This reference includes:
- Verbs: A list of the available actions to pair with a resource-type
- Resource-Types: A list of the main resource-types
- General Variables for All Requests: Variables you can use when writing policies for any resource-type
- Details for Analytics Cloud
- Details for the Announcements Service
- Details for API Gateway
- Details for Application Migration
- Details for the Audit Service
- Details for Container Engine for Kubernetes
- Details for the Core Services (this includes Networking, Compute, and Block Volume)
- Details for Data Catalog
- Details for Data Science
- Details for Data Flow
- Details for the Database Service
- Details for the DNS Service
- Details for Digital Assistant
- Details for the Email Service
- Details for the Events Service
- Details for the File Storage Service
- Details for Functions
- Details for the Health Checks Service
- Details for IAM
- Details for Integration
- Details for the Key Management Service
- Details for Load Balancing
- Details for Monitoring
- Details for the Notifications Service
- Details for Object Storage, Archive Storage, and Data Transfer
- Details for OS Management
- Details for Registry
- Details for Resource Manager
- Details for the Search Service
- Details for the Streaming Service
- Details for the WAF Service
For instructions on how to create and manage policies using the Console or API, see Managing Policies.
The verbs are listed in order of least amount of ability to most. The exact meaning of each verb depends on which resource-type it's paired with. The tables later in this section show the API operations covered by each combination of verb and resource-type.
|Verb||Types of Access Covered||Target User|
||Ability to list resources, without access to any confidential information or user-specified metadata that may be part of that resource.
Important: The operation to list policies includes the contents of the policies themselves, and the list operations for the Networking resource-types return all the information (e.g., the contents of security lists and route tables).
||Day-to-day end users of resources|
||Includes all permissions for the resource.||Administrators|
The family resource-types are listed below. For the individual resource-types that make up each family, follow the links.
- all-resources: All Oracle Cloud Infrastructure resource-types
- cluster-family: See Details for Container Engine for Kubernetes
- compute-management-family: See Details for the Core Services
- data-catalog-family: See Details for Data Catalog
- database-family: See Details for the Database Service
- dns: See Details for the DNS Service
- file-family: See Details for the File Storage Service
- instance-family: See Details for the Core Services
- object-family: See Details for Object Storage, Archive Storage, and Data Transfer
- virtual-network-family: See Details for the Core Services
- volume-family: See Details for the Core Services
IAM has no family resource-type, only individual ones. See Details for IAM.
You use variables when adding conditions to a policy. For more information, see Conditions. Here are the general variables applicable to all requests.
||Entity (OCID)||The OCID of the requesting user.|
Whether the user has been verified by multi-factor authentication (MFA). To restrict access to only MFA-verified users, add the condition
See Managing Multi-Factor Authentication for information on setting up MFA.
||List of entities (OCIDs)||The OCIDs of the groups the requesting user is in.|
The OCID of the compartment containing the primary resource.
||String||The name of the compartment specified in
||String||The API operation name being requested (for example, ListUsers).|
||String||The underlying permission being requested (see Permissions).|
The 3-letter key for the region the request is made in. Allowed values are:
||String||The name of the availability domain the request is made in. To get a list of availability domain names, use the ListAvailabilityDomains operation.|