Policy Reference

This reference includes:

For instructions on how to create and manage policies using the Console or API, see Managing Policies.


The verbs are listed in order from least to most ability. The exact meaning of each verb depends on the resource-type it's paired with. The tables later in this section show the API operations covered by each combination of verb and resource-type.

Verb: inspect
  Types of access covered: Ability to list resources, without access to any confidential information or user-specified metadata that may be part of that resource.
  Important: The operation to list policies includes the contents of the policies themselves, and the list operations for the Networking resource-types return all the information (for example, the contents of security lists and route tables).
  Target user: Third-party auditors

Verb: read
  Types of access covered: Includes inspect plus the ability to get user-specified metadata and the actual resource itself.
  Target user: Internal auditors

Verb: use
  Types of access covered: Includes read plus the ability to work with existing resources (the actions vary by resource-type). Includes the ability to update the resource, except for resource-types where the "update" operation has the same effective impact as the "create" operation (for example, UpdatePolicy, UpdateSecurityList), in which case the "update" ability is available only with the manage verb. In general, this verb does not include the ability to create or delete that type of resource.
  Target user: Day-to-day end users of resources

Verb: manage
  Types of access covered: Includes all permissions for the resource.
  Target user: Administrators
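The following statements are an added example, not part of this reference, showing one policy statement per verb matched to the target user described in the table. The group names, the compartment name Project-A, and the resource-type names (all-resources, instance-family, virtual-network-family) are assumptions; the resource-type names are not defined on this page.

```text
Allow group ThirdPartyAuditors to inspect all-resources in tenancy
Allow group InternalAuditors to read all-resources in tenancy
Allow group ComputeUsers to use instance-family in compartment Project-A
Allow group NetworkAdmins to manage virtual-network-family in compartment Project-A
```

Two caveats from the table apply when reading these. First, inspect is not a harmless "metadata only" grant for every resource-type: the policy and Networking list operations return the full contents (policy text, security list rules, route rules), so ThirdPartyAuditors can read the tenancy's access rules and network filtering configuration. Second, a use grant on security-lists or policies would not let the group call UpdateSecurityList or UpdatePolicy, because those updates are treated as equivalent to create and are reserved for manage; only the NetworkAdmins statement above grants them.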


The family resource-types are listed below. For the individual resource-types that make up each family, follow the links.

IAM has no family resource-type, only individual ones. See Details for IAM.

General Variables for All Requests

You use variables when adding conditions to a policy. For more information, see Conditions. Here are the general variables applicable to all requests.

Name: request.user.id
  Type: Entity (OCID)
  Description: The OCID of the requesting user.

Name: request.user.mfaTotpVerified
  Type: Boolean
  Description: Whether the user has been verified by multi-factor authentication (MFA). To restrict access to only MFA-verified users, add the condition

    where request.user.mfaTotpVerified='true'

  See Managing Multi-Factor Authentication for information on setting up MFA.

Name: request.groups.id
  Type: List of entities (OCIDs)
  Description: The OCIDs of the groups the requesting user is in.

Name: request.permission
  Type: String
  Description: The underlying permission being requested (see Permissions).

Name: request.operation
  Type: String
  Description: The API operation name being requested (for example, ListUsers).

Name: request.networkSource.name
  Type: String
  Description: The name of the network source group that specifies the allowed IP addresses the request may come from. See Managing Network Sources for information.

Name: request.region
  Type: String
  Description: The 3-letter key for the region the request is made in. Allowed values are:
  • AMS - Netherlands Northwest (Amsterdam)
  • BOM - India West (Mumbai)
  • FRA - Germany Central (Frankfurt)
  • GRU - Brazil East (Sao Paulo)
  • HYD - India South (Hyderabad)
  • IAD - US East (Ashburn)
  • ICN - South Korea Central (Seoul)
  • JED - Saudi Arabia West (Jeddah)
  • KIX - Japan Central (Osaka)
  • LHR - UK South (London)
  • MEL - Australia Southeast (Melbourne)
  • NRT - Japan East (Tokyo)
  • PHX - US West (Phoenix)
  • SYD - Australia East (Sydney)
  • YNY - South Korea North (Chuncheon)
  • YUL - Canada Southeast (Montreal)
  • YYZ - Canada Southeast (Toronto)
  • ZRH - Switzerland North (Zurich)

Name: request.ad
  Type: String
  Description: The name of the availability domain the request is made in. To get a list of availability domain names, use the ListAvailabilityDomains operation.

Name: request.principal.compartment.tag
  Type: String
  Description: The tags applied to the compartment that the requesting resource belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.

Name: request.principal.group.tag
  Type: String
  Description: The tags applied to the groups that the user belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.

Name: target.compartment.name
  Type: String
  Description: The name of the compartment specified in target.compartment.id.

Name: target.compartment.id
  Type: Entity (OCID)
  Description: The OCID of the compartment containing the primary resource.
  Note: target.compartment.id and target.compartment.name cannot be used with a "List" API operation to filter the list based on the requesting user's access to the compartment.

Name: target.resource.compartment.tag
  Description: The tag applied to the target compartment of the request is evaluated. For usage instructions, see Using Tags to Manage Access.

Name: target.resource.tag
  Description: The tag applied to the target resource of the request is evaluated. For usage instructions, see Using Tags to Manage Access.
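The following statements are an added example, not taken from this reference, showing the variables above used as conditions: a single condition, an all {} block that must match in full, and an any {} block where one match suffices. The group names, the compartment Project-A, the network source name corpnet, and the resource-type names (all-resources, virtual-network-family, objects) are assumptions; the permission names OBJECT_CREATE and OBJECT_INSPECT come from the Object Storage permission table, which is not reproduced on this page.

```text
Allow group TenancyAdmins to manage all-resources in tenancy where request.user.mfaTotpVerified='true'
Allow group NetworkAdmins to manage virtual-network-family in compartment Project-A where all {request.networkSource.name='corpnet', request.region='PHX'}
Allow group ObjectWriters to manage objects in compartment Project-A where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}
```

Points worth checking before deploying statements like these: the MFA variable is Boolean, but the condition compares it to the quoted string 'true' exactly as shown above; request.region takes only the 3-letter keys from the list, so a request from any region not named in the condition fails it; and a condition on request.permission narrows a manage grant to the listed permissions, which is how you hand out a subset of manage without inventing an intermediate verb. Conditions on target.compartment.id or target.compartment.name do not filter the results of List operations, as the note on target.compartment.id states, so they cannot be relied on to hide resources in a listing.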