TheKoguryo's Tech Blog

 Version 2024.04.01

Warning

This content has been generated by machine translation. The translations are automated and have not undergone human review or validation.

6.5 Getting the Policy Concept

IAM Policy

An IAM policy is an access policy for OCI resources. A policy can generally be thought of as a statement that grants a user group a certain permission on a specific type of resource belonging to a specific compartment.

Policy syntax

All policies have the following syntax.

Allow <subject> to <verb> <resource-type> in <location> where <conditions>

For detailed syntax, please refer to OCI Documentation.
https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm

Policy General Format

Permissions on resources are defined only through policies like the one below. When a tenancy is created, the administrator is granted all permissions; ordinary users and groups to which no policy applies have no permissions at all. Only the permissions explicitly granted by a policy are available.

A commonly used policy grants a user group read, write, or full privileges on a specific resource type within a compartment, in the format shown below.

Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>

Some policies are defined to apply to the entire tenancy rather than to a compartment.

Allow group <group_name> to <verb> <resource-type> in tenancy

Subjects

The subject is usually a group; a specific user cannot be named. any-user can be specified to cover all users.

See also: https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm#one

Verbs

Verb    | Description                                                                                                      | Target users
inspect | Permission to list (query) resources, excluding user-defined metadata and security information                   | Third-party users who require query access
read    | Includes inspect, plus permission to view user-defined metadata                                                  | Internal users who require query access
use     | Includes read, plus permission to use the resource. Does not include permission to create or delete resources.   | General users
        | In general it also includes update permission, but not update operations that are equivalent to creation.        |
manage  | Full access to the resource                                                                                      | Administrators

See: https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm#Verbs

Resource-Type

The resource-type names the resource the policy applies to. It can refer to one individual resource type, to a family that groups related resource types, or to all resources.

  • individual resource-type : e.g. vcns, subnets, instances, volumes, etc.
  • family resource-type : e.g. virtual-network-family, instance-family, volume-family, etc.
  • all-resources : all resources in the compartment or tenancy

See also: https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm#Resource

Locations

Usually you specify either a compartment or the tenancy.

See: https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm#four

Conditions

Additional detailed conditions can be specified.

See also: https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm#five

Hierarchical Compartment

If compartments are nested in multiple layers, a policy given to a parent compartment is inherited by its child compartments.

Example Policy

Example policy that grants user management rights to a specific group at the tenancy level

Allow group HelpDesk to manage users in tenancy

Example policy that gives an administrator group management of all resources within a compartment

Allow group A-Admins to manage all-resources in compartment Project-A

Example policy that gives a partial-administrator group management of only specific resource families within a compartment

Allow group A-Admins to manage instance-family in compartment Project-A
Allow group A-Admins to manage volume-family in compartment Project-A
Allow group A-Admins to use virtual-network-family in compartment Networks
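The verb table, the hierarchical-compartment rule and the example statements above can be checked mechanically. The following Python is an added example written for this page, not code from the blog or from Oracle: it parses statements in the page's syntax, answers "does group G hold at least verb V on resource R in this compartment path?" using the verb ordering (manage > use > read > inspect) and parent-to-child inheritance, and flags unusually broad grants so a reviewer can spot them. The FAMILY_OF mapping is deliberately partial (only the families named on this page), the Auditors statement in the sample set is constructed, and statements carrying a where clause are treated as not matching because conditions are not evaluated here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Verb hierarchy from the Verbs table: each verb includes everything below it
# (manage > use > read > inspect).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Partial mapping of individual resource-types to their family. Assumption: only
# the families named on this page are covered; a real tool would load the full list.
FAMILY_OF = {
    "vcns": "virtual-network-family",
    "subnets": "virtual-network-family",
    "instances": "instance-family",
    "volumes": "volume-family",
}

# Grammar from the page:
#   Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>group\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<conditions>.+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    subject: str                 # "group <name>" or "any-user"
    verb: str                    # inspect | read | use | manage
    resource: str                # e.g. "instances", "instance-family", "all-resources"
    compartment: Optional[str]   # None means the statement applies to the whole tenancy
    conditions: Optional[str]    # raw text after "where", if any


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raise ValueError if it does not fit the grammar."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    subj_parts = m.group("subject").split()
    subject = "any-user" if len(subj_parts) == 1 else f"group {subj_parts[1]}"
    loc_parts = m.group("location").split()
    compartment = None if loc_parts[0].lower() == "tenancy" else loc_parts[1]
    return Statement(subject, m.group("verb").lower(), m.group("resource").lower(),
                     compartment, m.group("conditions"))


def covers_resource(granted: str, requested: str) -> bool:
    """all-resources covers everything; a family covers its member resource-types."""
    return (granted == "all-resources" or granted == requested
            or FAMILY_OF.get(requested) == granted)


def covers_location(stmt_compartment: Optional[str], path: List[str]) -> bool:
    """A tenancy-level statement applies everywhere. A compartment-level statement
    applies to that compartment and, by inheritance, to every compartment below it.
    `path` lists compartment names from the top-level compartment down to the target."""
    return stmt_compartment is None or stmt_compartment in path


def is_allowed(policies: List[Statement], group: str, verb: str,
               resource: str, path: List[str]) -> bool:
    """True if some statement grants `group` at least `verb` on `resource` in `path`.
    Statements with a where clause are skipped (conservative: conditions not evaluated)."""
    needed = VERB_RANK[verb]
    for s in policies:
        if s.subject not in ("any-user", f"group {group}") or s.conditions is not None:
            continue
        if (VERB_RANK[s.verb] >= needed and covers_resource(s.resource, resource)
                and covers_location(s.compartment, path)):
            return True
    return False


def find_broad_grants(policies: List[Statement]) -> List[Statement]:
    """Statements worth a second look: manage all-resources in tenancy, or any-user."""
    return [s for s in policies
            if (s.verb == "manage" and s.resource == "all-resources" and s.compartment is None)
            or s.subject == "any-user"]


# Constructed sample: the page's example statements plus one read-only audit group.
SAMPLE_POLICIES = [parse_statement(t) for t in [
    "Allow group HelpDesk to manage users in tenancy",
    "Allow group A-Admins to manage instance-family in compartment Project-A",
    "Allow group A-Admins to manage volume-family in compartment Project-A",
    "Allow group A-Admins to use virtual-network-family in compartment Networks",
    "Allow group Auditors to inspect all-resources in tenancy",   # constructed
]]

if __name__ == "__main__":
    # manage includes read; Dev inherits Project-A's policy; Networks grants use, not manage
    print(is_allowed(SAMPLE_POLICIES, "A-Admins", "read", "instances", ["Project-A"]))
    print(is_allowed(SAMPLE_POLICIES, "A-Admins", "manage", "volumes", ["Project-A", "Dev"]))
    print(is_allowed(SAMPLE_POLICIES, "A-Admins", "manage", "subnets", ["Networks"]))
    print(find_broad_grants(SAMPLE_POLICIES))
```

The path argument models the compartment hierarchy: asking about ["Project-A", "Dev"] returns True for A-Admins because the Project-A statement is inherited by the child compartment Dev, exactly the behaviour described under Hierarchical Compartment. Feeding an exported policy set through find_broad_grants is a quick way to list tenancy-wide full-access grants before a review.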

Examples of commonly used policies

Common policies that can be used in general are provided in the documentation (Common Policies). Please refer to it when creating a policy.
https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/commonpolicies.htm

This article was written by an individual in my personal time. There may be errors in the content of the article, and the opinions in the article are my personal opinions.

Last updated on 18 Jan 2019