Zero Trust Packet Routing IAM Policies

Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies to control access to the Zero Trust Packet Routing (ZPR) service.

See Details for the Core Services for information on IAM policies for Networking and Compute.

Individual Resource Types

zpr-policy

zpr-security-attribute

Aggregate Resource Types

zpr-family

security-attribute-family

A policy that uses an aggregate resource type, for example, <verb> zpr-family, is equal to writing a policy with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verbs + Resource-Type Combinations for detailed information about the API operations covered by each verb, for each individual resource-type included in zpr-family and security-attribute-family.

Supported Variables

Zero Trust Packet Routing supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see Details for Verbs + Resource-Type Combinations.


Variable	Variable Type	Comments
`target.security-attribute-namespace.name`	String	Use this variable to control whether to allow operations against a specific security attribute namespace in response to a request to read, update, delete, or move a security attribute namespace, or to view information related to work requests for a security attribute namespace.
`target.security-attribute-namespace.id`	Entity	This variable is supported only in statements granting permissions for the security-attribute-namespaces resource-type.

Details for Verbs + Resource-Type Combinations

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas no extra indicates no incremental access.

For example, the read verb for the zpr-policy resource-type includes the same permissions and API operations as the inspect verb, but also adds the GetZprPolicy API operation. Likewise, the manage verb for the zpr-policy resource-type allows even more permissions when compared to the use permission. For the zpr-policy resource-type, the manage verb includes the same permissions and API operations as the use verb, plus the ZPR_POLICY_CREATE and the ZPR_POLICY_DELETE permissions, and the applicable API operations (CreateZprPolicy and DeleteZprPolicy).

zpr-policy


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	ZPR_POLICY_INSPECT	`ListZprPolicies` `ListZprPolicyWorkRequests`	none
read	INSPECT + ZPR_POLICY_READ	INSPECT + `GetZprPolicy` `GetZprPolicyWorkRequest` `ListZprPolicyWorkRequestErrors` `ListZprPolicyWorkRequestLogs`	none
use	READ + ZPR_POLICY_UPDATE	`UpdateZprPolicy`	none
manage	USE + ZPR_POLICY_CREATE ZPR_POLICY_DELETE	USE + `CreateZprPolicy` `DeleteZprPolicy`	none

zpr-configuration


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect			none
read	INSPECT + ZPR_CONFIGURATION_READ	INSPECT + `GetConfiguration` `GetZprConfigurationWorkRequest` `ListZprConfigurationWorkRequests` `ListZprConfigurationWorkRequestErrors` `ListZprConfigurationWorkRequestLogs`	none
use	READ + ZPR_CONFIGURATION_UPDATE	`UpdateConfiguration`	none
manage	USE + ZPR_CONFIGURATION_CREATE ZPR_CONFIGURATION_DELETE	USE + `CreateConfiguration` `DeleteConfiguration`	none

security-attribute-namespace


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	SECURITY_ATTRIBUTE_NAMESPACE_INSPECT	`ReadSecurityAttributeNamespace` `ReadSecurityAttribute` `SecurityAttributeWorkRequest`	none
read	INSPECT + SECURITY_ATTRIBUTE_NAMESPACE_READ	INSPECT + `ReadSecurityAttributeNamespace` `ReadSecurityAttribute`	none
use	READ + SECURITY_ATTRIBUTE_NAMESPACE_USE		none
manage	USE + SECURITY_ATTRIBUTE_NAMESPACE_CREATE SECURITY_ATTRIBUTE_NAMESPACE_DELETE SECURITY_ATTRIBUTE_NAMESPACE_MOVE SECURITY_ATTRIBUTE_NAMESPACE_UPDATE ZPR_CONFIGURATION_DELETE	USE + `CreateSecurityAttributeNamespace` `DeleteSecurityAttributeNamespace` `CascadeDeleteSecurityAttributeNamespace` `DeleteSecurityAttribute` `ChangeCompartment` for `SecurityAttributeNamespace` `UpdateSecurityAttributeNamespace` `CreateSecurityAttribute` `UpdateSecurityAttribute`	none

Permissions Required for Each API Operation

The following sections list the Zero Trust Packet Routing API and Security Attribute API operations.

Zero Trust Packet Routing API Operations

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`ListZprPolicies` `ListZprPolicyWorkRequests`	ZPR_POLICY_INSPECT
`CreateZprPolicy`	ZPR_POLICY_CREATE
`GetZprPolicy`	ZPR_POLICY_READ
`GetZprPolicyWorkRequest`	ZPR_POLICY_READ
`ListZprPolicyWorkRequestErrors`	ZPR_POLICY_READ
`ListZprPolicyWorkRequestLogs`	ZPR_POLICY_READ
`UpdateZprPolicy`	ZPR_POLICY_UPDATE
`DeleteZprPolicy`	ZPR_POLICY_DELETE
`CreateConfiguration`	ZPR_CONFIGURATION_CREATE
`GetConfiguration`	ZPR_CONFIGURATION_READ
`ListZprConfigurationWorkRequests`	ZPR_CONFIGURATION_READ
`GetZprConfigurationWorkRequest`	ZPR_CONFIGURATION_READ
`ListZprConfigurationWorkRequestErrors`	ZPR_CONFIGURATION_READ
`ListZprConfigurationWorkRequestLogs`	ZPR_CONFIGURATION_READ
`UpdateConfiguration`	ZPR_CONFIGURATION_UPDATE
`DeleteConfiguration`	ZPR_CONFIGURATION_DELETE

Security Attribute API Operations

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`CreateSecurityAttributeNamespace`	SECURITY_ATTRIBUTE_NAMESPACE_CREATE
`DeleteSecurityAttributeNamespace`	SECURITY_ATTRIBUTE_NAMESPACE_DELETE
`CascadeDeleteSecurityAttributeNamespace`	SECURITY_ATTRIBUTE_NAMESPACE_DELETE
`DeleteSecurityAttribute`	SECURITY_ATTRIBUTE_NAMESPACE_DELETE
`ReadSecurityAttributeNamespace`	SECURITY_ATTRIBUTE_NAMESPACE_INSPECT
`ReadSecurityAttribute`	SECURITY_ATTRIBUTE_NAMESPACE_INSPECT
`SecurityAttributeWorkRequest`	SECURITY_ATTRIBUTE_NAMESPACE_INSPECT
`ChangeSecurityAttributeNamespaceCompartment`	SECURITY_ATTRIBUTE_NAMESPACE_MOVE
`ReadSecurityAttributeNamespace`	SECURITY_ATTRIBUTE_NAMESPACE_READ
`ReadSecurityAttribute`	SECURITY_ATTRIBUTE_NAMESPACE_READ
`UpdateSecurityAttributeNamespace`	SECURITY_ATTRIBUTE_NAMESPACE_UPDATE
`CreateSecurityAttribute`	SECURITY_ATTRIBUTE_NAMESPACE_UPDATE
`UpdateSecurityAttribute`	SECURITY_ATTRIBUTE_NAMESPACE_UPDATE
`UpdateSecurityAttribute`	SECURITY_ATTRIBUTE_NAMESPACE_USE

Policy Examples

Use the following examples to learn about Zero Trust Packet Routing IAM policies.

To use the Zero Trust Packet Routing (ZPR) service, users require the following permissions for other Oracle Cloud Infrastructure resources:

Read compute instances
Read database resources
Inspect work requests

To learn more, see Details for the Core Services, including Networking and Compute.

ZPR IAM Policy Examples

Allow users in the group SecurityAdmins to create, update, and delete all ZPR policies in the entire tenancy:

Allow group SecurityAdmins to manage zpr-configuration in tenancy
Allow group SecurityAdmins to manage security-attribute-namespace in tenancy
Allow group SecurityAdmins to manage zpr-policy in tenancy

Allow users in the group SecurityAuditors to view all ZPR resources in tenancy:

Allow group SecurityAuditors to read zpr-configuration in tenancy
Allow group SecurityAuditors to read zpr-policy in tenancy
Allow group SecurityAuditors to read security-attribute-namespace in tenancy

Allow group app-admin to manage only the security attribute namespace applications, and group database-admin to manage only the database security attribute namespace.

Allow group app-admin to manage security-attribute-namespace where target.security-attribute-namespace.name = 'applications'

and

Allow group app-admin to manage security-attribute-namespace where target.security-attribute-namespace.name = 'database'