This variable is supported only in statements granting permissions for the tag-namespaces resource-type. For an example, see Tags and Tag Namespace Concepts. Not available to use with CreateTagNamespace.
target.tag-namespace.name
String
Details for Verbs + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for compartments covers no extra permissions or API operations compared to the inspect verb. The use verb includes the same ones as the read verb, plus the COMPARTMENT_UPDATE permission and UpdateCompartment API operation. The manage verb includes the same permissions and API operations as the use verb, plus the COMPARTMENT_CREATE permission and two API operations: CreateCompartment and DeleteCompartment.
To move a compartment (that is, use the MoveCompartment operation) you must belong to a group that has manage all-resources permissions on the lowest shared parent compartment of the current compartment and the destination compartment.
The credentials resource type refers to only the SMTP credentials. Permissions to work with other credentials that can be added to a user (such as auth tokens, API keys, and customer secret keys) are included with users resource permissions.
Note: To apply, update, or remove defined tags for a resource, a user must be granted permissions on the resource and permissions to use the tag namespace.
Note that to work with the SMTP credentials for a user, you must have permissions for the credentials resource type.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | USER_INSPECT | ListUsers, GetUser | GetUserGroupMembership (also need inspect groups) |
| read | INSPECT + USER_READ | INSPECT + ListApiKeys, ListSwiftPasswords, ListAuthTokens, ListCustomerSecretKeys, ListOAuthClientCredentials, ListMfaTotpDevices | no extra |
| use | READ + USER_UPDATE | READ + UpdateUser | READ + AddUserToGroup (also need use groups), RemoveUserFromGroup (also need use groups) |
| manage | USE + USER_CREATE, USER_DELETE, USER_UNBLOCK, USER_APIKEY_ADD, USER_APIKEY_REMOVE, USER_UIPASS_SET, USER_UIPASS_RESET, USER_SWIFTPASS_SET, USER_SWIFTPASS_RESET, USER_SWIFTPASS_REMOVE, USER_AUTHTOKEN_SET, USER_AUTHTOKEN_RESET, USER_AUTHTOKEN_REMOVE, USER_OAUTH2_CLIENT_CRED_CREATE, USER_OAUTH2_CLIENT_CRED_UPDATE, USER_OAUTH2_CLIENT_CRED_REMOVE, USER_SECRETKEY_ADD, USER_SECRETKEY_UPDATE, USER_SECRETKEY_REMOVE, USER_SUPPORT_ACCOUNT_LINK, USER_SUPPORT_ACCOUNT_UNLINK, USER_TOTPDEVICE_ADD, USER_TOTPDEVICE_REMOVE, USER_TOTPDEVICE_UPDATE | USE + CreateUser, DeleteUser, UpdateUserState, UploadApiKey, DeleteApiKey, CreateOrResetUIPassword, UpdateSwiftPassword, CreateSwiftPassword, DeleteSwiftPassword, UpdateAuthToken, CreateAuthToken, DeleteAuthToken, CreateOAuthClientCredential, UpdateOAuthClientCredential, DeleteOAuthClientCredential, CreateSecretKey, UpdateCustomerSecretKey, DeleteCustomerSecretKey, CreateOAuthClientCredential, UpdateAuthClientCredential, DeleteOAuthClientCredential, LinkSupportAccount, UnlinkSupportAccount, CreateMfaTotpDevice, ActivateMfaTotpDevice, DeleteMfaTotpDevice | no extra |
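Because verbs are cumulative, granting the lowest verb that covers one needed operation also grants every operation at and below that level. The following added example (not part of the original documentation) uses the users table above to find the lowest verb for a set of required API operations, any extra statements on groups, and the operations granted beyond what was asked for. The function names `granted_apis` and `least_privilege` are illustrative assumptions.

```python
# Data transcribed from the users table on this page; function names are illustrative.
VERBS = ["inspect", "read", "use", "manage"]  # cumulative, lowest to highest

# Fully covered API operations each verb adds on top of the verb below it.
ADDED_APIS = {
    "inspect": "ListUsers GetUser",
    "read": "ListApiKeys ListSwiftPasswords ListAuthTokens ListCustomerSecretKeys "
            "ListOAuthClientCredentials ListMfaTotpDevices",
    "use": "UpdateUser",
    "manage": "CreateUser DeleteUser UpdateUserState UploadApiKey DeleteApiKey "
              "CreateOrResetUIPassword UpdateSwiftPassword CreateSwiftPassword "
              "DeleteSwiftPassword UpdateAuthToken CreateAuthToken DeleteAuthToken "
              "CreateOAuthClientCredential UpdateOAuthClientCredential "
              "DeleteOAuthClientCredential CreateSecretKey UpdateCustomerSecretKey "
              "DeleteCustomerSecretKey UpdateAuthClientCredential LinkSupportAccount "
              "UnlinkSupportAccount CreateMfaTotpDevice ActivateMfaTotpDevice "
              "DeleteMfaTotpDevice",
}
ADDED_APIS = {verb: set(ops.split()) for verb, ops in ADDED_APIS.items()}

# Partially covered operations: users verb plus a second statement on groups.
PARTIAL = {
    "GetUserGroupMembership": ("inspect", "inspect groups"),
    "AddUserToGroup": ("use", "use groups"),
    "RemoveUserFromGroup": ("use", "use groups"),
}

def granted_apis(verb):
    """Fully covered APIs for a verb, including those inherited from lower verbs."""
    granted = set()
    for v in VERBS[: VERBS.index(verb) + 1]:
        granted |= ADDED_APIS[v]
    return granted

def least_privilege(needed):
    """Return (lowest users verb, extra group statements, unneeded APIs granted)."""
    needed, level, extra = set(needed), 0, set()
    for op in needed:
        if op in PARTIAL:
            verb, also = PARTIAL[op]
            extra.add(also)
        else:
            verb = next((v for v in VERBS if op in ADDED_APIS[v]), None)
            if verb is None:
                raise KeyError(f"{op} is not in the users table")
        level = max(level, VERBS.index(verb))
    verb = VERBS[level]
    return verb, sorted(extra), sorted(granted_apis(verb) - needed)
```

For instance, a group that only needs UploadApiKey ends up with manage users, which also covers DeleteUser and every credential operation in the table; the third return value lists that excess for review.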
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation |
| --- | --- |
| ListRegions | TENANCY_INSPECT |
| ListRegionSubscriptions | TENANCY_INSPECT |
| CreateRegionSubscription | TENANCY_UPDATE |
| GetTenancy | TENANCY_INSPECT |
| GetAuthenticationPolicy | AUTHENTICATION_POLICY_INSPECT |
| UpdateAuthenticationPolicy | AUTHENTICATION_POLICY_UPDATE |
| ListAvailabilityDomains | COMPARTMENT_INSPECT |
| ListFaultDomains | COMPARTMENT_INSPECT |
| ListCompartments | COMPARTMENT_INSPECT |
| GetCompartment | COMPARTMENT_INSPECT |
| UpdateCompartment | COMPARTMENT_UPDATE |
| CreateCompartment | COMPARTMENT_CREATE |
| RecoverCompartment | COMPARTMENT_RECOVER |
| DeleteCompartment | COMPARTMENT_DELETE |
| MoveCompartment | There is not a single permission associated with the MoveCompartment operation. This operation requires manage all-resources permissions on the lowest shared parent compartment of the current compartment and the destination compartment. |