Details for the WAF Service

This topic covers details for writing policies to control access to the WAAS service.

Aggregate Resource-Type

waas-family

Individual Resource-Types

waas-policy

waas-certificate

waas-work-request

waas-metering

waas-custom-protection-rule

waas-address-list

http-redirects

Comments

A policy that uses <verb> waas-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in waas-family.

Supported Variables

The WAF Service supports all the general variables (see General Variables for All Requests), plus the ones listed here.

| Variable | Variable Type | Comments |
| --- | --- | --- |
| target.waas-policy.id | Entity (OCID) | Use this variable to control access to specific WAAS policies by OCID. |
| target.waf-rule-key | String | Use this variable to control access to specific WAF rules by name. |
| target.waas-work-request.id | Entity (OCID) | The OCID of WAAS work requests. |
| target.waas-policy-certificate.id | Entity (OCID) | The OCID of SSL certificates configured in a WAAS policy. |
| target.certificate.destination-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.certificate.source-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.waas-policy.destination-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.waas-policy.source-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.waas-custom-protection-rule.id | Entity (OCID) | The OCID of a custom protection rule. |
| target.waas-custom-protection-rule.source-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.waas-custom-protection-rule.destination-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.waas-address-list.id | Entity (OCID) | The OCID of an address list. |
| target.waas-address-list.source-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.waas-address-list.destination-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.http-redirects.id | Entity (OCID) | The OCID of an HTTP redirect. |
| target.http-redirects.source-compartment.id | Entity (OCID) | The OCID of a compartment. |
| target.http-redirects.destination-compartment.id | Entity (OCID) | The OCID of a compartment. |

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the use and manage verbs for the waas-policy resource-type cover no extra permissions or API operations compared to the read verb.

waas-policy
waas-certificate
waas-work-request
waas-metering
waas-custom-protection-rule
waas-address-list
http-redirects

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

| API Operation | Permissions Required to Use the Operation |
| --- | --- |
| CreateWaasPolicy | WAAS_POLICY_CREATE |
| ListWaasPolicies | WAAS_POLICY_INSPECT |
| GetWaasPolicy | WAAS_POLICY_READ |
| UpdateWaasPolicy | WAAS_POLICY_UPDATE |
| DeleteWaasPolicy | WAAS_POLICY_DELETE |
| ChangeWaasPolicyCompartment | WAAS_POLICY_MOVE |
| ListReports | WAAS_POLICY_INSPECT |
| ListWafReports | WAAS_POLICY_INSPECT |
| GetWafTraffic | WAAS_POLICY_READ |
| GetWafBlocked | WAAS_POLICY_READ |
| GetWafRequests | WAAS_POLICY_READ |
| GetWafSettings | WAAS_POLICY_READ |
| UpdateWafSettings | WAAS_POLICY_UPDATE |
| GetAccessRules | WAAS_POLICY_READ |
| UpdateAccessRules | WAAS_POLICY_UPDATE |
| GetCaptchas | WAAS_POLICY_READ |
| UpdateCaptchas | WAAS_POLICY_UPDATE |
| GetDeviceFingerprintChallenge | WAAS_POLICY_READ |
| UpdateDeviceFingerprintChallenge | WAAS_POLICY_UPDATE |
| GetHumanInteractionChallenge | WAAS_POLICY_READ |
| UpdateHumanInteractionChallenge | WAAS_POLICY_UPDATE |
| GetJsChallenge | WAAS_POLICY_READ |
| UpdateJsChallenge | WAAS_POLICY_UPDATE |
| GetIpRateLimiting | WAAS_POLICY_READ |
| UpdateIpRateLimiting | WAAS_POLICY_UPDATE |
| GetGoodBots | WAAS_POLICY_READ |
| UpdateGoodBots | WAAS_POLICY_UPDATE |
| GetWafWhitelists | WAAS_POLICY_READ |
| UpdateWafWhitelists | WAAS_POLICY_UPDATE |
| GetWafRecommendations | WAAS_POLICY_READ |
| AcceptWafRecommendations | WAAS_POLICY_UPDATE |
| ListWafRules | WAAS_POLICY_INSPECT |
| UpdateWafRuleActions | WAAS_POLICY_UPDATE |
| GetWafRule | WAAS_POLICY_READ |
| GetThreatFeeds | WAAS_POLICY_READ |
| UpdateThreatFeedAction | WAAS_POLICY_UPDATE |
| GetAlerts | WAAS_POLICY_READ |
| ListWorkRequests | WAAS_WORK_REQUEST_INSPECT |
| ListWaasOriginRequestCidrs | WAAS_POLICY_INSPECT |
| GetWorkRequestDetails | WAAS_WORK_REQUEST_READ |
| DeleteWorkRequest | WAAS_WORK_REQUEST_DELETE |
| CreateCertificate | WAAS_CERTIFICATE_CREATE |
| ListCertificates | WAAS_CERTIFICATE_INSPECT |
| GetCertificate | WAAS_CERTIFICATE_READ |
| DeleteCertificate | WAAS_CERTIFICATE_DELETE |
| ChangeCertificateCompartment | WAAS_CERTIFICATE_MOVE |
| GetWafReport | WAAS_METERING_READ |
| CreateCustomProtectionRule | WAAS_CUSTOM_PROTECTION_RULE_CREATE |
| ListCustomProtectionRules | WAAS_CUSTOM_PROTECTION_RULE_INSPECT |
| GetCustomProtectionRule | WAAS_CUSTOM_PROTECTION_RULE_READ |
| UpdateCustomProtectionRule | WAAS_CUSTOM_PROTECTION_RULE_UPDATE |
| DeleteCustomProtectionRule | WAAS_CUSTOM_PROTECTION_RULE_DELETE |
| ChangeCustomProtectionRuleCompartment | WAAS_CUSTOM_PROTECTION_RULE_MOVE |
| CreateAddressList | WAAS_ADDRESS_LIST_CREATE |
| GetAddressList | WAAS_ADDRESS_LIST_READ |
| ListAddressLists | WAAS_ADDRESS_LIST_INSPECT |
| ChangeAddressListCompartment | WAAS_ADDRESS_LIST_MOVE |
| UpdateAddressList | WAAS_ADDRESS_LIST_UPDATE |
| DeleteAddressList | WAAS_ADDRESS_LIST_DELETE |
| ListHttpRedirects | HTTPREDIRECT_INSPECT |
| GetHttpRedirect | HTTPREDIRECT_READ |
| CreateHttpRedirect | HTTPREDIRECT_CREATE |
| UpdateHttpRedirect | HTTPREDIRECT_UPDATE |
| DeleteHttpRedirect | HTTPREDIRECT_DELETE |
| ChangeHttpRedirectCompartment | HTTPREDIRECT_MOVE |
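
Added example (not part of the original page): a broad grant beside a least-privilege set of statements built from the target.waas-policy.id variable and the permission names in the table above. The group name WafOperators, the compartment name ProdApps and the OCID value are placeholders, request.permission is one of the general variables, and lines starting with # are annotations rather than policy syntax.

```text
# Broad: every resource-type in waas-family, every operation, whole tenancy.
Allow group WafOperators to manage waas-family in tenancy

# Scoped replacement, one statement per need.

# 1. Listing is granted separately and without an OCID condition: a list
#    call does not target a single policy, so a target.waas-policy.id
#    condition would not match it.
Allow group WafOperators to inspect waas-policy in compartment ProdApps

# 2. Read and update one named WAAS policy only. CREATE, DELETE and MOVE
#    are left out, so the group cannot create or delete policies or move
#    them to another compartment.
Allow group WafOperators to manage waas-policy in compartment ProdApps where all {target.waas-policy.id = '<waas-policy-OCID-placeholder>', any {request.permission = 'WAAS_POLICY_READ', request.permission = 'WAAS_POLICY_UPDATE'}}

# 3. Follow the work requests those updates produce, without being able
#    to delete them.
Allow group WafOperators to manage waas-work-request in compartment ProdApps where any {request.permission = 'WAAS_WORK_REQUEST_INSPECT', request.permission = 'WAAS_WORK_REQUEST_READ'}
```

Certificates, custom protection rules, address lists and HTTP redirects are not mentioned in the scoped set, so the group gets no access to them.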