About Vision Policies

Learn about Vision's resource policies including API permissions.

To control who has access to Vision and the type of access for each group of users, you must create policies. By default, only the users in the Administrators group have access to all Vision resources. For everyone else who uses the service, you must create policies that assign them the proper rights to Vision resources. For a complete list of Oracle Cloud Infrastructure policies, see the policy reference in the IAM with Identity Domains or the IAM without Identity Domains documentation.

Important

Create all the policies at the root compartment level, that is, at the tenancy level. In your tenancy Console, click Identity & Security. Click Policies, and select the root compartment.

Policy to Grant Users Access to Vision APIs

The policies at the root compartment level needed for Vision users.

If your tenancy only uses Vision pretrained models, then a policy to grant USE permission to Vision APIs is sufficient:
allow group <group_in_tenancy> to use ai-service-vision-family in tenancy
If you need to create a project or model in the tenancy, then you must have a policy that grants MANAGE permission on the Vision APIs:
allow group <group_in_tenancy> to manage ai-service-vision-family in tenancy

Policy to Access Input Image Files in Object Storage

The policies required to access image files in Object Storage from Vision in the same tenancy or cross-tenancy.

Same-tenancy Object Storage access
If your input image is located in your tenancy's Object Storage, then create a group in the tenancy to authorize the users who can access the Object Storage there. Add the following policy in your tenancy at the root compartment level to grant object storage USE permissions to the group:
allow group <group_in_tenancy> to use object-family in tenancy
Cross-tenancy Object Storage access
If your input image is located in tenancy_B Object Storage, and your user group is in tenancy_A, then you must define an ENDORSE READ policy on the user group in tenancy_A:
define tenancy <tenancy_B> as <tenancy_B_ocid>
endorse group <group_in_tenancy_A> to read object in tenancy <tenancy_B>
You must also define an ADMIT READ policy in tenancy_B for the user group in tenancy_A:
define tenancy <tenancy_A> as <tenancy_A_ocid>
define group <group_in_tenancy_A> as <group_in_tenancy_A_ocid>
admit group <group_in_tenancy_A> of tenancy <tenancy_A> to read object in tenancy

Policy to Access Training Datasets in Object Storage

The policies required to access training datasets in Object Storage from Vision in the same tenancy or cross-tenancy.

Same tenancy training dataset access
If your customized training dataset is located in your tenancy's Object Storage, then create a group in the tenancy to authorize the users who can access the Object Storage there. Add the following policy in your tenancy at the root compartment level to grant object storage USE permission to the group:
allow group <group_in_tenancy> to use object-family in compartment <training-dataset-located-object-storage-compartment>
Cross-tenancy training dataset access
If your customized training dataset is located in tenancy_B Object Storage, and your user group is in tenancy_A, then you must define an ENDORSE READ policy on the user group in tenancy_A:
define tenancy <tenancy_B> as <tenancy_B_ocid>
endorse group <group_in_tenancy_A> to read object in tenancy <tenancy_B>
You must also define an ADMIT READ policy in tenancy_B for the user group in tenancy_A:
define tenancy <tenancy_A> as <tenancy_A_ocid>
define group <group_in_tenancy_A> as <group_in_tenancy_A_ocid>
admit group <group_in_tenancy_A> of tenancy <tenancy_A> to read object in compartment <training-dataset-located-object-storage-compartment>

Policy to Store Batch Processing Results in Object Storage

The policy required to store batch processing results in Object Storage from Vision.

Add the following policy in your tenancy at the root compartment level to grant object storage access permission to the group that is batch processing images or documents:
allow group <group_in_tenancy> to manage object-family in compartment <batch_processing_results_located_object_storage_compartment>

POST /actions/analyzeImage

The permission use ai-service-vision-analyze-image is required when the request contains features with no modelId specified. That is, you are referencing the pre-trained model.

If the request contains features with a modelId specified, that is, you are referencing a custom model, then use ai-service-vision-model must be granted to the user. The ai-service-vision-analyze-image resource is part of the ai-service-vision-family resource family.

The same call may mix pretrained and custom models in different features. For example, the following /actions/analyzeImage request references a pre-trained model for object detection, and references a custom model for image classification:
{
  "features" : [
    { "featureType" : "OBJECT_DETECTION", "modelId" : "ocid1.aivisionmodel.etc..." },
    { "featureType": "IMAGE_CLASSIFICATION" }
  ],
  "image" : { ... }
}
This request requires the use ai-service-vision-model and use ai-service-vision-analyze-image permissions.
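The rule above (no modelId means the pretrained permission, a modelId means the custom-model permission, and a mixed request needs both) is easy to get wrong when reviewing what a group should be allowed to do. The following helper, an added example that is not Oracle's code, derives the required (verb, resource-type) pairs from an analyzeImage request body and prints the least-privilege policy statements for them. The group name, compartment name and the placeholder modelId and image content in the sample request are constructed for the example; the resource-type names are the ones this page uses.

```python
"""Derive the Vision IAM permissions an /actions/analyzeImage request needs.

Rule from the documentation: a feature with no modelId uses a pretrained
model and needs `use ai-service-vision-analyze-image`; a feature with a
modelId uses a custom model and needs `use ai-service-vision-model`.  One
request may mix both kinds of feature, in which case both permissions apply.
"""
from typing import Any, Optional

PRETRAINED_PERMISSION = ("use", "ai-service-vision-analyze-image")
CUSTOM_MODEL_PERMISSION = ("use", "ai-service-vision-model")


def required_permissions(request: dict[str, Any]) -> set[tuple[str, str]]:
    """Return the (verb, resource-type) pairs a caller must hold for `request`."""
    features = request.get("features") or []
    if not features:
        raise ValueError("analyzeImage request must contain at least one feature")
    needed: set[tuple[str, str]] = set()
    for feature in features:
        if not isinstance(feature, dict) or "featureType" not in feature:
            raise ValueError(f"malformed feature entry: {feature!r}")
        # Presence of a modelId is what selects a custom model, per the docs.
        if feature.get("modelId"):
            needed.add(CUSTOM_MODEL_PERMISSION)
        else:
            needed.add(PRETRAINED_PERMISSION)
    return needed


def minimal_policy(group: str, needed: set[tuple[str, str]],
                   compartment: Optional[str] = None) -> list[str]:
    """Render one `allow group ...` statement per required permission.

    With no compartment the statements are scoped to the whole tenancy;
    otherwise they are limited to the named compartment.
    """
    scope = "in tenancy" if compartment is None else f"in compartment {compartment}"
    return sorted(f"allow group {group} to {verb} {resource} {scope}"
                  for verb, resource in needed)


# Constructed sample request mirroring the mixed example on the page.  The
# modelId and image payload are placeholders, not real OCIDs or image data.
MIXED_REQUEST: dict[str, Any] = {
    "features": [
        {"featureType": "OBJECT_DETECTION", "modelId": "ocid1.aivisionmodel.<placeholder>"},
        {"featureType": "IMAGE_CLASSIFICATION"},
    ],
    "image": {"source": "INLINE", "data": "<base64-placeholder>"},
}

if __name__ == "__main__":
    needed = required_permissions(MIXED_REQUEST)
    # `vision-users` is a constructed group name for the example.
    for statement in minimal_policy("vision-users", needed):
        print(statement)
```

Running the script with the mixed request prints two statements, one for ai-service-vision-analyze-image and one for ai-service-vision-model. Passing a compartment name to minimal_policy produces the compartment-scoped form shown in the policy examples on this page.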

Policy Examples

The following policy only allows the users in the group to use pretrained models:
allow group <group_name> to use ai-service-vision-analyze-image in tenancy
To use custom models, the following permission must be granted to the users' group:
allow group <group_name> to use ai-service-vision-model in tenancy
You can restrict a policy to a specific compartment, for example:
allow group <group_name> to use ai-service-vision-model in compartment <my_compartment>
Instead of the individual resource ID, you can set the permission on the family resource. For example:
allow group <group_name> to use ai-service-vision-family in tenancy

POST /imageJobs

To schedule any image-related job by calling /actions/ImageJobs, you must have the use ai-service-vision-image-job permission.

If the job contains features referencing a custom modelId, then use ai-service-vision-model must also be granted to the user. The ai-service-vision-image-job resource is part of the ai-service-vision-family resource family.

Policy Examples

To run an image-related job with pretrained models, you need the following policy:
allow group <group_name> to use ai-service-vision-analyze-image in tenancy
To run an image job on custom models, you need the following policy too:
allow group <group_name> to use ai-service-vision-model in tenancy
You can limit permissions to a compartment. For example:
allow group <group_name> to use ai-service-vision-model in compartment <compartment_name>
Instead of the individual resource ID, you can set the permission on the family resource. For example:
allow group <group_name> to use ai-service-vision-family in compartment <compartment_name>
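Both Policy Examples sections rely on two properties of OCI policy statements: a stronger verb implies the weaker ones (manage implies use, which implies read and inspect), and a statement on ai-service-vision-family covers the individual Vision resource-types. The following checker, an added example that is not Oracle's code, parses `allow group ... in tenancy|compartment <name>` statements and answers whether a given group holds a given permission in a given compartment, so a reviewer can confirm a policy set is no broader than needed. The family membership listed is only the subset this page names, the group and compartment names in the sample policy are constructed, compartment scope is treated as an exact match (sub-compartment inheritance is not modelled), and the cross-tenancy define/endorse/admit statements are outside what it parses.

```python
"""Check whether OCI IAM 'allow' statements grant a Vision permission.

Models two rules used by the policy examples: a verb implies every weaker
verb (inspect < read < use < manage) and the family resource-type covers
its member resource-types.  Only `allow group ... to <verb> <resource-type>
in tenancy|compartment <name>` statements are supported.
"""
import re
from typing import Iterable, Optional

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Members of the family that this page names.  The real family has more
# members; limiting it to these is an assumption of the example.
FAMILY_MEMBERS = {
    "ai-service-vision-family": {
        "ai-service-vision-analyze-image",
        "ai-service-vision-model",
        "ai-service-vision-image-job",
    },
}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)


def parse_statement(text: str) -> dict:
    """Split one statement into group, verb, resource-type and compartment scope."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported or malformed statement: {text!r}")
    return {
        "group": m["group"],
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        # None means the statement is scoped to the whole tenancy.
        "compartment": None if m["tenancy"] else m["compartment"],
    }


def statement_grants(stmt: dict, group: str, verb: str, resource: str,
                     compartment: Optional[str]) -> bool:
    """True if a single parsed statement satisfies the requested permission."""
    if stmt["group"] != group:
        return False
    if VERB_RANK[stmt["verb"]] < VERB_RANK[verb]:
        return False  # the statement's verb is weaker than the one required
    covered = FAMILY_MEMBERS.get(stmt["resource"], set()) | {stmt["resource"]}
    if resource not in covered:
        return False
    # "in tenancy" covers every compartment; a compartment scope must match exactly.
    return stmt["compartment"] is None or stmt["compartment"] == compartment


def is_granted(policy_text: str, group: str, verb: str, resource: str,
               compartment: Optional[str]) -> bool:
    """True if any statement in `policy_text` grants the permission."""
    statements = [parse_statement(line) for line in policy_text.splitlines() if line.strip()]
    return any(statement_grants(s, group, verb, resource, compartment) for s in statements)


def missing_permissions(policy_text: str, group: str, needed: Iterable[tuple[str, str]],
                        compartment: Optional[str]) -> list[tuple[str, str]]:
    """Return the required (verb, resource-type) pairs the policy does not grant."""
    return sorted((v, r) for v, r in set(needed)
                  if not is_granted(policy_text, group, v, r, compartment))


# Constructed sample policy: group and compartment names are made up.
SAMPLE_POLICY = """
allow group vision-users to use ai-service-vision-analyze-image in tenancy
allow group vision-users to use ai-service-vision-model in compartment ml-dev
allow group vision-admins to manage ai-service-vision-family in tenancy
"""

if __name__ == "__main__":
    needed = {("use", "ai-service-vision-analyze-image"), ("use", "ai-service-vision-model")}
    print("vision-users missing in prod:", missing_permissions(SAMPLE_POLICY, "vision-users", needed, "prod"))
    print("vision-users missing in ml-dev:", missing_permissions(SAMPLE_POLICY, "vision-users", needed, "ml-dev"))
```

With the sample policy, vision-users can run the mixed pretrained/custom request only in ml-dev; in any other compartment the custom-model permission is reported missing, while vision-admins hold every Vision permission everywhere through the manage statement on the family.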