Details for API Gateway

This topic covers details for writing policies to control access to API Gateway.

Resource-Types

Aggregate Resource-Type

api-gateway-family

Individual Resource-Types

  • api-gateways
  • api-deployments
  • api-workrequests

Comments

A policy that uses <verb> api-gateway-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in api-gateway-family.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the api-gateways resource-type includes the same permissions and API operations as the inspect verb, plus the API_GATEWAY_READ permission and a number of API operations (for example, GetGateway). The use verb covers additional permissions and API operations compared to read. Lastly, manage covers more permissions and operations compared to use.

api-gateways

Verb: inspect
  Permissions:            API_GATEWAY_LIST
  APIs Fully Covered:     ListGateways
  APIs Partially Covered: none

Verb: read
  Permissions:            INSPECT + API_GATEWAY_READ
  APIs Fully Covered:     INSPECT + GetGateway
  APIs Partially Covered: GetDeployment (also needs read api-deployments)

Verb: use
  Permissions:            READ + API_GATEWAY_ADD_DEPLOYMENT, API_GATEWAY_REMOVE_DEPLOYMENT
  APIs Fully Covered:     no extra
  APIs Partially Covered: CreateDeployment and DeleteDeployment (both also need manage api-deployments); UpdateDeployment (also needs use api-deployments)

Verb: manage
  Permissions:            USE + API_GATEWAY_CREATE, API_GATEWAY_DELETE, API_GATEWAY_UPDATE, API_GATEWAY_MOVE
  APIs Fully Covered:     USE + CreateGateway, DeleteGateway, UpdateGateway, ChangeGatewayCompartment
  APIs Partially Covered: none

api-deployments

Verb: inspect
  Permissions:            API_DEPLOYMENT_LIST
  APIs Fully Covered:     ListDeployments
  APIs Partially Covered: none

Verb: read
  Permissions:            INSPECT + API_DEPLOYMENT_READ
  APIs Fully Covered:     no extra
  APIs Partially Covered: GetDeployment (also needs read api-gateways)

Verb: use
  Permissions:            READ + API_DEPLOYMENT_UPDATE
  APIs Fully Covered:     no extra
  APIs Partially Covered: UpdateDeployment (also needs use api-gateways)

Verb: manage
  Permissions:            USE + API_DEPLOYMENT_CREATE, API_DEPLOYMENT_DELETE, API_DEPLOYMENT_MOVE
  APIs Fully Covered:     ChangeDeploymentCompartment
  APIs Partially Covered: CreateDeployment and DeleteDeployment (both also need use api-gateways)

api-workrequests

Verb: inspect
  Permissions:            API_WORK_REQUEST_LIST
  APIs Fully Covered:     ListWorkRequests
  APIs Partially Covered: none

Verb: read
  Permissions:            INSPECT + API_WORK_REQUEST_READ
  APIs Fully Covered:     INSPECT + GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs
  APIs Partially Covered: none

Verb: use
  Permissions:            READ + API_WORK_REQUEST_CANCEL
  APIs Fully Covered:     READ + CancelWorkRequest
  APIs Partially Covered: none

Verb: manage
  Permissions:            no extra
  APIs Fully Covered:     no extra
  APIs Partially Covered: none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.

API Operation                  Permissions Required to Use the Operation
ListGateways                   API_GATEWAY_LIST
CreateGateway                  API_GATEWAY_CREATE
GetGateway                     API_GATEWAY_READ
UpdateGateway                  API_GATEWAY_UPDATE
DeleteGateway                  API_GATEWAY_DELETE
ChangeGatewayCompartment       API_GATEWAY_READ and API_GATEWAY_UPDATE and API_GATEWAY_MOVE
ListDeployments                API_DEPLOYMENT_LIST
CreateDeployment               API_DEPLOYMENT_CREATE and API_GATEWAY_READ and API_GATEWAY_ADD_DEPLOYMENT
GetDeployment                  API_DEPLOYMENT_READ and API_GATEWAY_READ
UpdateDeployment               API_DEPLOYMENT_UPDATE and API_GATEWAY_READ and API_GATEWAY_ADD_DEPLOYMENT
DeleteDeployment               API_DEPLOYMENT_DELETE and API_GATEWAY_READ and API_GATEWAY_REMOVE_DEPLOYMENT
ChangeDeploymentCompartment    API_DEPLOYMENT_READ and API_DEPLOYMENT_UPDATE and API_DEPLOYMENT_MOVE
ListWorkRequests               API_WORK_REQUEST_LIST
GetWorkRequest                 API_WORK_REQUEST_READ
CancelWorkRequest              API_WORK_REQUEST_CANCEL
ListWorkRequestErrors          API_WORK_REQUEST_READ
ListWorkRequestLogs            API_WORK_REQUEST_READ
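The following Python script is an added example and is not part of the OCI documentation or the OCI SDK. It encodes the verb-to-permission tables and the operation-to-permission table from this page, expands a <verb> api-gateway-family statement into the per-resource-type statements that the Comments section says it is equivalent to, and reports which required permissions a set of policy statements fails to grant for a given API operation. The statement grammar it accepts is an assumed, simplified subset of the OCI policy syntax (Allow group <group> to <verb> <resource-type> in compartment <compartment>); the group and compartment names in the sample policy are constructed values.

```python
# Added example: a small model of the verb/permission tables on this page,
# used to review whether a policy grants exactly what an API operation needs.
# Policy syntax is an assumed simplified subset:
#   Allow group <group> to <verb> <resource-type> in compartment <compartment>
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, least to most access

FAMILY = {"api-gateway-family": ["api-gateways", "api-deployments", "api-workrequests"]}

# Incremental permissions each verb adds, per individual resource-type (from the tables above).
VERB_PERMS = {
    "api-gateways": {
        "inspect": {"API_GATEWAY_LIST"},
        "read": {"API_GATEWAY_READ"},
        "use": {"API_GATEWAY_ADD_DEPLOYMENT", "API_GATEWAY_REMOVE_DEPLOYMENT"},
        "manage": {"API_GATEWAY_CREATE", "API_GATEWAY_DELETE", "API_GATEWAY_UPDATE", "API_GATEWAY_MOVE"},
    },
    "api-deployments": {
        "inspect": {"API_DEPLOYMENT_LIST"},
        "read": {"API_DEPLOYMENT_READ"},
        "use": {"API_DEPLOYMENT_UPDATE"},
        "manage": {"API_DEPLOYMENT_CREATE", "API_DEPLOYMENT_DELETE", "API_DEPLOYMENT_MOVE"},
    },
    "api-workrequests": {
        "inspect": {"API_WORK_REQUEST_LIST"},
        "read": {"API_WORK_REQUEST_READ"},
        "use": {"API_WORK_REQUEST_CANCEL"},
        "manage": set(),  # "no extra" on this page
    },
}

# Permissions required per API operation (the last table on this page).
OPERATION_PERMS = {
    "ListGateways": {"API_GATEWAY_LIST"},
    "CreateGateway": {"API_GATEWAY_CREATE"},
    "GetGateway": {"API_GATEWAY_READ"},
    "UpdateGateway": {"API_GATEWAY_UPDATE"},
    "DeleteGateway": {"API_GATEWAY_DELETE"},
    "ChangeGatewayCompartment": {"API_GATEWAY_READ", "API_GATEWAY_UPDATE", "API_GATEWAY_MOVE"},
    "ListDeployments": {"API_DEPLOYMENT_LIST"},
    "CreateDeployment": {"API_DEPLOYMENT_CREATE", "API_GATEWAY_READ", "API_GATEWAY_ADD_DEPLOYMENT"},
    "GetDeployment": {"API_DEPLOYMENT_READ", "API_GATEWAY_READ"},
    "UpdateDeployment": {"API_DEPLOYMENT_UPDATE", "API_GATEWAY_READ", "API_GATEWAY_ADD_DEPLOYMENT"},
    "DeleteDeployment": {"API_DEPLOYMENT_DELETE", "API_GATEWAY_READ", "API_GATEWAY_REMOVE_DEPLOYMENT"},
    "ChangeDeploymentCompartment": {"API_DEPLOYMENT_READ", "API_DEPLOYMENT_UPDATE", "API_DEPLOYMENT_MOVE"},
    "ListWorkRequests": {"API_WORK_REQUEST_LIST"},
    "GetWorkRequest": {"API_WORK_REQUEST_READ"},
    "CancelWorkRequest": {"API_WORK_REQUEST_CANCEL"},
    "ListWorkRequestErrors": {"API_WORK_REQUEST_READ"},
    "ListWorkRequestLogs": {"API_WORK_REQUEST_READ"},
}

STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in compartment (?P<compartment>\S+)$"
)


def expand_family(statement):
    """Rewrite a <verb> api-gateway-family statement into one statement per
    individual resource-type; statements on an individual type are returned unchanged."""
    m = STATEMENT_RE.match(statement)
    if not m:
        raise ValueError(f"unrecognised statement: {statement!r}")
    members = FAMILY.get(m["rtype"], [m["rtype"]])
    return [
        f"Allow group {m['group']} to {m['verb']} {r} in compartment {m['compartment']}"
        for r in members
    ]


def permissions_for(verb, rtype):
    """Cumulative permission set: the verb's own permissions plus every lower verb's."""
    granted = set()
    for v in VERBS[: VERBS.index(verb) + 1]:
        granted |= VERB_PERMS[rtype][v]
    return granted


def granted_permissions(statements, group, compartment):
    """Union of permissions the statements grant to `group` in `compartment`."""
    granted = set()
    for s in statements:
        for stmt in expand_family(s):
            m = STATEMENT_RE.match(stmt)
            if m["group"] == group and m["compartment"] == compartment:
                granted |= permissions_for(m["verb"], m["rtype"])
    return granted


def missing_for(operation, statements, group, compartment):
    """Permissions `operation` needs that the statements do not grant (empty set = allowed)."""
    return OPERATION_PERMS[operation] - granted_permissions(statements, group, compartment)


if __name__ == "__main__":
    # Constructed sample policy: the group may manage deployments but only read gateways.
    policy = [
        "Allow group deployers to manage api-deployments in compartment apps",
        "Allow group deployers to read api-gateways in compartment apps",
    ]
    for op in ("GetDeployment", "CreateDeployment", "DeleteGateway"):
        print(op, "missing:", sorted(missing_for(op, policy, "deployers", "apps")) or "none")
```

Run as written, the sample policy allows GetDeployment, but CreateDeployment is reported as missing API_GATEWAY_ADD_DEPLOYMENT, which is exactly the "also needs use api-gateways" note in the api-deployments table: manage on the deployment alone is not enough, because the operation also touches the gateway. DeleteGateway is missing API_GATEWAY_DELETE, since read api-gateways stops short of manage. Checking a proposed policy this way, operation by operation, is a practical least-privilege review before the statements are applied.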