You're viewing OCI IAM documentation for new tenancies in regions that have been updated to use identity domains.

Updated 2024-06-06

Details for IAM with Identity Domains

This topic covers details for writing policies to control access to IAM (for tenancies that have identity domains).

Resource-Types

authentication-policies

compartments

credentials

domains

dynamic-groups

groups

iamworkrequest

identity-providers

network-sources

policies

tag-defaults

tag-namespaces

tenancies

users

workrequest

Supported Variables

IAM supports all the general variables (see General Variables for All Requests), plus additional ones listed here:

| Operations for This Resource-Type... | Can Use These Variables... | Variable Type | Comments |
|---|---|---|---|
| users | target.user.id | Entity (OCID) | Not available to use with CreateUser or ListUsers. |
| users | target.user.name | String | Not available to use with ListUsers. |
| users | target.resource.domain.id | Entity (OCID) | |
| users | target.resource.domain.name | String | |
| groups | target.group.id | Entity (OCID) | Not available to use with CreateGroup or ListGroups. |
| groups | target.group.name | String | Not available to use with ListGroups. |
| groups | target.group.member | Boolean | True if request.user is a member of target.group. False if the service is creating the target.group. Not available to use with ListGroups. |
| groups | target.resource.domain.id | Entity (OCID) | |
| groups | target.resource.domain.name | String | |
| dynamic-groups | target.dynamicgroup.id | Entity (OCID) | Not available to use with CreateDynamicGroup or ListDynamicGroups. |
| dynamic-groups | target.dynamicgroup.name | String | Not available to use with CreateDynamicGroup or ListDynamicGroups. |
| dynamic-groups | target.resource.domain.id | Entity (OCID) | |
| dynamic-groups | target.resource.domain.name | String | |
| policies | target.policy.id | Entity (OCID) | Not available to use with CreatePolicy or ListPolicies. |
| policies | target.policy.name | String | Not available to use with ListPolicies. |
| policies | target.policy.autoupdate | Boolean | Not available to use with ListPolicies. |
| compartments | target.compartment.id | Entity (OCID) | This is a universal variable available to use with any request across all services (see General Variables for All Requests), except it's not available to use with ListCompartments. For CreateCompartment, this will be the value of the parent compartment (for example, the root compartment). |
| compartments | target.compartment.name | String | This is a universal variable available to use with any request across all services (see General Variables for All Requests), except it's not available to use with ListCompartments. |
| credentials | target.credential.type | String | For example, "smtp", "swift", "secretkey". |
| credentials | target.user.id | Entity (OCID) | |
| credentials | target.user.name | String | |
| credentials | target.resource.domain.id | Entity (OCID) | |
| credentials | target.resource.domain.name | String | |
| domains | target.domain.id | Entity (OCID) | Not available to use with CreateDomain or ListDomains. |
| domains | target.domain.name | String | Not available to use with ListDomains. |
| tag-namespaces | target.tag-namespace.id | Entity (OCID) | This variable is supported only in statements granting permissions for the tag-namespaces resource-type. For an example, see Tags and Tag Namespace Concepts. Not available to use with CreateTagNamespace or ListTagNamespaces. |
| tag-namespaces | target.tag-namespace.name | String | Not available to use with ListTagNamespaces. |

Details for Verbs + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for compartments covers no extra permissions or API operations compared to the inspect verb. The use verb includes the same ones as the read verb, plus the COMPARTMENT_UPDATE permission and UpdateCompartment API operation. The manage verb includes the same permissions and API operations as the use verb, plus the COMPARTMENT_CREATE permission and two API operations: CreateCompartment and DeleteCompartment.

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListRegions | TENANCY_INSPECT |
| ListRegionSubscriptions | TENANCY_INSPECT |
| CreateRegionSubscription | TENANCY_UPDATE |
| GetTenancy | TENANCY_INSPECT |
| ListDomains | DOMAIN_INSPECT |
| GetDomain | DOMAIN_READ |
| CreateDomain | DOMAIN_CREATE |
| ActivateDomain | DOMAIN_ACTIVATE |
| UpdateDomain | DOMAIN_UPDATE |
| ReplicateDomainRegion | DOMAIN_REPLICATE |
| ChangeDomainCompartment | DOMAIN_MOVE |
| GetDomainLicenseTypes | DOMAIN_LICENSETYPE_READ |
| ChangeSku | DOMAIN_MOVE |
| DeactivateDomain | DOMAIN_DEACTIVATE |
| DeleteDomain | DOMAIN_DELETE |
| GetAuthenticationPolicy | AUTHENTICATION_POLICY_INSPECT |
| UpdateAuthenticationPolicy | AUTHENTICATION_POLICY_UPDATE |
| ListAvailabilityDomains | COMPARTMENT_INSPECT |
| ListFaultDomains | COMPARTMENT_INSPECT |
| ListCompartments | COMPARTMENT_INSPECT |
| GetCompartment | COMPARTMENT_INSPECT |
| UpdateCompartment | COMPARTMENT_UPDATE |
| CreateCompartment | COMPARTMENT_CREATE |
| RecoverCompartment | COMPARTMENT_RECOVER |
| DeleteCompartment | COMPARTMENT_DELETE |
| MoveCompartment | There is not a single permission associated with the MoveCompartment operation. This operation requires manage all-resources permissions on the lowest shared parent compartment of the current compartment and the destination compartment. |
| GetWorkRequest | COMPARTMENT_READ |
| ListUsers | USER_INSPECT |
| GetUser | USER_INSPECT |
| UpdateUser | USER_UPDATE |
| UpdateUserState | USER_UPDATE and USER_UNBLOCK |
| CreateUser | USER_CREATE |
| DeleteUser | USER_DELETE |
| CreateOrResetUIPassword | USER_UPDATE and USER_UIPASS_RESET |
| ListApiKeys | USER_READ |
| UploadApiKey | USER_UPDATE and USER_APIKEY_ADD |
| DeleteApiKey | USER_UPDATE and USER_APIKEY_REMOVE |
| ListAuthTokens | USER_READ |
| UpdateAuthToken | USER_UPDATE and USER_AUTHTOKEN_RESET |
| CreateAuthToken | USER_UPDATE and USER_AUTHTOKEN_SET |
| DeleteAuthToken | USER_UPDATE and USER_AUTHTOKEN_REMOVE |
| ListSwiftPasswords | USER_READ |
| UpdateSwiftPassword | USER_UPDATE and USER_SWIFTPASS_RESET |
| CreateSwiftPassword | USER_UPDATE and USER_SWIFTPASS_SET |
| DeleteSwiftPassword | USER_UPDATE and USER_SWIFTPASS_REMOVE |
| ListCustomerSecretKeys | USER_READ |
| CreateSecretKey | USER_UPDATE and USER_SECRETKEY_ADD |
| UpdateCustomerSecretKey | USER_UPDATE and USER_SECRETKEY_UPDATE |
| DeleteCustomerSecretKey | USER_UPDATE and USER_SECRETKEY_REMOVE |
| CreateOAuthClientCredential | USER_UPDATE and USER_OAUTH2_CLIENT_CRED_CREATE |
| UpdateOAuthClientCredential | USER_UPDATE and USER_OAUTH2_CLIENT_CRED_UPDATE |
| ListOAuthClientCredentials | USER_READ |
| DeleteOAuthClientCredential | USER_UPDATE and USER_OAUTH2_CLIENT_CRED_REMOVE |
| LinkSupportAccount | USER_SUPPORT_ACCOUNT_LINK |
| UnlinkSupportAccount | USER_SUPPORT_ACCOUNT_UNLINK |
| CreateSmtpCredential | CREDENTIAL_ADD |
| ListSmtpCredentials | CREDENTIAL_INSPECT |
| UpdateSmtpCredential | CREDENTIAL_UPDATE |
| DeleteSmtpCredential | CREDENTIAL_REMOVE |
| ListUserGroupMemberships | GROUP_INSPECT and USER_INSPECT |
| GetUserGroupMembership | USER_INSPECT and GROUP_INSPECT |
| AddUserToGroup | GROUP_UPDATE and USER_UPDATE |
| RemoveUserFromGroup | GROUP_UPDATE and USER_UPDATE |
| ListGroups | GROUP_INSPECT |
| GetGroup | GROUP_INSPECT |
| UpdateGroup | GROUP_UPDATE |
| CreateGroup | GROUP_CREATE |
| DeleteGroup | GROUP_DELETE |
| ListDynamicGroups | DYNAMIC_GROUP_INSPECT |
| GetDynamicGroup | DYNAMIC_GROUP_INSPECT |
| UpdateDynamicGroup | DYNAMIC_GROUP_UPDATE |
| CreateDynamicGroup | DYNAMIC_GROUP_CREATE |
| DeleteDynamicGroup | DYNAMIC_GROUP_DELETE |
| GetNetworkSource | NETWORK_SOURCE_INSPECT |
| ListNetworkSources | NETWORK_SOURCE_INSPECT |
| CreateNetworkSource | NETWORK_SOURCE_CREATE |
| UpdateNetworkSource | NETWORK_SOURCE_UPDATE |
| DeleteNetworkSource | NETWORK_SOURCE_DELETE |
| ListPolicies | POLICY_READ |
| GetPolicy | POLICY_READ |
| UpdatePolicy | POLICY_UPDATE |
| CreatePolicy | POLICY_CREATE |
| DeletePolicy | POLICY_DELETE |
| ListIdentityProviders | IDENTITY_PROVIDER_INSPECT |
| GetIdentityProvider | IDENTITY_PROVIDER_INSPECT |
| UpdateIdentityProvider | IDENTITY_PROVIDER_UPDATE |
| CreateIdentityProvider | IDENTITY_PROVIDER_CREATE |
| DeleteIdentityProvider | IDENTITY_PROVIDER_DELETE |
| ListIdpGroupMappings | IDENTITY_PROVIDER_INSPECT and GROUP_INSPECT |
| GetIdpGroupMapping | IDENTITY_PROVIDER_INSPECT and GROUP_INSPECT |
| AddIdpGroupMapping | IDENTITY_PROVIDER_UPDATE and GROUP_UPDATE |
| DeleteIdpGroupMapping | IDENTITY_PROVIDER_UPDATE and GROUP_UPDATE |
| ListIamWorkRequests | IAM_WORKREQUEST_INSPECT |
| GetIamWorkRequest | IAM_WORKREQUEST_READ |
| ListWorkRequestErrors | IAM_WORKREQUEST_INSPECT |
| ListIamWorkRequestLogs | IAM_WORKREQUEST_INSPECT |
| ListTagNamespaces | TAG_NAMESPACE_INSPECT |
| ListTaggingWorkRequest | TAG_NAMESPACE_INSPECT |
| ListTaggingWorkRequestErrors | TAG_NAMESPACE_INSPECT |
| ListTaggingWorkRequestLogs | TAG_NAMESPACE_INSPECT |
| GetTaggingWorkRequest | TAG_NAMESPACE_INSPECT |
| GetTagNamespace | TAG_NAMESPACE_INSPECT |
| CreateTagNamespace | TAG_NAMESPACE_CREATE |
| UpdateTagNamespace | TAG_NAMESPACE_UPDATE |
| ChangeTagNamespaceCompartment | TAG_NAMESPACE_MOVE |
| CascadeDeleteTagNamespace | TAG_NAMESPACE_DELETE |
| DeleteTagNamespace | TAG_NAMESPACE_DELETE |
| ListTags | TAG_NAMESPACE_INSPECT |
| BulkEditTags | TAG_NAMESPACE_INSPECT |
| ListCostTrackingTags | TAG_NAMESPACE_INSPECT |
| GetTag | TAG_NAMESPACE_INSPECT |
| CreateTag | TAG_NAMESPACE_USE |
| UpdateTag | TAG_NAMESPACE_USE |
| DeleteTag | TAG_NAMESPACE_DELETE |
| BulkDeleteTags | TAG_NAMESPACE_DELETE |
| ListTagDefaults | TAG_DEFAULT_INSPECT |
| GetTagDefault | TAG_DEFAULT_INSPECT |
| CreateTagDefault | TAG_DEFAULT_MANAGE |
| UpdateTagDefault | TAG_DEFAULT_MANAGE |
| DeleteTagDefault | TAG_DEFAULT_MANAGE |
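
Added example (not part of Oracle's documentation): the Python below parses a few rows re-typed from the table above and answers two least-privilege questions: which permissions a set of operations needs, and which operations a granted permission set enables. The function names and the help-desk role used to exercise them are assumptions made for illustration.

```python
import re

# Constructed sample: rows re-typed from the table above as
# "Operation PERMISSION [and PERMISSION]" lines.
TABLE = """\
UpdateUser USER_UPDATE
UpdateUserState USER_UPDATE and USER_UNBLOCK
CreateOrResetUIPassword USER_UPDATE and USER_UIPASS_RESET
UploadApiKey USER_UPDATE and USER_APIKEY_ADD
CreateAuthToken USER_UPDATE and USER_AUTHTOKEN_SET
CreateSecretKey USER_UPDATE and USER_SECRETKEY_ADD
ListApiKeys USER_READ
AddUserToGroup GROUP_UPDATE and USER_UPDATE
MoveCompartment There is not a single permission associated with the MoveCompartment operation.
"""

PERM = re.compile(r"^[A-Z][A-Z0-9_]+$")  # shape of a permission name, e.g. USER_UPDATE

def parse_table(text):
    """Map operation -> frozenset of permissions, or None when the row names no permission."""
    ops = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        op, _, rest = line.strip().partition(" ")
        perms = [p.strip() for p in rest.split(" and ")]
        ops[op] = frozenset(perms) if all(PERM.match(p) for p in perms) else None
    return ops

def required_permissions(ops, wanted):
    """Union of permissions for the wanted operations; refuses unknown or unmapped ones."""
    missing = [o for o in wanted if ops.get(o) is None]
    if missing:
        raise ValueError(f"no permission mapping for: {missing}")
    return set().union(*(ops[o] for o in wanted))

def enabled_operations(ops, granted):
    """Operations whose every required permission is present in the granted set."""
    granted = set(granted)
    return sorted(o for o, need in ops.items() if need is not None and need <= granted)

if __name__ == "__main__":
    ops = parse_table(TABLE)
    helpdesk = required_permissions(ops, ["CreateOrResetUIPassword", "UpdateUserState"])
    print(sorted(helpdesk))
    print(enabled_operations(ops, helpdesk))
```

With the three help-desk permissions, UpdateUser is enabled as a side effect because it needs only USER_UPDATE, while UploadApiKey and the other credential-creating operations stay out of reach until their second permission is granted.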