The verbs are listed in order of least amount of ability to most. The exact meaning of a each verb depends on which resource-type it's paired with. The tables later in this section show the API operations covered by each combination of verb and resource-type.
Verb
Target User
Types of Access Covered
inspect
Third-party auditors
Ability to list resources, without access to any confidential information or user-specified metadata that might be part of that resource. Important: The operation to list policies includes the contents of the policies themselves. The list operations for the Networking resource-types return all the information (for example, the contents of security lists and route tables).
read
Internal auditors
Includes inspect plus the ability to get user-specified metadata and the actual resource itself.
use
Day-to-day end users of resources
Includes read plus the ability to work with existing resources (the actions vary by resource type). Includes the ability to update the resource, except for resource-types where the "update" operation has the same effective impact as the "create" operation (for example, UpdatePolicy, UpdateSecurityList, and more), in which case the "update" ability is available only with the manage verb. In general, this verb doesn't include the ability to create or delete that type of resource.
manage
Administrators
Includes all permissions for the resource.
Resource-Types 🔗
A few common family resource-types are listed below. For the individual resource-types
that make up each family, follow the links.
all-resources: All Oracle Cloud Infrastructure
resource-types
The day of the week that the request is submitted in, specified in
English (for example, 'Monday', 'Tuesday', 'Wednesday', etc.). See Restricting Access to Resources Based on Time Frame for more information.
The 3-letter key for the region the request is made in. Allowed values are:
Note: For quota policies, the region name must be specified instead of the following 3-letter key values. Also see Sample Quotas for more information.
AMS - use for
Netherlands Northwest (Amsterdam)
ARN - use for Sweden Central (Stockholm)
AUH - use for UAE Central (Abu Dhabi)
BEG - use for Serbia Central (Jovanovac)
BOG - use for Colombia Central (Bogota)
BOM - use for India West (Mumbai)
CDG - use for France Central (Paris)
CWL - use for UK West (Newport)
DXB - use for UAE East (Dubai)
FRA - use for
Germany Central (Frankfurt)
GRU - use for
Brazil East (Sao Paulo)
HYD - use for
India South (Hyderabad)
IAD - use for US East (Ashburn)
ICN - use for South Korea Central (Seoul)
JED - use for Saudi Arabia West (Jeddah)
JNB - use
for South Africa Central (Johannesburg)
KIX - use for Japan Central (Osaka)
LHR - use for UK South (London)
LIN - use for Italy Northwest (Milan)
MAD - use for Spain Central (Madrid)
MEL - use for
Australia Southeast (Melbourne)
MRS - use for France South (Marseille)
MTY - use for Mexico Northeast (Monterrey)
MTZ - use for
Israel Central (Jerusalem)
NRT - use for Japan East (Tokyo)
ORD - use for US Midwest (Chicago)
PHX - use for US West (Phoenix)
QRO - use for
Mexico Central (Queretaro)
RUH - use for Saudi Arabia Central (Riyadh)
SCL - use for Chile Central (Santiago)
SIN - use for Singapore (Singapore)
SJC - use for
US West (San Jose)
SYD - use for Australia East (Sydney)
VAP - use for Chile West (Valparaiso)
VCP - use for Brazil Southeast (Vinhedo)
XSP - use for Singapore West (Singapore)
YNY - use for South Korea North (Chuncheon)
YUL - use for
Canada Southeast (Montreal)
YYZ - use for Canada Southeast (Toronto)
ZRH - use for Switzerland North (Zurich)
request.ad
String
The name of the availability domain
the request is made in. To get a list of availability domain names, use the ListAvailabilityDomains operation.
request.principal.compartment.tag
String
The tags applied to the compartment that the requesting resource belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.
request.principal.group.tag
String
The tags applied to the groups that the user belongs to are evaluated for a match. For usage instructions, see Using Tags to Manage Access.
target.compartment.name
String
The name of the compartment specified in target.compartment.id.
target.compartment.id
Entity (OCID)
The OCID of the compartment containing the primary resource.
Note: target.compartment.id and target.compartment.name cannot be used with a "List" API operation to filter the list based on the requesting user's access to the compartment.
target.resource.compartment.tag
String
The tag applied to the target compartment of the request is evaluated. For usage instructions, see Using Tags to Manage Access.
target.resource.tag
String
The tag applied to the target resource of the request is evaluated. For usage instructions, see Using Tags to Manage Access.