Details for Resource Manager

This topic covers details for writing policies to control access to the Resource Manager service.

Aggregate Resource-Type

orm-family

Individual Resource-Types

orm-stacks

orm-jobs

orm-work-requests

orm-config-source-providers

Supported Variables

Resource Manager supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The orm-jobs resource type can use the following variables.

| Variable | Variable Type | Comments |
| --- | --- | --- |
| target.job.operation | String | Use this variable to control access for running specified job types. For example, to limit access to PLAN and APPLY jobs, use the following phrase: where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'} |
| target.stack.id | String | Use this variable to limit access to specified stacks. For example, use the following phrase: where any {target.stack.id = 'ocid1.ormstack.uniqueid1', target.stack.id = 'ocid1.ormstack.uniqueid2'} |

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

orm-stacks

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | ORM_STACK_INSPECT | ListResourceDiscoveryServices, ListStacks, ListTerraformVersions | none |
| read | INSPECT + ORM_STACK_READ | GetStack, GetStackTfConfig, GetStackTfState, ListStackResourceDriftDetails | none |
| use | READ + ORM_STACK_USE | no extra | CreateJob (also need manage orm-jobs) |
| manage | USE + ORM_STACK_CREATE, ORM_STACK_UPDATE, ORM_STACK_MOVE, ORM_STACK_DELETE | CreateStack (unless using configuration source providers), UpdateStack, ChangeStackCompartment, DeleteStack, DetectStateDrift, ListTerraformVersions | CreateStack: When creating stacks that use configuration source providers (configSourceType value GIT_CONFIG_SOURCE), also need read orm-config-source-providers |

orm-jobs

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | ORM_JOB_INSPECT | ListJobs | none |
| read | INSPECT + ORM_JOB_READ | GetJob, GetJobTfState, GetJobTfConfig, GetJobTfExecutionPlan, GetJobLogs, GetJobLogsContent | none |
| use | READ + no extra | no extra | none |
| manage | USE + ORM_JOB_MANAGE | UpdateJob, CancelJob | CreateJob (also need use orm-stacks) |

orm-work-requests

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | ORM_WORK_REQUEST_INSPECT | ListWorkRequests | none |
| read | INSPECT + ORM_WORK_REQUEST_READ | ListWorkRequestErrors, ListWorkRequestLogs, GetWorkRequest | none |
| use | READ + no extra | no extra | none |
| manage | USE + no extra | no extra | none |

orm-config-source-providers

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | ORM_CONFIG_SOURCE_PROVIDER_INSPECT | ListConfigurationSourceProviders | none |
| read | INSPECT + ORM_CONFIG_SOURCE_PROVIDER_READ | GetConfigurationSourceProvider | CreateStack: When creating stacks that use configuration source providers (configSourceType value GIT_CONFIG_SOURCE), also need manage orm-stacks |
| use | READ + no extra | no extra | none |
| manage | USE + ORM_CONFIG_SOURCE_PROVIDER_CREATE, ORM_CONFIG_SOURCE_PROVIDER_UPDATE, ORM_CONFIG_SOURCE_PROVIDER_MOVE, ORM_CONFIG_SOURCE_PROVIDER_DELETE | CreateConfigurationSourceProvider, UpdateConfigurationSourceProvider, ChangeConfigurationSourceProviderCompartment, DeleteConfigurationSourceProvider | none |
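The "partially covered" entries above mean that a grant on one resource type does not authorize the call by itself. The following added example (not Oracle's code) audits a list of policy statements for that gap: it applies the cumulative verb order and the orm-family expansion, then reports which cross-type operations a group still cannot call. Group and compartment names are hypothetical, and compartment scope and where-conditions are ignored, so a conditional grant is counted as granted.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, lowest to highest
FAMILY = ["orm-stacks", "orm-jobs", "orm-work-requests",
          "orm-config-source-providers"]      # orm-family expands to these

# Partially covered operations from the page: each needs verbs on two resource types.
CROSS_TYPE_OPS = {
    "CreateJob": {"orm-jobs": "manage", "orm-stacks": "use"},
    "CreateStack (GIT_CONFIG_SOURCE)": {"orm-stacks": "manage",
                                        "orm-config-source-providers": "read"}}

STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)"
    r"\s+in\s+(?P<scope>.+?)(?:\s+where\s+(?P<cond>.+))?$", re.IGNORECASE)

# Constructed sample policy; group and compartment names are hypothetical.
POLICY = [
    "Allow group StackOps to manage orm-jobs in compartment Project-A "
    "where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}",
    "Allow group StackOps to read orm-stacks in compartment Project-A",
    "Allow group StackAdmins to manage orm-stacks in compartment Project-A",
]

def granted_levels(statements, group):
    """Return {resource_type: index into VERBS} of the highest verb granted."""
    levels = {}
    for line in statements:
        m = STATEMENT.match(line.strip())
        if not m or m["group"] != group or m["verb"].lower() not in VERBS:
            continue
        rtype = m["rtype"].lower()
        for rt in (FAMILY if rtype == "orm-family" else [rtype]):
            levels[rt] = max(levels.get(rt, -1), VERBS.index(m["verb"].lower()))
    return levels

def blocked_ops(statements, group):
    """Map each cross-type operation the group cannot call to the grants it lacks."""
    have = granted_levels(statements, group)
    report = {}
    for op, needs in CROSS_TYPE_OPS.items():
        missing = [f"{verb} {rt}" for rt, verb in needs.items()
                   if have.get(rt, -1) < VERBS.index(verb)]
        if missing:
            report[op] = missing
    return report

if __name__ == "__main__":
    print({g: blocked_ops(POLICY, g) for g in ("StackOps", "StackAdmins")})
```

In the sample, StackOps can manage jobs but only read stacks, so CreateJob is still blocked until the group also has use orm-stacks.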

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

| API Operation | Permissions Required to Use the Operation |
| --- | --- |
| CancelJob | ORM_JOB_MANAGE |
| ChangeConfigurationSourceProviderCompartment | ORM_CONFIG_SOURCE_PROVIDER_MOVE |
| ChangeStackCompartment | ORM_STACK_MOVE |
| CreateConfigurationSourceProvider | ORM_CONFIG_SOURCE_PROVIDER_CREATE |
| CreateJob | ORM_JOB_MANAGE and ORM_STACK_USE |
| CreateStack | ORM_STACK_CREATE if not using configuration source providers. If using configuration source providers (configSourceType value GIT_CONFIG_SOURCE), also need read orm-config-source-providers |
| DeleteConfigurationSourceProvider | ORM_CONFIG_SOURCE_PROVIDER_DELETE |
| DeleteStack | ORM_STACK_DELETE |
| DetectStateDrift | ORM_STACK_UPDATE |
| GetConfigurationSourceProvider | ORM_CONFIG_SOURCE_PROVIDER_READ |
| GetJob | ORM_JOB_READ |
| GetJobLogs | ORM_JOB_READ |
| GetJobLogsContent | ORM_JOB_READ |
| GetJobTfConfig | ORM_JOB_READ |
| GetJobTfExecutionPlan | ORM_JOB_READ |
| GetJobTfState | ORM_JOB_READ |
| GetStack | ORM_STACK_READ |
| GetStackTfConfig | ORM_STACK_READ |
| GetStackTfState | ORM_STACK_READ |
| GetWorkRequest | ORM_WORK_REQUEST_READ |
| ListConfigurationSourceProviders | ORM_CONFIG_SOURCE_PROVIDER_INSPECT |
| ListJobs | ORM_JOB_INSPECT |
| ListResourceDiscoveryServices | ORM_STACK_INSPECT |
| ListStackResourceDriftDetails | ORM_STACK_READ |
| ListStacks | ORM_STACK_INSPECT |
| ListTerraformVersions | ORM_STACK_INSPECT |
| ListWorkRequestErrors | ORM_WORK_REQUEST_READ |
| ListWorkRequestLogs | ORM_WORK_REQUEST_READ |
| ListWorkRequests | ORM_WORK_REQUEST_INSPECT |
| UpdateConfigurationSourceProvider | ORM_CONFIG_SOURCE_PROVIDER_UPDATE |
| UpdateJob | ORM_JOB_MANAGE |
| UpdateStack | ORM_STACK_UPDATE |