifact Registry: instance group deployment configurations, general artifacts, and Kubernetes manifests. Your administrator must grant the read all-artifacts permission to the pipeline resources.

See the instructions for creating policies using the console.

Create IAM policy to allow the dynamic group to access the artifacts from a specific compartment:
Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>

For more information, see Artifact Registry Policies.