Cluster Placement Groups IAM Policies

Write IAM policies to control access to the Cluster Placement Groups service.

Resource-Types

  • cluster-placement-group
  • cluster-placement-groups

Supported Variables

Cluster Placement Groups supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.

  • target.cluster-placement-group.id (Entity (OCID)): Use this variable to control whether to allow operations against a specific cluster placement group in response to a request to read, update, delete, or move a cluster placement group, or to view information related to work requests for a cluster placement group.
  • target.cluster-placement-group.name (String): Use this variable to control whether to allow operations against a specific cluster placement group in response to a request to read, update, delete, or move a cluster placement group, or to view information related to work requests for a cluster placement group. This variable can't be used to control whether to allow operations against a specific cluster placement group in response to a request to create a resource in a specific cluster placement group.

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas "no extra" indicates no incremental access.

For example, the read verb for the cluster-placement-group resource-type includes the same permissions and API operations as the inspect verb, but also adds the GetClusterPlacementGroup API operation. Likewise, the manage verb for the cluster-placement-group resource-type grants more permissions than the use verb: it includes the same permissions and API operations as the use verb, plus the CLUSTER_PLACEMENT_GROUP_CREATE, CLUSTER_PLACEMENT_GROUP_UPDATE, CLUSTER_PLACEMENT_GROUP_DELETE, and CLUSTER_PLACEMENT_GROUP_MOVE permissions and several API operations (CreateClusterPlacementGroup, UpdateClusterPlacementGroup, DeleteClusterPlacementGroup, and ChangeClusterPlacementGroupCompartment).

cluster-placement-group

inspect
  Permissions: CLUSTER_PLACEMENT_GROUP_INSPECT
  APIs Fully Covered: ListClusterPlacementGroups
  APIs Partially Covered: none

read
  Permissions: INSPECT + CLUSTER_PLACEMENT_GROUP_READ
  APIs Fully Covered: INSPECT + GetClusterPlacementGroup
  APIs Partially Covered: none

use
  Permissions: READ + CLUSTER_PLACEMENT_GROUP_USE
  APIs Fully Covered: no extra
  APIs Partially Covered: none

manage
  Permissions: USE + CLUSTER_PLACEMENT_GROUP_CREATE, CLUSTER_PLACEMENT_GROUP_UPDATE, CLUSTER_PLACEMENT_GROUP_DELETE, CLUSTER_PLACEMENT_GROUP_MOVE
  APIs Fully Covered: USE + CreateClusterPlacementGroup, UpdateClusterPlacementGroup, ChangeClusterPlacementGroupCompartment, ActivateClusterPlacementGroup, DeactivateClusterPlacementGroup, DeleteClusterPlacementGroup (also needs permission to inspect all-resources)

Permissions Required for Each API Operation

The following table lists the API operations in a logical order.

For information about permissions, see Permissions.

  API Operation                             Permissions Required to Use the Operation
  ListClusterPlacementGroups                CLUSTER_PLACEMENT_GROUP_INSPECT
  GetClusterPlacementGroup                  CLUSTER_PLACEMENT_GROUP_READ
  CreateClusterPlacementGroup               CLUSTER_PLACEMENT_GROUP_CREATE
  UpdateClusterPlacementGroup               CLUSTER_PLACEMENT_GROUP_UPDATE
  DeleteClusterPlacementGroup               CLUSTER_PLACEMENT_GROUP_DELETE
  ChangeClusterPlacementGroupCompartment    CLUSTER_PLACEMENT_GROUP_MOVE
  DeactivateClusterPlacementGroup           CLUSTER_PLACEMENT_GROUP_UPDATE
  ActivateClusterPlacementGroup             CLUSTER_PLACEMENT_GROUP_UPDATE

Policy Examples

Cluster Placement Groups policy examples include the following:

  • Allow users in the group NetworkAdmins to create and update all Cluster Placement Groups resources in the entire tenancy:

    Allow group NetworkAdmins to manage cluster-placement-groups in tenancy
  • Allow users in the group ClusterPlacementGroupUsers to create resources in cluster placement groups in the entire tenancy:

    Allow group ClusterPlacementGroupUsers to use cluster-placement-groups in tenancy
  • Allow users in the group NetworkAdmins to list resources in cluster placement groups in the entire tenancy:

    Allow group NetworkAdmins to inspect all-resources in tenancy
  • Allow users in the group NetworkAdmins to delete all Cluster Placement Groups resources in the entire tenancy:

    Allow group NetworkAdmins to manage cluster-placement-groups in tenancy
    Allow group NetworkAdmins to inspect all-resources in tenancy
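To see how the cumulative verbs, the per-operation permissions, and the extra inspect all-resources requirement for delete combine, here is an added Python checker (example code, not OCI documentation or tooling) that expands the policy statements above into permissions and reports which API operations a group can actually call. It assumes only the tenancy-wide "Allow group ... in tenancy" statement shape used in these examples, and the INSPECT:all-resources pseudo-permission is this example's own modelling device, not an OCI permission name.

```python
import re
# Cumulative verb order: each verb includes everything the earlier ones grant.
VERB_ORDER = ["inspect", "read", "use", "manage"]

# Extra permissions each verb adds for cluster-placement-groups (Verb + Resource-Type table).
CPG_INCREMENTS = {
    "inspect": {"CLUSTER_PLACEMENT_GROUP_INSPECT"},
    "read": {"CLUSTER_PLACEMENT_GROUP_READ"},
    "use": {"CLUSTER_PLACEMENT_GROUP_USE"},
    "manage": {"CLUSTER_PLACEMENT_GROUP_CREATE", "CLUSTER_PLACEMENT_GROUP_UPDATE",
               "CLUSTER_PLACEMENT_GROUP_DELETE", "CLUSTER_PLACEMENT_GROUP_MOVE"},
}

# Permissions each API operation needs (Permissions Required table). Delete also needs
# inspect on all-resources, modelled here as the pseudo-permission INSPECT:all-resources.
API_REQUIREMENTS = {
    "ListClusterPlacementGroups": {"CLUSTER_PLACEMENT_GROUP_INSPECT"},
    "GetClusterPlacementGroup": {"CLUSTER_PLACEMENT_GROUP_READ"},
    "CreateClusterPlacementGroup": {"CLUSTER_PLACEMENT_GROUP_CREATE"},
    "UpdateClusterPlacementGroup": {"CLUSTER_PLACEMENT_GROUP_UPDATE"},
    "DeleteClusterPlacementGroup": {"CLUSTER_PLACEMENT_GROUP_DELETE", "INSPECT:all-resources"},
    "ChangeClusterPlacementGroupCompartment": {"CLUSTER_PLACEMENT_GROUP_MOVE"},
    "DeactivateClusterPlacementGroup": {"CLUSTER_PLACEMENT_GROUP_UPDATE"},
    "ActivateClusterPlacementGroup": {"CLUSTER_PLACEMENT_GROUP_UPDATE"},
}
# Only the tenancy-wide statement shape used in this page's examples is parsed (assumption).
STATEMENT = re.compile(r"^Allow group (\S+) to (inspect|read|use|manage) (\S+) in tenancy$")


def permissions_for(verb, resource):
    """Expand one statement into the permissions it grants, walking up the verb hierarchy."""
    granted = set()
    for level in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        if resource in ("cluster-placement-groups", "all-resources"):
            granted |= CPG_INCREMENTS[level]  # all-resources covers this service too
        if resource == "all-resources":
            granted.add(f"{level.upper()}:all-resources")
    return granted


def allowed_operations(statements, group):
    """Return the API operations `group` can call under these policy statements."""
    granted = set()
    for stmt in statements:
        m = STATEMENT.match(stmt.strip())
        if not m:
            raise ValueError(f"unsupported statement shape: {stmt!r}")
        who, verb, resource = m.groups()
        if who == group:
            granted |= permissions_for(verb, resource)
    return {api for api, needed in API_REQUIREMENTS.items() if needed <= granted}
```

Run against the fourth example above, the manage statement alone yields every operation except DeleteClusterPlacementGroup; adding the inspect all-resources statement completes the set.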

To create an instance or block volume in a cluster placement group, users require the following permissions for other Oracle Cloud Infrastructure resources:

  • Manage instances
  • Read instances
  • Read instance agent (Oracle Cloud Agent) plugins
  • Manage block volumes
  • Read block volumes
  • Inspect work requests
  • Use cluster placement groups

To learn more, see Details for the Core Services.