Cloud Guard Policies
To control who has access to Oracle Cloud Guard, and the type of access each group of users has, you must create policies. By default, only users in the Administrators group have access to all Cloud Guard resources. For everyone else who works with Cloud Guard, you must create policies that grant them the appropriate rights to Cloud Guard resources.
For a complete list of Oracle Cloud Infrastructure policies, see Policy Reference.
Resource Types
Cloud Guard offers both aggregate and individual resource types for writing policies.
You can use aggregate resource types to write fewer policies. For example, instead of allowing a group to manage cloud-guard-detectors and cloud-guard-problems, you can have a policy that allows the group to manage the aggregate resource type, cloud-guard-family.
Aggregate Resource Type | Individual Resource Types |
---|---|
cloud-guard-family | |
The APIs covered by the aggregate cloud-guard-family resource type cover every API listed under "Individual Resource Types" in the preceding table. For example,
allow group cloudguard-admins to manage cloud-guard-family in compartment <x>
...is the same as writing 20 policies with this format:
allow group cloudguard-admins to manage <resource_type> in compartment <x>
Details for Verbs + Resource-Type Combinations
Tables of permissions and API operations covered by each verb for Cloud Guard.
The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access. For more information on permissions in Oracle Cloud Infrastructure, see Permissions.
The APIs covered for the cloud-guard-adhoc-query resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_ADHOC_QUERY_INSPECT | | none |
READ | INSPECT + CG_ADHOC_QUERY_READ | INSPECT + | none |
USE | READ + CG_ADHOC_QUERY_CREATE | READ + CreateAdhocQuery | none |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-condition-metadata-types resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_CONDITION_METADATA_TYPES_INSPECT | | none |
READ | INSPECT + CG_CONDITION_METADATA_TYPES_READ | INSPECT + GetCloudGuardConditionMetadataType | no extra |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-config resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_CONFIG_INSPECT | | none |
READ | INSPECT + CG_CONFIG_READ | INSPECT + | none |
USE | READ + CG_CONFIG_UPDATE | READ + | none |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-coverage resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_COVERAGE_INSPECT | | none |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-data-mask-rules resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_DATA_MASK_RULE_INSPECT | | none |
READ | INSPECT + CG_DATA_MASK_RULE_READ | INSPECT + | none |
USE | READ + CG_DATA_MASK_RULE_UPDATE | READ + | none |
MANAGE | USE + CG_DATA_MASK_RULE_CREATE, CG_DATA_MASK_RULE_DELETE | USE + | none |
The APIs covered for the cloud-guard-data-sources resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_DATA_SOURCE_INSPECT | | none |
READ | INSPECT + CG_DATA_SOURCE_READ | INSPECT + | none |
USE | READ + CG_DATA_SOURCE_UPDATE | READ + | none |
MANAGE | USE + CG_DATA_SOURCE_CREATE, CG_DATA_SOURCE_DELETE, CG_DATA_SOURCE_MOVE | USE + | none |
The APIs covered for the cloud-guard-detectors resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_DETECTOR_INSPECT | | none |
READ | INSPECT + CG_DETECTOR_READ | INSPECT + | none |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-detector-recipes resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_DETECTOR_RECIPE_INSPECT | | none |
READ | INSPECT + CG_DETECTOR_RECIPE_READ | INSPECT + | none |
USE | READ + CG_DETECTOR_RECIPE_UPDATE | READ + UpdateCloudGuardDetectorRecipe | none |
MANAGE | USE + CG_DETECTOR_RECIPE_CREATE, CG_DETECTOR_RECIPE_DELETE | USE + | none |
The APIs covered for the cloud-guard-detector-rule-definitions resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_DETECTOR_RULE_DEFINITION_INSPECT | | none |
READ | INSPECT + CG_DETECTOR_RULE_DEFINITION_READ | INSPECT + | none |
USE | READ + CG_DETECTOR_RULE_DEFINITION_UPDATE | READ + UpdateDetectorRuleDefinition | none |
MANAGE | USE + CG_DETECTOR_RULE_DEFINITION_CREATE, CG_DETECTOR_RULE_DEFINITION_DELETE | USE + | none |
The APIs covered for the cloud-guard-findings resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | no extra | no extra | no extra |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | CG_FINDING_CREATE | | none |
The APIs covered for the cloud-guard-managed-lists resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_MANAGED_LIST_INSPECT | | none |
READ | INSPECT + CG_MANAGED_LIST_READ | INSPECT + | none |
USE | READ + CG_MANAGED_LIST_UPDATE | READ + UpdateCloudGuardManagedList | none |
MANAGE | USE + CG_MANAGED_LIST_CREATE, CG_MANAGED_LIST_DELETE, CG_MANAGED_LIST_MOVE | USE + | none |
The APIs covered for the cloud-guard-metadata resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_METADATA_INSPECT | | none |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-meta-data-sync resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | none | none | none |
READ | INSPECT + CG_METADATASYNC_READ | INSPECT + | none |
USE | READ + CG_METADATASYNC_UPDATE | READ + UpdateResourceSync | none |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-problems resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_PROBLEM_INSPECT | | none |
READ | INSPECT + CG_PROBLEM_READ | INSPECT + | none |
USE | READ + CG_PROBLEM_UPDATE | READ + UpdateCloudGuardBulkProblemStatus | none |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-recommendations resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_RECOMMENDATION_INSPECT | | none |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-resource-profile resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_RESOURCE_PROFILE_INSPECT | | none |
READ | INSPECT + CG_RESOURCE_PROFILE_READ | INSPECT + | none |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-resource-types resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_RESOURCE_TYPES_INSPECT | | none |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-resource-view resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_RESOURCE_VIEW_INSPECT | | none |
READ | INSPECT + CG_RESOURCE_VIEW_READ | INSPECT + | none |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-responder-recipes resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_RESPONDER_RECIPE_INSPECT | | none |
READ | INSPECT + CG_RESPONDER_RECIPE_READ | INSPECT + | none |
USE | READ + CG_RESPONDER_RECIPE_UPDATE | READ + UpdateCloudGuardResponderRecipe | none |
MANAGE | USE + CG_RESPONDER_RECIPE_CREATE, CG_RESPONDER_RECIPE_DELETE, CG_RESPONDER_RECIPE_MOVE | USE + | none |
The APIs covered for the cloud-guard-responder-executions resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_RESPONDER_EXECUTION_INSPECT | | none |
READ | INSPECT + CG_RESPONDER_EXECUTION_READ | INSPECT + | none |
USE | READ + CG_RESPONDER_EXECUTION_UPDATE | READ + ExecuteCloudGuardResponderExecution | none |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-risk-scores resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_RISK_SCORES_INSPECT | | none |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-saved-query resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_SAVED_QUERY_INSPECT | | none |
READ | INSPECT + CG_SAVED_QUERY_READ | INSPECT + | none |
USE | READ + CG_SAVED_QUERY_UPDATE | READ + UpdateSavedQuery | none |
MANAGE | USE + CG_SAVED_QUERY_CREATE, CG_SAVED_QUERY_DELETE, CG_SAVED_QUERY_MOVE | USE + | none |
The APIs covered for the cloud-guard-schemas resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_SCHEMA_INSPECT | | none |
READ | INSPECT + CG_SCHEMA_READ | INSPECT + | none |
USE | READ + CG_SCHEMA_UPDATE | READ + UpdateSchema | none |
MANAGE | USE + CG_SCHEMA_CREATE, CG_SCHEMA_DELETE | USE + | none |
The APIs covered for the cloud-guard-security-scores resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_SECURITY_SCORES_INSPECT | | none |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-service-logging resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | no extra | no extra | no extra |
READ | INSPECT + CG_SERVICE_LOGGING_READ | INSPECT + | none |
USE | READ + CG_SERVICE_LOGGING_UPDATE | READ + UpdateServiceLogging | none |
MANAGE | USE + CG_SERVICE_LOGGING_CREATE, CG_SERVICE_LOGGING_DELETE | USE + | none |
The APIs covered for the cloud-guard-signals resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | no extra | no extra | no extra |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | USE + CG_SIGNAL_CREATE | USE + | none |
The APIs covered for the cloud-guard-summary-event resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | no extra | no extra | no extra |
READ | no extra | no extra | no extra |
USE | no extra | no extra | no extra |
MANAGE | USE + CG_SUMMARY_EVENT_CREATE | USE + | none |
The APIs covered for the cloud-guard-targets resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_TARGET_INSPECT | | none |
READ | INSPECT + CG_TARGET_READ | INSPECT + | none |
USE | READ + CG_TARGET_UPDATE | READ + UpdateCloudGuardTarget | none |
MANAGE | USE + CG_TARGET_CREATE, CG_TARGET_DELETE | USE + | none |
The APIs covered for the cloud-guard-user-preferences resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_USER_PREFERENCE_INSPECT | | none |
READ | no extra | no extra | no extra |
USE | READ + CG_USER_PREFERENCE_UPDATE | READ + | none |
MANAGE | no extra | no extra | no extra |
The APIs covered for the cloud-guard-work-requests resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | CG_WORK_REQUEST_INSPECT | | none |
READ | INSPECT + CG_WORK_REQUEST_READ | INSPECT + | none |
USE | no extra | no extra | no extra |
MANAGE | USE + CG_WORK_REQUEST_DELETE | USE + | none |
API Operation | Permissions Required to Use the Operation |
---|---|
GetSecurityPolicy | SECURITY_RECIPE_READ |
The APIs covered for the security-recipe resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | SECURITY_RECIPE_INSPECT | ListSecurityRecipes | none |
read | | GetSecurityRecipe | none |
use | | UpdateSecurityRecipe | none |
manage | | | none |
The APIs covered for the security-zone resource-type are listed here. The APIs are displayed alphabetically for each permission.
Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | SECURITY_ZONE_INSPECT | ListSecurityZones | none |
read | | GetSecurityZone | none |
use | | | none |
manage | | | none |
Permissions Required for Each API Operation
Tables listing the API operations in a logical order, grouped by resource-type.
The resource-types are listed in Resource Types, in the "Individual Resource Types" column.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_ADHOC_QUERY_INSPECT |
 | CG_ADHOC_QUERY_READ |
 | CG_ADHOC_QUERY_READ |
 | CG_ADHOC_QUERY_READ |
 | CG_ADHOC_QUERY_CREATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_CONDITION_METADATA_TYPES_INSPECT |
 | CG_CONDITION_METADATA_TYPES_READ |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_CONFIG_INSPECT CG_CONFIG_READ |
 | CG_CONFIG_UPDATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_COVERAGE_INSPECT |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_DATA_MASK_RULE_CREATE |
 | CG_DATA_MASK_RULE_DELETE |
 | CG_DATA_MASK_RULE_READ |
 | CG_DATA_MASK_RULE_INSPECT |
 | CG_DATA_MASK_RULE_UPDATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_DATA_SOURCE_MOVE |
 | CG_DATA_SOURCE_CREATE |
 | CG_DATA_SOURCE_DELETE |
 | CG_CONFIG_READ |
 | CG_DATA_SOURCE_INSPECT |
 | CG_DATA_SOURCE_UPDATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_DETECTOR_INSPECT |
 | CG_DETECTOR_INSPECT |
 | CG_DETECTOR_READ |
 | CG_DETECTOR_READ |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_DETECTOR_RECIPE_INSPECT |
GetCloudGuardDetectorRecipe | CG_DETECTOR_RECIPE_READ |
 | CG_DETECTOR_RECIPE_CREATE |
 | CG_DETECTOR_RECIPE_UPDATE |
 | CG_DETECTOR_RECIPE_DELETE |
 | CG_DETECTOR_RECIPE_MOVE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_DETECTOR_RULE_DEFINITION_CREATE |
 | CG_DETECTOR_RULE_DEFINITION_DELETE |
 | CG_DETECTOR_RULE_DEFINITION_READ |
 | CG_DETECTOR_RULE_DEFINITION_INSPECT |
 | CG_DETECTOR_RULE_DEFINITION_UPDATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_FINDING_CREATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_MANAGED_LIST_INSPECT |
 | CG_MANAGED_LIST_INSPECT |
 | CG_MANAGED_LIST_READ |
 | CG_MANAGED_LIST_CREATE |
 | CG_MANAGED_LIST_UPDATE |
 | CG_MANAGED_LIST_DELETE |
 | CG_MANAGED_LIST_MOVE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_METADATA_INSPECT |
 | CG_METADATA_INSPECT |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_METADATASYNC_UPDATE |
 | CG_METADATASYNC_READ |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_PROBLEM_INSPECT |
 | CG_PROBLEM_INSPECT |
 | CG_PROBLEM_INSPECT |
 | CG_PROBLEM_READ |
 | CG_PROBLEM_READ |
 | CG_PROBLEM_READ |
 | CG_PROBLEM_READ |
 | CG_PROBLEM_UPDATE |
 | CG_PROBLEM_UPDATE |
 | CG_PROBLEM_UPDATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_RECOMMENDATION_INSPECT |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_RESOURCE_PROFILE_READ |
 | CG_RESOURCE_PROFILE_READ |
 | CG_RESOURCE_PROFILE_READ |
 | CG_RESOURCE_PROFILE_INSPECT |
 | CG_RESOURCE_PROFILE_READ |
 | CG_RESOURCE_PROFILE_READ |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_RESOURCE_TYPES_INSPECT |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_RESOURCE_VIEW_INSPECT |
 | CG_RESOURCE_VIEW_READ |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_RESPONDER_RECIPE_INSPECT |
 | CG_RESPONDER_RECIPE_INSPECT |
 | CG_RESPONDER_RECIPE_READ |
 | CG_RESPONDER_RECIPE_READ |
 | CG_RESPONDER_RECIPE_CREATE |
 | CG_RESPONDER_RECIPE_UPDATE |
 | CG_RESPONDER_RECIPE_UPDATE |
 | CG_RESPONDER_RECIPE_UPDATE |
 | CG_RESPONDER_RECIPE_DELETE |
 | CG_RESPONDER_RECIPE_MOVE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_RESPONDER_RULE_INSPECT |
 | CG_RESPONDER_RULE_READ |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_RESPONDER_EXECUTION_INSPECT |
 | CG_RESPONDER_EXECUTION_READ |
 | CG_RESPONDER_EXECUTION_READ |
 | CG_RESPONDER_EXECUTION_READ |
 | CG_RESPONDER_EXECUTION_UPDATE |
 | CG_RESPONDER_EXECUTION_UPDATE |
 | CG_RESPONDER_EXECUTION_UPDATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_RISK_SCORES_INSPECT |
 | CG_RISK_SCORES_INSPECT |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_SAVED_QUERY_MOVE |
 | CG_SAVED_QUERY_CREATE |
 | CG_SAVED_QUERY_DELETE |
 | CG_SAVED_QUERY_READ |
 | CG_SAVED_QUERY_INSPECT |
 | CG_SAVED_QUERY_INSPECT |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_SCHEMA_CREATE |
 | CG_SCHEMA_DELETE |
 | CG_SCHEMA_READ |
 | CG_SCHEMA_INSPECT |
 | CG_SCHEMA_UPDATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_SECURITY_SCORES_INSPECT |
 | CG_SECURITY_SCORES_INSPECT |
 | CG_SECURITY_SCORES_INSPECT |
 | CG_SECURITY_SCORES_INSPECT |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_SERVICE_LOGGING_CREATE |
 | CG_SERVICE_LOGGING_DELETE |
 | CG_SERVICE_LOGGING_READ |
 | CG_SERVICE_LOGGING_CREATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_SIGNAL_CREATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_SUMMARY_EVENT_CREATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_TARGET_INSPECT |
 | CG_TARGET_INSPECT |
 | CG_TARGET_INSPECT |
 | CG_TARGET_READ |
 | CG_TARGET_READ |
 | CG_TARGET_READ |
 | CG_TARGET_READ |
 | CG_TARGET_READ |
 | CG_TARGET_READ |
 | CG_TARGET_READ |
 | CG_TARGET_CREATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_UPDATE |
 | CG_TARGET_DELETE |
 | CG_TARGET_DELETE |
 | CG_TARGET_DELETE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_USER_PREFERENCE_INSPECT |
 | CG_USER_PREFERENCE_UPDATE |
API Operation | Permissions Required to Use the Operation |
---|---|
 | CG_WORK_REQUEST_DELETE |
 | CG_WORK_REQUEST_READ |
 | CG_WORK_REQUEST_READ |
 | CG_WORK_REQUEST_READ |
API Operation | Permissions Required to Use the Operation |
---|---|
GetSecurityPolicy | SECURITY_RECIPE_READ |
API Operation | Permissions Required to Use the Operation |
---|---|
ListSecurityRecipes | SECURITY_RECIPE_INSPECT |
GetSecurityRecipe | SECURITY_RECIPE_READ |
CreateSecurityRecipe | SECURITY_RECIPE_CREATE |
UpdateSecurityRecipe | SECURITY_RECIPE_UPDATE |
DeleteSecurityRecipe | SECURITY_RECIPE_DELETE |
API Operation | Permissions Required to Use the Operation |
---|---|
ListSecurityZones | SECURITY_ZONE_INSPECT |
GetSecurityZone | SECURITY_ZONE_READ |
CreateSecurityZone | SECURITY_ZONE_CREATE |
UpdateSecurityZone | SECURITY_ZONE_UPDATE |
DeleteSecurityZone | SECURITY_ZONE_DELETE |
AddCompartment | SECURITY_ZONE_ATTACH |
RemoveCompartment | SECURITY_ZONE_DETACH |
Creating a Policy
Steps to create a policy to support Cloud Guard REST API calls.
Here's how you create a policy:
For more information on creating policies, see how policies work and policy reference.
Policy Examples
Learn about Cloud Guard IAM policies using examples.
- Allow users in the group SecurityAdmins to create, update, and delete all Cloud Guard resources in the entire tenancy:
  Allow group SecurityAdmins to manage cloud-guard-family in tenancy
- Allow users in the group SecurityAdmins to create, update, and delete all security zones and recipes in the entire tenancy:
  Allow group SecurityAdmins to manage security-zone in tenancy
  Allow group SecurityAdmins to manage security-recipe in tenancy
- Allow users in the group SecurityAuditors to view the security zones and recipes in the compartment SecurityArtifacts:
  Allow group SecurityAuditors to read security-zone in compartment SecurityArtifacts
  Allow group SecurityAuditors to read security-recipe in compartment SecurityArtifacts
For more policy examples, see Policy Statements for Users.
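The following Python is an added example, not Oracle's code and not part of the page; it ties together the two rules explained earlier (the aggregate cloud-guard-family resource type standing for individual cloud-guard-* types, and the cumulative verb order inspect > read > use > manage) and applies them to the policy examples above. It parses policy statements, expands cloud-guard-family, computes which permissions a group ends up with in a compartment, and flags any state-changing permission held by a group that is meant to be read-only. Assumptions: only a subset of the page's permission tables is encoded (cloud-guard-targets, cloud-guard-problems, cloud-guard-detector-recipes, security-recipe, security-zone), so cloud-guard-family expands to that subset rather than the full family; compartment nesting is not modelled; and the verb under which the security-zone and security-recipe CREATE/DELETE/ATTACH/DETACH and UPDATE permissions fall is not stated on the page and is assigned here by analogy with the Cloud Guard tables.

```python
"""Evaluate OCI IAM policy statements against the Cloud Guard permission tables."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Permission names grouped by the lowest verb that grants them, taken from the
# tables on the page. Only a subset of the page's resource types is modelled.
PERMISSIONS: Dict[str, Dict[str, List[str]]] = {
    "cloud-guard-targets": {
        "inspect": ["CG_TARGET_INSPECT"], "read": ["CG_TARGET_READ"],
        "use": ["CG_TARGET_UPDATE"], "manage": ["CG_TARGET_CREATE", "CG_TARGET_DELETE"]},
    "cloud-guard-problems": {  # manage is "no extra" on the page
        "inspect": ["CG_PROBLEM_INSPECT"], "read": ["CG_PROBLEM_READ"],
        "use": ["CG_PROBLEM_UPDATE"], "manage": []},
    "cloud-guard-detector-recipes": {
        "inspect": ["CG_DETECTOR_RECIPE_INSPECT"], "read": ["CG_DETECTOR_RECIPE_READ"],
        "use": ["CG_DETECTOR_RECIPE_UPDATE"],
        "manage": ["CG_DETECTOR_RECIPE_CREATE", "CG_DETECTOR_RECIPE_DELETE"]},
    # Assumption: the page lists the security-recipe and security-zone CREATE/DELETE/
    # ATTACH/DETACH permissions without a verb; they are placed under manage here,
    # and security-zone UPDATE under use, by analogy with the cloud-guard-* types.
    "security-recipe": {
        "inspect": ["SECURITY_RECIPE_INSPECT"], "read": ["SECURITY_RECIPE_READ"],
        "use": ["SECURITY_RECIPE_UPDATE"],
        "manage": ["SECURITY_RECIPE_CREATE", "SECURITY_RECIPE_DELETE"]},
    "security-zone": {
        "inspect": ["SECURITY_ZONE_INSPECT"], "read": ["SECURITY_ZONE_READ"],
        "use": ["SECURITY_ZONE_UPDATE"],
        "manage": ["SECURITY_ZONE_CREATE", "SECURITY_ZONE_DELETE",
                   "SECURITY_ZONE_ATTACH", "SECURITY_ZONE_DETACH"]},
}

# cloud-guard-family stands for every individual cloud-guard-* type; here it
# expands only to the cloud-guard-* types modelled above.
AGGREGATES = {"cloud-guard-family": [t for t in PERMISSIONS if t.startswith("cloud-guard-")]}

STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:tenancy|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement applies tenancy-wide


def parse_statement(text: str) -> Statement:
    """Parse one 'Allow group G to VERB RESOURCE in tenancy|compartment C' line."""
    m = STATEMENT_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return Statement(m["group"], m["verb"].lower(), m["resource"].lower(), m["compartment"])


def permissions_for_verb(resource: str, verb: str) -> Set[str]:
    """Permissions one verb grants on one type; cumulative, so use includes read and inspect."""
    table = PERMISSIONS.get(resource, {})
    return {p for v, rank in VERB_RANK.items() if rank <= VERB_RANK[verb]
            for p in table.get(v, [])}


def permissions_for(statements: List[Statement], group: str, compartment: str) -> Set[str]:
    """Union of the permissions the statements grant `group` inside `compartment`."""
    granted: Set[str] = set()
    for s in statements:
        if s.group != group:
            continue
        if s.compartment is not None and s.compartment != compartment:
            continue  # simplification: compartment nesting is not modelled
        for resource in AGGREGATES.get(s.resource, [s.resource]):
            granted |= permissions_for_verb(resource, s.verb)
    return granted


def is_allowed(statements: List[Statement], group: str, permission: str, compartment: str) -> bool:
    """True if `group` holds `permission` in `compartment` under these statements."""
    return permission in permissions_for(statements, group, compartment)


WRITE_SUFFIXES = ("_CREATE", "_UPDATE", "_DELETE", "_MOVE", "_ATTACH", "_DETACH")


def write_permissions(statements: List[Statement], group: str, compartment: str) -> Set[str]:
    """State-changing permissions a group holds; empty for a read-only auditor group."""
    return {p for p in permissions_for(statements, group, compartment) if p.endswith(WRITE_SUFFIXES)}


# The policy examples from the page, used here as sample input.
PAGE_EXAMPLES = [
    "Allow group SecurityAdmins to manage cloud-guard-family in tenancy",
    "Allow group SecurityAdmins to manage security-zone in tenancy",
    "Allow group SecurityAdmins to manage security-recipe in tenancy",
    "Allow group SecurityAuditors to read security-zone in compartment SecurityArtifacts",
    "Allow group SecurityAuditors to read security-recipe in compartment SecurityArtifacts",
]
STATEMENTS = [parse_statement(line) for line in PAGE_EXAMPLES]
```

With the page's statements loaded, `permissions_for(STATEMENTS, "SecurityAuditors", "SecurityArtifacts")` yields only the four INSPECT and READ permissions for security-zone and security-recipe, and `write_permissions` for that group is empty, which is the least-privilege property an auditor policy should have; the same query for any other compartment is empty because the statements are compartment-scoped. `is_allowed(STATEMENTS, "SecurityAdmins", "CG_TARGET_DELETE", "Prod")` is true through the tenancy-wide manage on cloud-guard-family. Reviewing a proposed policy change this way, before it is applied, is a cheap check that a group is not silently gaining update or delete rights through an aggregate type or a higher verb.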