Managed Access Policies
Create Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to control who has access to Oracle Managed Access resources, and the type of access for each group of users.
By default, only users in the Administrators group have access to all Managed Access resources. If you're new to IAM policies, see Getting Started with Policies. The supported Oracle Managed Access policies use the term lockbox to refer to an Oracle Managed Access resource.
For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference.
Oracle Managed Access is only supported for Fusion Applications customers who subscribe to Break Glass.
Details for Oracle Managed Access
This topic covers details for writing policies to control access to the Managed Access service.
Resource-Types
The following resource types are related to Oracle Managed Access.
Resource Type | Permissions |
---|---|
lockboxes | |
approval-templates | |
access-requests | |
access-approvals | |
A policy that uses <verb> lockbox-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.
Individual Resource-Types
- lockbox, lockboxes
- approval-template, approval-templates
- access-request, access-requests
- access-approval, access-approvals
Aggregate Resource-Types
- lockbox-family
Supported Variables
Managed Access IAM policies support all the general policy variables.
For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.
Details for Verb + Resource-Type Combinations
View the permissions covered by each verb for Oracle Managed Access resources.
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas no plus sign indicates no incremental access.
Verbs | Permissions |
---|---|
inspect | |
read | + inspect |
use | + read |
manage | + use |

Verbs | Permissions |
---|---|
inspect | |
read | + inspect |
use | + read |
manage | + use |

Verbs | Permissions |
---|---|
inspect | |
read | + inspect |
use | + read |
manage | + use |

Verbs | Permissions |
---|---|
inspect | |
read | + inspect |
use | + read |
manage | + use |
Permissions Required for Each API Operation
The following table lists the Managed Access API operations in a logical order, grouped by resource type.
For more information about permissions, see Managed Access policies.
Operations | Permissions |
---|---|
ListLockboxes | |
CreateLockbox | |
GetLockbox | |
UpdateLockbox | |
DeleteLockbox | |
ChangeLockboxCompartment | |
ListApprovalTemplates | |
CreateApprovalTemplate | |
GetApprovalTemplate | |
UpdateApprovalTemplate | |
DeleteApprovalTemplate | |
ChangeApprovalTemplateCompartment | |
ListAccessRequests | |
CreateAccessRequest | |
GetAccessRequest | |
HandleAccessRequest | |
GetAccessMaterials | |
ListAccessApproval | |
GetAccessApproval | |
CreateAccessApproval | |
GetAccessMaterials | |
RevokeAccessApproval | |
Policy Examples
Learn about Oracle Managed Access IAM policies using examples.
- Allow users in the group SecurityAdmins to create, update, and delete all Managed Access resources in the entire tenancy:

  Allow group SecurityAdmins to manage lockbox-family in tenancy

- Allow group operators to inspect access-request in compartment tenancy
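To make the cumulative verb hierarchy, the lockbox-family expansion and the scope of a statement concrete, here is an added Python example. It is not Oracle's code and not an OCI SDK API: it parses policy statements of the simple "Allow group ... to <verb> <resource-type> in <scope>" shape shown on this page and answers whether a group holds at least a given level of access on a resource type. It assumes that a tenancy-wide grant covers every compartment, leaves out compartment hierarchies, `where` conditions and dynamic groups, and adds a constructed Approvers group and a compartment named ops alongside the page's two statements.

```python
import re
from dataclasses import dataclass

# Verb hierarchy described on the page: access is cumulative from inspect to read to use to manage.
VERB_LEVEL = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# The aggregate resource type and the individual types it stands for (both listed on the page).
FAMILY = {
    "lockbox-family": ("lockboxes", "approval-templates", "access-requests", "access-approvals"),
}

# Singular spellings the page also lists, normalised to the plural form.
ALIASES = {
    "lockbox": "lockboxes",
    "approval-template": "approval-templates",
    "access-request": "access-requests",
    "access-approval": "access-approvals",
}

# Only the simple statement shape from the page is handled; "where" conditions and
# dynamic-group statements are deliberately outside this model (assumption).
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Grant:
    group: str
    verb: str
    resource: str  # individual or aggregate resource type, plural form
    scope: str     # "tenancy" or "compartment <name>"


def parse_statement(text):
    """Parse one policy statement into a Grant (aggregate types are not yet expanded)."""
    m = STATEMENT.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    resource = m.group("resource").lower()
    resource = ALIASES.get(resource, resource)
    return Grant(m.group("group"), m.group("verb").lower(), resource, m.group("scope").lower())


def expand(grant):
    """One Grant per individual resource type: lockbox-family equals four separate statements."""
    members = FAMILY.get(grant.resource)
    if members is None:
        return [grant]
    return [Grant(grant.group, grant.verb, r, grant.scope) for r in members]


def effective_access(statements):
    """Strongest verb each group holds per (resource, scope), after expansion."""
    best = {}
    for text in statements:
        for g in expand(parse_statement(text)):
            key = (g.group, g.resource, g.scope)
            if key not in best or VERB_LEVEL[g.verb] > VERB_LEVEL[best[key]]:
                best[key] = g.verb
    return best


def is_allowed(statements, group, verb, resource, scope):
    """True if the statements grant `group` at least `verb` on `resource` in `scope`.

    A tenancy-wide grant covers every compartment (assumption); a compartment grant
    covers only that compartment, since child compartments are not modelled here.
    """
    resource = ALIASES.get(resource, resource)
    best = effective_access(statements)
    for candidate_scope in (scope, "tenancy"):
        held = best.get((group, resource, candidate_scope))
        if held is not None and VERB_LEVEL[held] >= VERB_LEVEL[verb]:
            return True
    return False


# The two statements from the page's example plus one constructed statement for a
# hypothetical Approvers group in a hypothetical compartment named ops.
POLICIES = [
    "Allow group SecurityAdmins to manage lockbox-family in tenancy",
    "Allow group operators to inspect access-request in compartment tenancy",
    "Allow group Approvers to use access-approvals in compartment ops",
]

if __name__ == "__main__":
    for (group, resource, scope), verb in sorted(effective_access(POLICIES).items()):
        print(f"{group:15} {verb:8} {resource:20} in {scope}")
    # Operators hold inspect only, so read is refused.
    print(is_allowed(POLICIES, "operators", "read", "access-requests", "compartment tenancy"))
```

Running the module prints the expanded grant table, which is the quickest way to see that one manage lockbox-family statement silently covers all four resource types, including access-approvals and the GetAccessMaterials path; reviewing that expansion is where a least-privilege check on these policies starts.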
For all policies, see Managed Access Policies.