Managing Locks for Tag Namespaces and Tag Defaults
Resource Locking provides a consistent and standard way of protecting your tag defaults and tag namespaces against tampering. An authorized user can create a tag default or tag namespace with a lock, or add the lock later. When the lock is applied, a lock symbol is displayed and users other than the lock owner cannot retire, edit, or move the locked tag namespace to another compartment. All the tag key definitions within the locked tag namespace inherit the same lock.
Resource locks are of two types:
- Delete lock: With a delete lock, authorized users can read and modify the resource, but cannot delete it.
- Full lock: With a full lock, authorized users can only read the resource; they cannot modify it.
The user who places a lock is displayed as the lock owner. However, any authorized user with the lock privilege, or any user with global manage permission for the tenancy, is authorized to create and remove any lock in the tenancy.
Required IAM Policy
Users must have Administrator or manage resources to add or remove locks.
RESOURCE_LOCK_ADD and RESOURCE_LOCK_REMOVE access.
allow service serviceA to {RESOURCE_LOCK_ADD, RESOURCE_LOCK_REMOVE} on compartment serviceCompartmentA
Using the API
Use these API operations to manage locks for tag namespaces:
Use these API operations to manage locks for tag defaults: