Cloud Guard Policies

To control who has access to Oracle Cloud Guard, and the type of access for each group of users, you must create policies.

By default only the users in the Administrators group have access to all Cloud Guard resources. For everyone else who's involved with Cloud Guard, you must create new policies that assign them proper rights to Cloud Guard resources.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Resource Types

Cloud Guard offers both aggregate and individual resource types for writing policies.

You can use aggregate resource types to write fewer policies. For example, instead of allowing a group to manage cloud-guard-detectors and cloud-guard-problems, you can have a policy that allows the group to manage the aggregate resource type, cloud-guard-family.

Aggregate Resource Type Individual Resource Types
cloud-guard-family

cloud-guard-adhoc-query

cloud-guard-condition-metadata-types

cloud-guard-config

cloud-guard-coverage

cloud-guard-data-mask-rules

cloud-guard-data-sources

cloud-guard-detector-recipes

cloud-guard-detector-rule-definitions

cloud-guard-detectors

cloud-guard-findings

cloud-guard-managed-lists

cloud-guard-metadata

cloud-guard-meta-data-sync

cloud-guard-problems

cloud-guard-recommendations

cloud-guard-resource-profile

cloud-guard-resource-types

cloud-guard-resource-view

cloud-guard-responder-recipes

cloud-guard-responder-rules

cloud-guard-responder-executions

cloud-guard-risk-scores

cloud-guard-saved-query

cloud-guard-schemas

cloud-guard-security-scores

cloud-guard-service-logging

cloud-guard-signals

cloud-guard-summary-event

cloud-guard-target-detector-rules

cloud-guard-targets

cloud-guard-user-preferences

security-policy

security-recipe

security-zone

The APIs covered for the aggregate cloud-guard-family resource type cover every API listed under "Individual Resource Types" in the preceding table.

For example,

allow group cloudguard-admins to manage cloud-guard-family in compartment <x>

...is the same as writing 20 policies with this format:

allow group cloudguard-admins to manage <resource_type> in compartment <x>

Details for Verbs + Resource-Type Combinations

Tables of permissions and API operations covered by each verb for Cloud Guard.

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access. For more information on permissions in Oracle Cloud Infrastructure, see Permissions.

cloud-guard-adhoc-query

The APIs covered for the cloud-guard-adhoc-query resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_ADHOC_QUERY_INSPECT

ListAdhocQueries

none

READ

INSPECT +

INSPECT +

none

CG_ADHOC_QUERY_READ

GetAdhocQuery

ListAdhocQueryResults

GetAdhocQueryResultContent

USE

READ +

READ +

none

CG_ADHOC_QUERY_CREATE

CreateAdhocQuery

MANAGE

no extra no extra
cloud-guard-condition-metadata-types

The APIs covered for the cloud-guard-condition-metadata-types resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_CONDITION_METADATA_TYPES_INSPECT

ListCloudGuardConditionMetadataType

none

READ

no extra

INSPECT+

INSPECT+

CG_CONDITION_METADATA_TYPES_READ

GetCloudGuardConditionMetadataType

USE

no extra no extra

MANAGE

no extra no extra
cloud-guard-config

The APIs covered for the cloud-guard-config resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_CONFIG_INSPECT

GetCloudGuard

none

READ

INSPECT +

INSPECT +

none

CG_CONFIG_READ

GetCloudGuard

none

USE

READ +

READ +

none

CG_CONFIG_UPDATE

UpdateCloudGuard

none

MANAGE

no extra no extra
cloud-guard-coverage

The APIs covered for the cloud-guard-coverage resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_COVERAGE_INSPECT

RequestSummarizedCoverage

none

READ

no extra

no extra

USE

no extra

no extra

MANAGE

no extra

no extra

cloud-guard-data-mask-rules

The APIs covered for the cloud-guard-data-mask-rules resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_DATA_MASK_RULE_INSPECT

ListDataMaskRules

none

READ

INSPECT +

INSPECT +

none

CG_DATA_MASK_RULE_READ

GetDataMaskRule

USE

READ +

READ +

none

CG_DATA_MASK_RULE_UPDATE

UpdateDataMaskRule

MANAGE

none

USE +

USE +

none

CG_DATA_MASK_RULE_CREATE

CreateDataMaskRule

CG_DATA_MASK_RULE_DELETE

DeleteDataMaskRule

cloud-guard-data-sources

The APIs covered for the cloud-guard-data-sources resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_DATA_SOURCE_INSPECT

ListDataSources

none

READ

INSPECT +

INSPECT +

none

CG_DATA_SOURCE_READ

GetDataSource

USE

READ +

READ +

none

CG_DATA_SOURCE_UPDATE

UpdateDataSource

MANAGE

none

USE +

USE +

none

CG_DATA_SOURCE_CREATE

CreateDataSource

CG_DATA_SOURCE_DELETE

DeleteDataSource

CG_DATA_SOURCE_MOVE

ChangeDataSourceCompartment

cloud-guard-detectors

The APIs covered for the cloud-guard-detectors resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_DETECTOR_INSPECT

ListCloudGuardDetectors

none

ListCloudGuardDetectorRules

READ

INSPECT +

INSPECT +

none

CG_DETECTOR_READ

GetCloudGuardDetector

GetCloudGuardDetectorRule

USE

no extra no extra

MANAGE

no extra no extra
cloud-guard-detector-recipes

The APIs covered for the cloud-guard-detector-recipes resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_DETECTOR_RECIPE_INSPECT

ListCloudGuardDetectorRecipe

none

ListCloudGuardDetectorRecipeDetectorRules

READ

INSPECT +

INSPECT +

none

CG_DETECTOR_RECIPE_READ

GetCloudGuardDetectorRecipe

GetCloudGuardDetectorRecipeDetectorRule

USE

READ +

READ +

none

CG_DETECTOR_RECIPE_UPDATE

UpdateCloudGuardDetectorRecipe

ChangeCloudGuardDetectorRecipeCompartment

UpdateCloudGuardDetectorRecipeDetectorRule

MANAGE

USE +

USE +

none

CG_DETECTOR_RECIPE_CREATE

CreateCloudGuardDetectorRecipe

CG_DETECTOR_RECIPE_DELETE

DeleteCloudGuardDetectorRecipe

cloud-guard-detector-rule-definitions

The APIs covered for the cloud-guard-detector-rule-definitions resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_DETECTOR_RULE_DEFINITION_INSPECT

ListDetectorRuleDefinitions

none

READ

INSPECT +

INSPECT +

none

CG_DETECTOR_RULE_DEFINITION_READ

GetDetectorRuleDefinition

USE

READ +

READ +

none

CG_DETECTOR_RULE_DEFINITION_UPDATE

UpdateDetectorRuleDefinition

MANAGE

USE +

USE +

none

CG_DETECTOR_RULE_DEFINITION_CREATE

CreateDetectorRuleDefinition

CG_DETECTOR_RULE_DEFINITION_DELETE

DeleteDetectorRuleDefinition

cloud-guard-findings

The APIs covered for the cloud-guard-findings resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

INSPECT

no extra no extra

READ

no extra no extra

USE

no extra no extra

MANAGE

CG_FINDING_CREATE

CreateCloudGuardFinding

none

cloud-guard-managed-lists

The APIs covered for the cloud-guard-managed-lists resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_MANAGED_LIST_INSPECT

ListCloudGuardManagedLists

none

ListCloudGuardManagedListTypes

READ

INSPECT +

INSPECT +

none

CG_MANAGED_LIST_READ

GetCloudGuardManagedList

USE

READ +

READ +

none

CG_MANAGED_LIST_UPDATE

UpdateCloudGuardManagedList

MANAGE

USE +

USE +

none

CG_MANAGED_LIST_CREATE

CreateCloudGuardManagedList

CG_MANAGED_LIST_DELETE

DeleteCloudGuardManagedList

CG_MANAGED_LIST_MOVE

ChangeManagedListCompartment

cloud-guard-metadata

The APIs covered for the cloud-guard-metadata resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_METADATA_INSPECT

ListTactics

none

ListTechniques

READ

no extra

no extra

USE

no extra

no extra

MANAGE

no extra

no extra

cloud-guard-meta-data-sync

The APIs covered for the cloud-guard-meta-data-sync resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

no extra no extra

none

none

none

READ

INSPECT +

INSPECT +

none

CG_METADATASYNC_READ

GetMetaDataSyncStatus

USE

READ +

READ +

none

CG_METADATASYNC_UPDATE

UpdateResourceSync

MANAGE

no extra no extra
cloud-guard-problems

The APIs covered for the cloud-guard-problems resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_PROBLEM_INSPECT

ListCloudGuardProblems

none

ListCloudGuardProblemHistories

ListCloudGuardResponderActivities

RequestCloudGuardSummarizedActivityProblems

READ

INSPECT +

INSPECT +

none

CG_PROBLEM_READ

GetCloudGuardProblem

RequestCloudGuardSummarizedProblems

RequestCloudGuardSummarizedTrendProblems

ListCloudGuardImpactedResources

USE

READ +

READ +

none

CG_PROBLEM_UPDATE

UpdateCloudGuardBulkProblemStatus

UpdateCloudGuardProblemStatus

TriggerCloudGuardResponder

MANAGE

no extra no extra
cloud-guard-recommendations
cloud-guard-resource-profile

The APIs covered for the cloud-guard-resource-profile resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_RESOURCE_PROFILE_INSPECT

ListResourceProfiles

none

READ

INSPECT +

INSPECT +

none

CG_RESOURCE_PROFILE_READ

GetResourceProfile

ListResourceProfileEndpoints

ListResourceProfileImpactedResources

RequestSummarizedTopTrendResourceRiskScores

RequestSummarizedTrendResourceRiskScores

USE

no extra

no extra

MANAGE

no extra

no extra

cloud-guard-resource-types

The APIs covered for the cloud-guard-cloud-guard-resource-types resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_RESOURCE_TYPES_INSPECT

ListCloudGuardResourceTypes

none

READ

no extra no extra

USE

no extra no extra

MANAGE

no extra no extra
cloud-guard-resource-view

The APIs covered for the cloud-guard-resource-view resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_RESOURCE_VIEW_INSPECT

ListResources

none

READ

INSPECT +

INSPECT +

none

CG_RESOURCE_VIEW_READ

GetResource

USE

no extra

no extra

MANAGE

no extra

no extra

cloud-guard-responder-recipes

The APIs covered for the cloud-guard-cloud-guard-responder-recipes resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_RESPONDER_RECIPE_INSPECT

ListCloudGuardResponderRecipe

none

ListCloudGuardResponderRecipeResponderRule

READ

INSPECT +

INSPECT +

none

CG_RESPONDER_RECIPE_READ

GetCloudGuardResponderRecipe

GetCloudGuardResponderRecipeResponderRule

USE

READ +

READ +

none

CG_RESPONDER_RECIPE_UPDATE

UpdateCloudGuardResponderRecipe

ChangeCloudGuardResponderRecipeCompartment

UpdateCloudGuardResponderRecipeResponderRule

MANAGE

USE +

USE +

none

CG_RESPONDER_RECIPE_CREATE

CreateCloudGuardResponderRecipe

CG_RESPONDER_RECIPE_DELETE

DeleteCloudGuardResponderRecipe

CG_RESPONDER_RECIPE_MOVE

ChangeResponderRecipeCompartment

cloud-guard-responder-executions

The APIs covered for the cloud-guard-responder-executions resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_RESPONDER_EXECUTION_INSPECT

ListCloudGuardResponderExecution

none

READ

INSPECT +

INSPECT +

none

CG_RESPONDER_EXECUTION_READ

GetCloudGuardResponderExecution

RequestCloudGuardSummarizedResponderExecutions

RequestCloudGuardSummarizedTrendResponderExecutions

USE

READ +

READ +

none

CG_RESPONDER_EXECUTION_UPDATE

ExecuteCloudGuardResponderExecution

MANAGE

no extra no extra
cloud-guard-risk-scores

The APIs covered for the cloud-guard-risk-scores resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_RISK_SCORES_INSPECT

RequestCloudGuardSummarizedRiskScores

none

RequestCloudGuardRiskScores

READ

no extra no extra

USE

no extra no extra

MANAGE

no extra no extra
cloud-guard-saved-query

The APIs covered for the cloud-guard-saved-query resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_SAVED_QUERY_INSPECT

ListSavedQueries

none

READ

INSPECT +

INSPECT +

none

CG_SAVED_QUERY_READ

GetSavedQuery

USE

READ +

READ +

none

CG_SAVED_QUERY_UPDATE

UpdateSavedQuery

MANAGE

USE +

USE +

none

CG_SAVED_QUERY_CREATE

CreateSavedQuery

CG_SAVED_QUERY_DELETE

DeleteSavedQuery

CG_SAVED_QUERY_MOVE

ChangeWlpSavedQueryCompartment

cloud-guard-schemas

The APIs covered for the cloud-guard-schemas resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_SCHEMA_INSPECT

ListSchemas

none

READ

INSPECT +

INSPECT +

none

CG_SCHEMA_READ

GetSchema

USE

READ +

READ +

none

CG_SCHEMA_UPDATE

UpdateSchema

MANAGE

USE +

USE +

none

CG_SCHEMA_CREATE

CreateSchema

CG_SCHEMA_DELETE

DeleteSchema

cloud-guard-security-scores

The APIs covered for the cloud-guard-security-scores resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_SECURITY_SCORES_INSPECT

RequestCloudGuardSummarizedSecurityScores

none

RequestCloudGuardSummarizedTrendSecurityScores

RequestCloudGuardSecurityScores

RequestSecurityScoreSummarizedTrend

READ

no extra no extra

USE

no extra no extra

MANAGE

no extra no extra
cloud-guard-service-logging

The APIs covered for the cloud-guard-service-logging resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

INSPECT

ListCloudGuardProblems

no extra

READ

INSPECT +

INSPECT +

none

CG_SERVICE_LOGGING_READ

GetServiceLogging

USE

READ +

READ +

none

CG_SERVICE_LOGGING_UPDATE

UpdateServiceLogging

MANAGE

USE +

USE +

none

CG_SERVICE_LOGGING_CREATE

CreateServiceLogging

CG_SERVICE_LOGGING_DELETE

DeleteServiceLogging

cloud-guard-signals

The APIs covered for the cloud-guard-signals resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

no extra no extra

READ

no extra no extra

USE

no extra no extra

MANAGE

USE +

USE +

none

CG_SIGNAL_CREATE

CreateCloudGuardSignal

cloud-guard-summary-event

The APIs covered for the cloud-guard-summary-event resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

no extra no extra

READ

no extra no extra

USE

no extra no extra

MANAGE

USE +

USE +

none

CG_SUMMARY_EVENT_CREATE

AddSummaryEvent

cloud-guard-targets

The APIs covered for the cloud-guard-targets resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_TARGET_INSPECT

ListCloudGuardTargets

none

ListCloudGuardTargetDetectorRecipes

ListCloudGuardTargetDetectorRecipeDetectorRules

READ

INSPECT +

INSPECT +

none

CG_TARGET_READ

GetCloudGuardTarget

ListCloudGuardTargetResponderRecipes

GetCloudGuardTargetResponderRecipe

ListCloudGuardTargetResponderRecipeResponderRules

GetCloudGuardTargetResponderRecipeResponderRule

GetCloudGuardTargetDetectorRecipe

GetCloudGuardTargetDetectorRecipeDetectorRule

USE

READ +

READ +

none

CG_TARGET_UPDATE

UpdateCloudGuardTarget

UpdateCloudGuardTargetDetectorRule

CreateCloudGuardTargetResponderRecipe

ChangeCloudGuardTargetResponderRecipeCompartment

UpdateCloudGuardTargetResponderRecipe

UpdateCloudGuardTargetResponderRecipeResponderRule

CreateCloudGuardTargetDetectorRecipe

ChangeCloudGuardTargetDetectorRecipeCompartment

UpdateCloudGuardTargetDetectorRecipe

MANAGE

USE +

USE +

none

CG_TARGET_CREATE

CreateCloudGuardTarget

CG_TARGET_DELETE

DeleteCloudGuardTarget

DeleteCloudGuardTargetResponderRecipe

DeleteCloudGuardTargetDetectorRecipe

cloud-guard-user-preferences

The APIs covered for the cloud-guard-user-preferences resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_USER_PREFERENCE_INSPECT

GetCloudGuardUserPreference

none

READ

no extra no extra

USE

READ +

READ +

none

USE +

USE +

none

CG_USER_PREFERENCE_UPDATE

ReplaceCloudGuardUserPreference

MANAGE

no extra no extra
cloud-guard-work-requests

The APIs covered for the cloud-guard-work-requests resource-type are listed here. The APIs are displayed alphabetically for each permission.

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT

CG_WORK_REQUEST_INSPECT

LListWorkRequests

none

READ

INSPECT +

INSPECT +

none

CG_WORK_REQUEST_READ

GetWorkRequest

ListWorkRequestErrors

ListWorkRequestLogs

USE

no extra

no extra

MANAGE

USE +

USE +

none

CG_WORK_REQUEST_DELETE

CancelWorkRequest

security-policy

API Operation

Permissions Required to Use the Operation

GetSecurityPolicy SECURITY_RECIPE_READ
security-recipe

The APIs covered for the security-recipe resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb Permissions APIs Fully Covered APIs Partially Covered
inspect SECURITY_RECIPE_INSPECT ListSecurityRecipes none
read

inspect+

SECURITY_RECIPE_READ

GetSecurityRecipe none
use

read+

SECURITY_RECIPE_UPDATE

UpdateSecurityRecipe none
manage

use+

SECURITY_RECIPE_CREATE

SECURITY_RECIPE_DELETE

CreateSecurityRecipe

DeleteSecurityRecipe

none
security-zone

The APIs covered for the security-zone resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb Permissions APIs Fully Covered APIs Partially Covered
inspect SECURITY_ZONE_INSPECT ListSecurityZones none
read

inspect+

SECURITY_ZONE_READ

GetSecurityZone none
use

read+

SECURITY_ZONE_ATTACH

SECURITY_ZONE_DETACH

SECURITY_ZONE_UPDATE

AddCompartment

RemoveCompartment

UpdateSecurityZone

none
manage

use+

SECURITY_ZONE_CREATE

SECURITY_ZONE_DELETE

CreateSecurityZone

DeleteSecurityZone

none

Permissions Required for Each API Operation

Tables listing the API operations in a logical order, grouped by resource-type.

The resource-types are listed in Resource Types, in the "Individual Resource-Types "column.

For information about permissions, see permissions.

cloud-guard-adhoc-query

API Operation

Permissions Required to Use the Operation

ListAdhocQueries

CG_ADHOC_QUERY_INSPECT

GetAdhocQuery

CG_ADHOC_QUERY_READ

ListAdhocQueryResults

CG_ADHOC_QUERY_READ

GetAdhocQueryResultContent

CG_ADHOC_QUERY_READ

CreateAdhocQuery

CG_ADHOC_QUERY_CREATE

cloud-guard-condition-metadata-types

API Operation

Permissions Required to Use the Operation

ListCloudGuardConditionMetadataType

CG_CONDITION_METADATA_TYPES_INSPECT

GetCloudGuardConditionMetadataType

CG_CONDITION_METADATA_TYPES_READ

cloud-guard-config

API Operation

Permissions Required to Use the Operation

GetCloudGuard

CG_CONFIG_INSPECT

CG_CONFIG_READ

UpdateCloudGuard

CG_CONFIG_UPDATE

cloud-guard-coverage

API Operation

Permissions Required to Use the Operation

RequestSummarizedCoverage

CG_COVERAGE_INSPECT

cloud-guard-data-mask-rules

API Operation

Permissions Required to Use the Operation

CreateDataMaskRule

CG_DATA_MASK_RULE_CREATE

DeleteDataMaskRule

CG_DATA_MASK_RULE_DELETE

GetDataMaskRule

CG_DATA_MASK_RULE_READ

ListDataMaskRules

CG_DATA_MASK_RULE_INSPECT

UpdateDataMaskRule

CG_DATA_MASK_RULE_UPDATE

cloud-guard-data-sources

API Operation

Permissions Required to Use the Operation

ChangeDataSourceCompartment

CG_DATA_SOURCE_MOVE

CreateDataSource

CG_DATA_SOURCE_CREATE

DeleteDataSource

CG_DATA_SOURCE_DELETE

GetDataSource

CG_CONFIG_READ

ListDataSources

CG_DATA_SOURCE_INSPECT

UpdateDataSource

CG_DATA_SOURCE_UPDATE

cloud-guard-detectors

API Operation

Permissions Required to Use the Operation

ListCloudGuardDetectors

CG_DETECTOR_INSPECT

ListCloudGuardDetectorRules

CG_DETECTOR_INSPECT

GetCloudGuardDetector

CG_DETECTOR_READ

GetCloudGuardDetectorRule

CG_DETECTOR_READ

cloud-guard-detector-recipes

API Operation

Permissions Required to Use the Operation

ListCloudGuardDetectorRecipe

CG_DETECTOR_RECIPE_INSPECT

GetCloudGuardDetectorRecipe

CG_DETECTOR_RECIPE_READ

CreateCloudGuardDetectorRecipe

CG_DETECTOR_RECIPE_CREATE

UpdateCloudGuardDetectorRecipe

CG_DETECTOR_RECIPE_UPDATE

DeleteCloudGuardDetectorRecipe

CG_DETECTOR_RECIPE_DELETE

ChangeDetectorRecipeCompartment

CG_DETECTOR_RECIPE_MOVE

cloud-guard-detector-rule-definitions

API Operation

Permissions Required to Use the Operation

CreateDetectorRuleDefinition

CG_DETECTOR_RULE_DEFINITION_CREATE

DeleteDetectorRuleDefinition

CG_DETECTOR_RULE_DEFINITION_DELETE

GetDetectorRuleDefinition

CG_DETECTOR_RULE_DEFINITION_READ

ListDetectorRuleDefinitions

CG_DETECTOR_RULE_DEFINITION_INSPECT

UpdateDetectorRuleDefinition

CG_DETECTOR_RULE_DEFINITION_UPDATE

cloud-guard-findings

API Operation

Permissions Required to Use the Operation

CreateCloudGuardFinding

CG_FINDING_CREATE

cloud-guard-managed-lists

API Operation

Permissions Required to Use the Operation

ListCloudGuardManagedLists

CG_MANAGED_LIST_INSPECT

ListCloudGuardManagedListTypes

CG_MANAGED_LIST_INSPECT

GetCloudGuardManagedList

CG_MANAGED_LIST_READ

CreateCloudGuardManagedList

CG_MANAGED_LIST_CREATE

UpdateCloudGuardManagedList

CG_MANAGED_LIST_UPDATE

DeleteCloudGuardManagedList

CG_MANAGED_LIST_DELETE

ChangeManagedListCompartment

CG_MANAGED_LIST_MOVE

cloud-guard-metadata

API Operation

Permissions Required to Use the Operation

ListTactics

CG_METADATA_INSPECT

ListTechniques

CG_METADATA_INSPECT

cloud-guard-meta-data-sync

API Operation

Permissions Required to Use the Operation

UpdateResourceSync

CG_METADATASYNC_UPDATE

GetMetaDataSyncStatus

CG_METADATASYNC_READ

cloud-guard-problems

API Operation

Permissions Required to Use the Operation

ListCloudGuardProblems

CG_PROBLEM_INSPECT

ListCloudGuardProblemHistories

CG_PROBLEM_INSPECT

ListCloudGuardResponderActivities

CG_PROBLEM_INSPECT

GetCloudGuardProblem

CG_PROBLEM_READ

RequestCloudGuardSummarizedProblems

CG_PROBLEM_READ

RequestCloudGuardSummarizedTrendProblems

CG_PROBLEM_READ

ListCloudGuardImpactedResources

CG_PROBLEM_READ

UpdateCloudGuardBulkProblemStatus

CG_PROBLEM_UPDATE

UpdateCloudGuardProblemStatus

CG_PROBLEM_UPDATE

TriggerCloudGuardResponder

CG_PROBLEM_UPDATE

cloud-guard-recommendations

API Operation

Permissions Required to Use the Operation

ListCloudGuardRecommendations

CG_RECOMMENDATION_INSPECT

cloud-guard-resource-profile

API Operation

Permissions Required to Use the Operation

GetResourceProfile

CG_RESOURCE_PROFILE_READ

ListResourceProfileEndpoints

CG_RESOURCE_PROFILE_READ

ListResourceProfileImpactedResources

CG_RESOURCE_PROFILE_READ

ListResourceProfiles

CG_RESOURCE_PROFILE_INSPECT

RequestSummarizedTopTrendResourceRiskScores

CG_RESOURCE_PROFILE_READ

RequestSummarizedTrendResourceRiskScores

CG_RESOURCE_PROFILE_READ

cloud-guard-resource-types

API Operation

Permissions Required to Use the Operation

ListCloudGuardResourceTypes

CG_RESOURCE_TYPES_INSPECT

cloud-guard-resource-view

API Operation

Permissions Required to Use the Operation

ListResources

CG_RESOURCE_VIEW_INSPECT

GetResource

CG_RESOURCE_VIEW_READ

cloud-guard-responder-recipes

API Operation

Permissions Required to Use the Operation

ListCloudGuardResponderRecipe

CG_RESPONDER_RECIPE_INSPECT

ListCloudGuardResponderRecipeResponderRule

CG_RESPONDER_RECIPE_INSPECT

GetCloudGuardResponderRecipe

CG_RESPONDER_RECIPE_READ

GetCloudGuardResponderRecipeResponderRule

CG_RESPONDER_RECIPE_READ

CreateCloudGuardResponderRecipe

CG_RESPONDER_RECIPE_CREATE

UpdateCloudGuardResponderRecipe

CG_RESPONDER_RECIPE_UPDATE

ChangeCloudGuardResponderRecipeCompartment

CG_RESPONDER_RECIPE_UPDATE

UpdateCloudGuardResponderRecipeResponderRule

CG_RESPONDER_RECIPE_UPDATE

DeleteCloudGuardResponderRecipe

CG_RESPONDER_RECIPE_DELETE

ChangeResponderRecipeCompartment

CG_RESPONDER_RECIPE_MOVE

cloud-guard-responder-rules

API Operation

Permissions Required to Use the Operation

ListCloudGuardResponderRules

CG_RESPONDER_RULE_INSPECT

GetCloudGuardResponderRule

CG_RESPONDER_RULE_READ

cloud-guard-responder-executions

API Operation

Permissions Required to Use the Operation

ListCloudGuardResponderExecution

CG_RESPONDER_EXECUTION_INSPECT

GetCloudGuardResponderExecution

CG_RESPONDER_EXECUTION_READ

RequestCloudGuardSummarizedResponderExecutions

CG_RESPONDER_EXECUTION_READ

RequestCloudGuardSummarizedTrendResponderExecutions

CG_RESPONDER_EXECUTION_READ

ExecuteCloudGuardResponderExecution

CG_RESPONDER_EXECUTION_UPDATE

SkipCloudGuardBulkResponderExecution

CG_RESPONDER_EXECUTION_UPDATE

SkipCloudGuardResponderExecution

CG_RESPONDER_EXECUTION_UPDATE

cloud-guard-risk-scores

API Operation

Permissions Required to Use the Operation

RequestCloudGuardSummarizedRiskScores

CG_RISK_SCORES_INSPECT

RequestCloudGuardRiskScores

CG_RISK_SCORES_INSPECT

cloud-guard-saved-query

API Operation

Permissions Required to Use the Operation

ChangeSavedQueryCompartment

CG_SAVED_QUERY_MOVE

CreateSavedQuery

CG_SAVED_QUERY_CREATE

DeleteSavedQuery

CG_SAVED_QUERY_DELETE

GetSavedQuery

CG_SAVED_QUERY_READ

ListSavedQueries

CG_SAVED_QUERY_INSPECT

UpdateSavedQuery

CG_SAVED_QUERY_INSPECT

cloud-guard-schemas

API Operation

Permissions Required to Use the Operation

CreateSchema

CG_SCHEMA_CREATE

DeleteSchema

CG_SCHEMA_DELETE

GetSchema

CG_SCHEMA_READ

ListSchemas

CG_SCHEMA_INSPECT

UpdateSchema

CG_SCHEMA_UPDATE

cloud-guard-security-scores

API Operation

Permissions Required to Use the Operation

RequestCloudGuardSummarizedSecurityScores

CG_SECURITY_SCORES_INSPECT

RequestCloudGuardSummarizedTrendSecurityScores

CG_SECURITY_SCORES_INSPECT

RequestCloudGuardSecurityScores

CG_SECURITY_SCORES_INSPECT

RequestSecurityScoreSummarizedTrend

CG_SECURITY_SCORES_INSPECT

cloud-guard-service-logging

API Operation

Permissions Required to Use the Operation

CreateServiceLogging

CG_SERVICE_LOGGING_CREATE

DeleteServiceLogging

CG_SERVICE_LOGGING_DELETE

GetServiceLogging

CG_SERVICE_LOGGING_READ

UpdateCloudGuard

CG_SERVICE_LOGGING_CREATE

cloud-guard-signals

API Operation

Permissions Required to Use the Operation

CreateCloudGuardSignal

CG_SIGNAL_CREATE

cloud-guard-summary-event

API Operation

Permissions Required to Use the Operation

AddSummaryEvent

CG_SUMMARY_EVENT_CREATE

cloud-guard-targets

API Operation

Permissions Required to Use the Operation

ListCloudGuardTargets

CG_TARGET_INSPECT

ListCloudGuardTargetDetectorRecipes

CG_TARGET_INSPECT

ListCloudGuardTargetDetectorRecipeDetectorRules

CG_TARGET_INSPECT

GetCloudGuardTarget

CG_TARGET_READ

ListCloudGuardTargetResponderRecipes

CG_TARGET_READ

GetCloudGuardTargetResponderRecipe

CG_TARGET_READ

ListCloudGuardTargetResponderRecipeResponderRules

CG_TARGET_READ

GetCloudGuardTargetResponderRecipeResponderRule

CG_TARGET_READ

GetCloudGuardTargetDetectorRecipe

CG_TARGET_READ

GetCloudGuardTargetDetectorRecipeDetectorRule

CG_TARGET_READ

CreateCloudGuardTarget

CG_TARGET_CREATE

UpdateCloudGuardTarget

CG_TARGET_UPDATE

UpdateCloudGuardTargetDetectorRule

CG_TARGET_UPDATE

CreateCloudGuardTargetResponderRecipe

CG_TARGET_UPDATE

ChangeCloudGuardTargetResponderRecipeCompartment

CG_TARGET_UPDATE

UpdateCloudGuardTargetResponderRecipe

CG_TARGET_UPDATE

UpdateCloudGuardTargetResponderRecipeResponderRule

CG_TARGET_UPDATE

CreateCloudGuardTargetDetectorRecipe

CG_TARGET_UPDATE

ChangeCloudGuardTargetDetectorRecipeCompartment

CG_TARGET_UPDATE

UpdateCloudGuardTargetDetectorRecipe

CG_TARGET_UPDATE

UpdateCloudGuardTargetDetectorRecipeDetectorRule

CG_TARGET_UPDATE

DeleteCloudGuardTarget

CG_TARGET_DELETE

DeleteCloudGuardTargetResponderRecipe

CG_TARGET_DELETE

DeleteCloudGuardTargetDetectorRecipe

CG_TARGET_DELETE

cloud-guard-user-preferences

API Operation

Permissions Required to Use the Operation

GetCloudGuardUserPreference

CG_USER_PREFERENCE_INSPECT

ReplaceCloudGuardUserPreference

CG_USER_PREFERENCE_UPDATE

cloud-guard-work-requests

API Operation

Permissions Required to Use the Operation

CancelWorkRequest

CG_WORK_REQUEST_DELETE

GetWorkRequest

CG_WORK_REQUEST_READ

ListWorkRequestErrors

CG_WORK_REQUEST_READ

ListWorkRequestLogs

CG_WORK_REQUEST_READ

security-policy

API Operation

Permissions Required to Use the Operation

GetSecurityPolicy SECURITY_RECIPE_READ
security-recipe

API Operation

Permissions Required to Use the Operation

ListSecurityRecipes SECURITY_RECIPE_INSPECT
GetSecurityRecipe SECURITY_RECIPE_READ
CreateSecurityRecipe SECURITY_RECIPE_CREATE
UpdateSecurityRecipe SECURITY_RECIPE_UPDATE
DeleteSecurityRecipe SECURITY_RECIPE_DELETE
security-zone

API Operation

Permissions Required to Use the Operation

ListSecurityZones SECURITY_ZONE_INSPECT
GetSecurityZone SECURITY_ZONE_READ
CreateSecurityZone SECURITY_ZONE_CREATE
UpdateSecurityZone SECURITY_ZONE_UPDATE
DeleteSecurityZone SECURITY_ZONE_DELETE
AddCompartment SECURITY_ZONE_ATTACH
RemoveCompartment SECURITY_ZONE_DETACH

Creating a Policy

Steps to create a policy to support Cloud Guard REST API calls.

Here's how you create a policy:

  1. Open the Console navigation menu and select Identity & Security, then click Identity, then click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
    Avoid entering confidential information.
  4. In the Statement field, enter a policy rule in the following format:

    allow service cloudguard to <verb> <resource_type> in <compartment or tenancy details>

  5. Click Create.

For more information on creating policies, see how policies work and policy reference.

Policy Examples

Learn about Cloud Guard IAM policies using examples.

  • Allow users in the group SecurityAdmins to create, update, and delete all Cloud Guard resources in the entire tenancy:

    Allow group SecurityAdmins to manage cloud-guard-family in tenancy
  • Allow users in the group SecurityAdmins to create, update, and delete all security zones and recipes in the entire tenancy:

    Allow group SecurityAdmins to manage security-zone in tenancy
    Allow group SecurityAdmins to manage security-recipe in tenancy
  • Allow users in the group SecurityAuditors to view the security zones and recipes in the compartment SecurityArtifacts:

    Allow group SecurityAuditors to read security-zone in compartment SecurityArtifacts
    Allow group SecurityAuditors to read security-recipe in compartment SecurityArtifacts

For more policy examples, see Policy Statements for Users.