Policy Reference
Get an overview of IAM policy reference topics, including verbs, resources types, and general variables.
This reference includes:
- Fleet Application Management: See Fleet Application Management Policies and Permissions
- Details for Functions
- Full Stack Disaster Recovery: See Full Stack Disaster Recovery Policies
- Globally Distributed Autonomous Database: See Globally Distributed Autonomous Database Policies
- GoldenGate: See Oracle Cloud Infrastructure GoldenGate Policies
- Details for Health Checks
- Details for IAM without Identity Domains
- For Integration Generation 2 and Integration 3, see Details for Oracle Integration.
- Details for the Java Management Service
- Details for Kubernetes Engine
For instructions on how to create and manage policies using the Console or API, see Overview of Working with Policies.
Verbs
The verbs are listed in order of least amount of ability to most. The exact meaning of a each verb depends on which resource-type it's paired with. The tables later in this section show the API operations covered by each combination of verb and resource-type.
Verb | Target User | Types of Access Covered |
---|---|---|
inspect
|
Third-party auditors | Ability to list resources, without access to any confidential information or user-specified metadata that might be part of that resource. Important: The operation to list policies includes the contents of the policies themselves. The list operations for the Networking resource-types return all the information (for example, the contents of security lists and route tables). |
read
|
Internal auditors | Includes inspect plus the ability to get user-specified metadata and the actual resource itself. |
use
|
Day-to-day end users of resources | Includes read plus the ability to work with existing resources (the actions vary by resource type). Includes the ability to update the resource, except for resource-types where the "update" operation has the same effective impact as the "create" operation (for example, UpdatePolicy , UpdateSecurityList , and more), in which case the "update" ability is available only with the manage verb. In general, this verb doesn't include the ability to create or delete that type of resource. |
manage
|
Administrators | Includes all permissions for the resource. |
Resource-Types
A few common family resource-types are listed below. For the individual resource-types that make up each family, follow the links.
all-resources
: All Oracle Cloud Infrastructure resource-typescluster-family
: See Details for Kubernetes Enginecompute-management-family
: See Details for the Core Servicesdata-catalog-family
: See Data Catalog Policiesdata-science-family
: See Data Science Policiesdatabase-family
: See Details for the Database Servicedatasafe-family-resources
: See OCI Resources for Oracle Data Safedns
: See Details for the DNS Serviceemail-family
: See Details for the Email Delivery Servicefile-family
: See Details for the File Storage Serviceinstance-agent-command-family
: See Details for the Core Servicesinstance-agent-family
: See Details for the Core Servicesinstance-family
: See Details for the Core Servicesobject-family
: See Details for Object Storage, Archive Storage, and Data Transferoptimizer-api-family
: See Creating Cloud Advisor Policiesappmgmt-family
: See Details for Stack Monitoringstack-monitoring-family
: See Details for Stack Monitoringvirtual-network-family
: See Details for the Core Servicesvolume-family
: See Details for the Core Services
IAM has no family resource-type, only individual ones. See IAM Policies Overview or Details for IAM without Identity Domains, depending on whether your tenancy has identity domains or not.
General Variables for All Requests
You use variables when adding conditions to a policy. For more information, see Conditions. Here are the general variables applicable to all requests.
Name | Type | Description |
---|---|---|
request.user.id
|
Entity (OCID) | The OCID of the requesting user. |
request.user.name |
String | Name of the requesting user. |
request.user.mfaTotpVerified
|
Boolean |
Whether the user has been verified by multifactor authentication (MFA). To restrict access to only MFA-verified users, add the condition
See Managing Multifactor Authentication for information on setting up MFA. |
request.groups.id
|
List of entities (OCIDs) | The OCIDs of the groups the requesting user is in. |
request.permission
|
String | The underlying permission being requested (see Permissions). |
request.operation
|
String | The API operation name being requested (for example, ListUsers). |
request.networkSource.name
|
String | The name of the network source group that specifies allowed IP addresses the request may come from. See Managing Network Sources for information. |
request.utc-timestamp |
String | The UTC time that the request is submitted, specified in ISO 8601 format. See Restricting Access to Resources Based on Time Frame for more information. |
request.utc-timestamp.month-of-year |
String | The month that the request is submitted in, specified in numeric ISO 8601 format (for example, '1', '2', '3', ... '12'). See Restricting Access to Resources Based on Time Frame for more information. |
request.utc-timestamp.day-of-month |
String | The day of the month that the request is submitted in, specified in numeric format '1' - '31'. See Restricting Access to Resources Based on Time Frame for more information. |
request.utc-timestamp.day-of-week |
String | The day of the week that the request is submitted in, specified in English (for example, 'Monday', 'Tuesday', 'Wednesday', etc.). See Restricting Access to Resources Based on Time Frame for more information. |
request.utc-timestamp.time-of-day |
String | The UTC time interval that request is submitted during, in ISO 8601 format (for example, '01:00:00Z' AND '02:01:00Z'). See Restricting Access to Resources Based on Time Frame for more information. |
request.region
|
String |
The 3-letter key for the region the request is made in. Allowed values are: Note: For quota policies, the region name must be specified instead of the following 3-letter key values. Also see Sample Quotas for more information.
|
request.ad
|
String | The name of the availability domain the request is made in. To get a list of availability domain names, use the ListAvailabilityDomains operation. |
request.principal.compartment.tag
|
String | The tags applied to the compartment that the requesting resource belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access. |
request.principal.group.tag
|
String | The tags applied to the groups that the user belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access. |
target.compartment.name
|
String | The name of the compartment specified in target.compartment.id . |
target.compartment.id
|
Entity (OCID) |
The OCID of the compartment containing the primary resource. Note: |
target.resource.compartment.tag
|
String | The tag applied to the target compartment of the request is evaluated. For usage instructions, see Using Tags to Manage Access. |
target.resource.tag
|
String | The tag applied to the target resource of the request is evaluated. For usage instructions, see Using Tags to Manage Access. |