IAM Policies

Oracle Cloud Infrastructure Identity and Access Management (IAM) uses policies to grant permissions to groups on resources in compartments in a tenancy. By default, only members of the tenancy's Administrators group can create policies. Policies can be created only in IAM.

A policy is a document that consists of one or more statements. A policy statement follows this basic syntax:

Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>

Policy language uses four simple verbs, listed here from least to most privileged: inspect, read, use, and manage. Each verb includes the abilities of the verbs before it, so manage also grants use, read, and inspect.

By default, a tenancy administrator has the necessary permissions to enable Oracle Data Safe. If a group other than the tenancy's Administrators group (for example, the Data-Safe-Admins group) needs to enable and administer Oracle Data Safe, that group requires a policy with statements similar to the following:
Allow group Data-Safe-Admins to manage data-safe in tenancy
Allow group Data-Safe-Admins to inspect groups in tenancy

See Required Permission for Enabling Oracle Data Safe for different examples. The inspect permission on groups in the tenancy allows the user group to configure authorization policies in the Oracle Data Safe Console.
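The following is an added example, not Oracle documentation or Oracle code. It parses policy statements written in the syntax shown above and answers two questions a reviewer typically asks of a Data Safe policy: does this set of statements let a given group perform a given verb on a resource type in a given scope, and does any statement grant more than least privilege requires. The verb ordering (inspect < read < use < manage, each including the ones before it), the all-resources resource type, and the "in compartment id <ocid>" and "where" clause forms are real OCI policy syntax; the evaluation model is deliberately simplified (it does not inherit policies down the compartment tree and treats any statement with a where clause as not matching), and the group names and the over-broad statement in the sample are constructed for illustration.

```python
"""Parse and review OCI IAM policy statements. Added example; not Oracle code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OCI verbs from least to most privileged; each includes the ones before it.
VERBS = ("inspect", "read", "use", "manage")

# One statement per line, e.g.
#   Allow group Data-Safe-Admins to manage data-safe in tenancy
#   Allow group Auditors to read data-safe in compartment Prod where request.region = 'us-ashburn-1'
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>[^\s]+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[^\s]+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?:id\s+)?(?P<compartment>[^\s]+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement applies to the whole tenancy
    condition: Optional[str]    # text of a "where" clause, if any


def parse_statement(text: str) -> Statement:
    """Parse a single policy statement; raise ValueError on anything else."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError("not a recognised policy statement: %r" % text)
    return Statement(
        group=m.group("group"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        compartment=m.group("compartment"),
        condition=m.group("condition"),
    )


def is_allowed(statements: List[str], group: str, verb: str, resource: str,
               compartment: Optional[str] = None) -> bool:
    """Simplified authorization check.

    A statement grants the request when it names the group, its verb is at
    least as privileged as the requested verb, its resource type matches
    (all-resources matches anything), and it is scoped to the tenancy or to
    exactly the named compartment. Simplifications versus real OCI: no
    inheritance to child compartments, and a statement carrying a where
    clause is treated as not matching (the conservative choice).
    """
    wanted = VERBS.index(verb.lower())
    for text in statements:
        st = parse_statement(text)
        if st.group != group or st.condition is not None:
            continue
        if VERBS.index(st.verb) < wanted:
            continue
        if st.resource not in (resource.lower(), "all-resources"):
            continue
        if st.compartment is not None and st.compartment != compartment:
            continue
        return True
    return False


def review_policy(statements: List[str]) -> List[Tuple[str, str]]:
    """Flag statements that grant a verb over every resource type; a Data Safe
    administration policy should name data-safe (and groups) explicitly."""
    findings = []
    for text in statements:
        st = parse_statement(text)
        if st.resource == "all-resources":
            scope = "the tenancy" if st.compartment is None else "compartment " + st.compartment
            findings.append((text, "grants %s on every resource type in %s" % (st.verb, scope)))
    return findings


# Constructed sample: the two statements recommended above, plus one
# deliberately over-broad statement to show what the review flags.
DATA_SAFE_POLICY = [
    "Allow group Data-Safe-Admins to manage data-safe in tenancy",
    "Allow group Data-Safe-Admins to inspect groups in tenancy",
]
OVERBROAD_POLICY = DATA_SAFE_POLICY + [
    "Allow group Data-Safe-Admins to manage all-resources in tenancy",
]

if __name__ == "__main__":
    for text, why in review_policy(OVERBROAD_POLICY):
        print("FLAG:", text, "->", why)
    print("read data-safe in Prod:", is_allowed(DATA_SAFE_POLICY, "Data-Safe-Admins", "read", "data-safe", "Prod"))
    print("read groups:", is_allowed(DATA_SAFE_POLICY, "Data-Safe-Admins", "read", "groups"))
```

Note how the two recommended statements behave under the model: manage data-safe in tenancy covers read data-safe in any compartment, but inspect groups does not cover read groups, which is exactly why the page grants only inspect on groups for configuring Data Safe authorization.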

The following Oracle Cloud Infrastructure documentation discusses how to create policies in Oracle Cloud Infrastructure Identity and Access Management (IAM):