Managing Locks for Tag Namespaces and Tag Defaults

Resource locking provides a consistent, standard way of protecting tag defaults and tag namespaces against tampering. An authorized user can create a tag default or tag namespace with a lock, or add the lock later. When a lock is applied, a lock symbol is displayed, and users other than the lock owner cannot retire, edit, or move the locked tag namespace to another compartment. All tag key definitions within a locked tag namespace inherit the same lock.

Resource locks are of two types:

  • Delete lock: authorized users can read and modify the resource, but cannot delete it.
  • Full lock: authorized users can only read the resource; they cannot modify it.

The user who places a lock is displayed as the lock owner. However, any authorized user with the lock privilege, or any user with global manage permission on the tenancy, is authorized to create and remove any lock in the tenancy.

Required IAM Policy

Users must be Administrators or have manage permission on the resources to add or remove locks.

For example, allowing serviceA to add or remove locks in compartment serviceCompartmentA requires RESOURCE_LOCK_ADD and RESOURCE_LOCK_REMOVE access:
allow service serviceA to {RESOURCE_LOCK_ADD, RESOURCE_LOCK_REMOVE} on compartment serviceCompartmentA
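The following is an added, simplified model of the two behaviours described on this page: how a delete lock and a full lock restrict operations on a tag namespace, and how the RESOURCE_LOCK_ADD and RESOURCE_LOCK_REMOVE permissions in the policy statement above gate adding and removing locks. It is illustrative code written for this page, not OCI's authorization engine or SDK; the policy grammar it parses covers only statements of the form shown above, the tag namespace name and principals are constructed sample values, and the tenancy-wide "global manage" path is deliberately left out.

```python
"""Illustrative model of resource-lock enforcement and RESOURCE_LOCK_* checks.

Not OCI's own implementation: the policy parser accepts only statements of
the form "allow <service|group> <name> to {VERB, ...} on compartment <name>".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Operations that a lock may block. "move" = move to another compartment.
READ_ONLY = {"read"}
MUTATING = {"update", "retire", "move", "delete"}


@dataclass
class Lock:
    type: str    # "DELETE" or "FULL"
    owner: str   # principal that placed the lock (displayed as lock owner)


@dataclass
class TagNamespace:
    name: str
    lock: Optional[Lock] = None


def operation_allowed(ns: TagNamespace, op: str) -> bool:
    """Decide whether `op` may proceed given the namespace's current lock.

    DELETE lock: read and modify are allowed, delete is denied.
    FULL lock:   read only; every mutating operation is denied.
    """
    if op not in READ_ONLY | MUTATING:
        raise ValueError(f"unknown operation {op!r}")
    if ns.lock is None:
        return True
    if ns.lock.type == "FULL":
        return op in READ_ONLY
    if ns.lock.type == "DELETE":
        return op != "delete"
    raise ValueError(f"unknown lock type {ns.lock.type!r}")


# Minimal grammar for the one statement shape used on this page.
POLICY_RE = re.compile(
    r"allow (service|group) (\S+) to \{([^}]*)\} on compartment (\S+)",
    re.IGNORECASE,
)


def parse_policy(statement: str) -> dict:
    """Parse one policy statement into subject, permission set and compartment."""
    m = POLICY_RE.fullmatch(statement.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {statement!r}")
    subject_type, subject, verbs, compartment = m.groups()
    perms = {v.strip().upper() for v in verbs.split(",") if v.strip()}
    return {
        "subject_type": subject_type.lower(),
        "subject": subject,
        "permissions": perms,
        "compartment": compartment,
    }


def has_permission(policies, subject: str, permission: str, compartment: str) -> bool:
    """True if any statement grants `permission` to `subject` in `compartment`."""
    return any(
        p["subject"] == subject
        and p["compartment"] == compartment
        and permission in p["permissions"]
        for p in policies
    )


def add_lock(policies, subject: str, compartment: str, ns: TagNamespace, lock_type: str) -> bool:
    """Place a lock; requires RESOURCE_LOCK_ADD in the resource's compartment."""
    if lock_type not in ("DELETE", "FULL"):
        raise ValueError(f"unknown lock type {lock_type!r}")
    if not has_permission(policies, subject, "RESOURCE_LOCK_ADD", compartment):
        return False
    ns.lock = Lock(type=lock_type, owner=subject)
    return True


def remove_lock(policies, subject: str, compartment: str, ns: TagNamespace) -> bool:
    """Remove a lock; any principal holding RESOURCE_LOCK_REMOVE may do so,
    not only the lock owner."""
    if not has_permission(policies, subject, "RESOURCE_LOCK_REMOVE", compartment):
        return False
    ns.lock = None
    return True


def demo() -> dict:
    """Walk through the page's policy against a constructed tag namespace."""
    policies = [parse_policy(
        "allow service serviceA to {RESOURCE_LOCK_ADD, RESOURCE_LOCK_REMOVE} "
        "on compartment serviceCompartmentA"
    )]
    ns = TagNamespace(name="Operations")  # constructed sample namespace
    out = {}
    out["unauthorized_add"] = add_lock(policies, "serviceB", "serviceCompartmentA", ns, "DELETE")
    out["authorized_add"] = add_lock(policies, "serviceA", "serviceCompartmentA", ns, "DELETE")
    out["update_under_delete_lock"] = operation_allowed(ns, "update")
    out["delete_under_delete_lock"] = operation_allowed(ns, "delete")
    ns.lock = Lock(type="FULL", owner="serviceA")
    out["update_under_full_lock"] = operation_allowed(ns, "update")
    out["read_under_full_lock"] = operation_allowed(ns, "read")
    out["unauthorized_remove"] = remove_lock(policies, "serviceB", "serviceCompartmentA", ns)
    out["authorized_remove"] = remove_lock(policies, "serviceA", "serviceCompartmentA", ns)
    out["delete_after_unlock"] = operation_allowed(ns, "delete")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point a defender should take from the model is that lock removal is a separate permission from the lock itself: a principal with RESOURCE_LOCK_REMOVE in the compartment can clear a lock regardless of who placed it, so that permission (and the tenancy-level manage permission the page mentions) is what to audit when relying on locks as a tamper control.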