Managing Policies

This topic describes the basics of working with policies.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Working with Policies

If you haven't already, make sure to read How Policies Work to understand the basics of how policies work.

When creating a policy, you must specify the compartment where it should be attached, which is either the tenancy (the root compartment) or another compartment. Where it's attached governs who can later modify or delete it. For more information, see Policy Attachment. When creating the policy in the Console, you attach the policy to the desired compartment by creating the policy while viewing that compartment. If you're using the API, you specify the identifier of the desired compartment in the CreatePolicy request.

Also when creating a policy, you can specify its version date. For more information, see Policy Language Version. You can change the version date later if you like.

When creating a policy, you must also provide a unique, non-changeable name for it. The name must be unique across all policies in your tenancy. You must also provide a description (although it can be an empty string), which is a non-unique, changeable description for the policy. Oracle will also assign the policy a unique ID called an Oracle Cloud ID. For more information, see Resource Identifiers.

Note

If you delete a policy and then create a new policy with the same name, they'll be considered different policies because they'll have different OCIDs.

For information about how to write a policy, see How Policies Work and Policy Syntax.

When you create a policy, make changes to an existing policy, or delete a policy, your changes go into effect typically within 10 seconds.

You can view a list of your policies in the Console or with the API. In the Console, the list is automatically filtered to show only the policies attached to the compartment you're viewing. To determine which policies apply to a particular group, you must view the individual statements inside all your policies. There isn't a way to automatically obtain that information in the Console or API.
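Because the Console and API offer no "which policies mention this group" query, an administrator auditing a group's access has to read every statement in every policy. The script below is an added example (not part of the Oracle documentation) that does exactly that: it collects the policies from every compartment with the OCI Python SDK (assumed installed and configured through ~/.oci/config) and then searches their statements for a group name; the matching logic itself runs offline on plain records, and the sample records are constructed, not from a real tenancy.

```python
import re


def statements_for_group(policies, group_name):
    """Return (policy_name, statement) pairs whose subject is group_name.

    policies: list of dicts with 'name', 'compartment_id', 'statements'.
    Statements have the shape
        Allow group <group-name> to <verb> <resource-type> in <location> [where ...]
    The match is case-insensitive and anchored on the whole group name, so
    'NetworkAdmins' does not match 'NetworkAdminsReadOnly'. Assumes one
    group per statement; quoted names such as 'Network Auditors' are handled.
    """
    pattern = re.compile(
        r"^\s*allow\s+group\s+'?" + re.escape(group_name) + r"'?\s+to\b",
        re.IGNORECASE)
    return [(p["name"], s) for p in policies for s in p["statements"]
            if pattern.search(s)]


def fetch_all_policies(profile_name="DEFAULT"):
    """Collect the policies of every compartment using the OCI Python SDK.

    Assumption: the 'oci' package is installed and the ~/.oci/config profile
    has a 'tenancy' entry. Imported lazily so the matcher above runs offline.
    """
    import oci
    config = oci.config.from_file(profile_name=profile_name)
    identity = oci.identity.IdentityClient(config)
    tenancy_id = config["tenancy"]
    # The tenancy is the root compartment and can hold policies itself.
    compartment_ids = [tenancy_id] + [
        c.id for c in oci.pagination.list_call_get_all_results(
            identity.list_compartments, tenancy_id,
            compartment_id_in_subtree=True, access_level="ACCESSIBLE").data
        if c.lifecycle_state == "ACTIVE"]
    policies = []
    for cid in compartment_ids:
        for p in oci.pagination.list_call_get_all_results(
                identity.list_policies, cid).data:
            policies.append({"name": p.name, "compartment_id": cid,
                             "statements": p.statements})
    return policies


SAMPLE_POLICIES = [  # constructed sample records, not from a real tenancy
    {"name": "tenancy-admins", "compartment_id": "ocid1.tenancy.oc1..example",
     "statements": ["Allow group Administrators to manage all-resources in tenancy"]},
    {"name": "dev-network", "compartment_id": "ocid1.compartment.oc1..example",
     "statements": [
         "Allow group NetworkAdmins to manage virtual-network-family in compartment Dev",
         "Allow group 'Network Auditors' to read virtual-network-family in compartment Dev"]},
    {"name": "dev-readonly", "compartment_id": "ocid1.compartment.oc1..example",
     "statements": ["Allow group NetworkAdminsReadOnly to read all-resources in compartment Dev"]},
]

if __name__ == "__main__":
    for policy_name, stmt in statements_for_group(SAMPLE_POLICIES, "NetworkAdmins"):
        print(f"{policy_name}: {stmt}")
```

Against a real tenancy, replace `SAMPLE_POLICIES` with `fetch_all_policies()`; the caller needs inspect rights on compartments and policies in the tenancy.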

For information about the number of policies you can have, see Service Limits.

Using the Console

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

To create a policy

Prerequisite: The group and compartment that you're writing the policy for must already exist.

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies. A list of the policies in the compartment you're viewing is displayed.
  2. If you want to attach the policy to a compartment other than the one you're viewing, select the desired compartment from the list on the left. Where the policy is attached controls who can later modify or delete it (see Policy Attachment).
  3. Click Create Policy.
  4. Enter the following:
    • Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.
    • Description: A friendly description. You can change this later if you want to.
    • Policy Versioning: Select Keep Policy Current if you'd like the policy to stay current with any future changes to the service's definitions of verbs and resources. Or, if you'd prefer to limit access according to the definitions that were current on a specific date, select Use Version Date and enter that date in YYYY-MM-DD format. For more information, see Policy Language Version.
    • Statement: A policy statement. For the correct format to use, see Policy Basics and also Policy Syntax. If you want to add more than one statement, click +.
    • Click Show Advanced Options. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  5. To move the statements up or down in the policy, use the up and down indicators or select and drag the grid icon next to the statement.
  6. Click Create.

The new policy will go into effect typically within 10 seconds.

To get a list of your policies

Open the navigation menu. Under Governance and Administration, go to Identity and click Policies. A list of the policies in the compartment you're currently viewing is displayed. If you want to view policies attached to a different compartment, select that compartment from the list on the left. You can't get a single list of all policies; they're always displayed by compartment.

To determine which policies apply to a particular group, you must view the individual statements inside all your policies. There isn't a way to automatically obtain that information in the Console.

To update the description for an existing policy

This is available only through the API. A workaround is to create a new policy with the new description and delete the old policy.

To update the statements in an existing policy
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies. A list of the policies in the compartment you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
  2. Click the policy you want to update. The policy's details and statements are displayed.
  3. Click Edit Policy Statements. In the Edit Policy Statements dialog you can revise existing statements, add statements, delete statements, or rearrange the order (for the required format for statements, see Policy Basics and Policy Syntax).
  4. Click Save Changes when you are finished editing.

Your changes will go into effect typically within 10 seconds.

To update the version date for an existing policy
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies. A list of the policies in the compartment you're currently viewing is displayed. If you don't see the policy you're looking for, make sure you're viewing the correct compartment (select from the list on the left side of the page).
  2. Click the policy you want to update. The policy's details, version date, and statements are displayed.
  3. Click Update Version Date.
  4. Select Keep Policy Current if you'd like the policy to stay current with any future changes to the service's definitions of verbs and resources. Or, if you'd prefer to limit access according to the definitions that were current on a specific date, select Use Version Date and enter that date in YYYY-MM-DD format. For more information, see Policy Language Version.
  5. Click Update Version Date.

Your changes will go into effect typically within 10 seconds.

To delete a policy
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies. A list of the policies in the compartment you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
  2. For the policy you want to delete, click Delete.
  3. Confirm when prompted.

Your changes will go into effect typically within 10 seconds.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Note

Updates Are Not Immediate Across All Regions

Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions. For example, assume you have a group with permissions to launch instances in the tenancy. If you add UserA to this group, UserA will be able to launch instances in your home region within a minute. However, UserA will not be able to launch instances in other regions until the replication process is complete. This process can take up to several minutes. If UserA tries to launch an instance before replication is complete, they will get a not authorized error.

Use these API operations to manage policies: