Oracle Cloud Infrastructure Documentation

Events and IAM Policies

This topic describes how an administrator must write policy for the Events service, including authorizations for non-administrator users and the Events service itself. If you're new to policies, see Getting Started with Policies and Common Policies.

Overview of Events Policy

Events policy has two pieces: 

  • Policy for the Events service

    To create rules, you must authorize the Events service to deliver event messages to action resources (which can be any combination of topics (Notifications service), streams, or functions). For example, if you specify a topic that should receive events, you must write policy that gives the Events service access to the topic. See Allow the Events Service to Deliver Events to Action Resources.

  • Policy for users

    To let users (not administrators) work with rules, you must authorize them to manage or read rules. For example, if you want to allow users in the DevOps group to create rules that trigger action resources, you must write policy that allows them to manage rules. See Allow Users to Work with Rules.

For more details about user policies for Events, see Details for the Events Service. For more information on authorizations for action resources, see the Authentication and Authorization section for the related service: Notifications, Streaming, or Functions.

Allow the Events Service to Deliver Events to Action Resources

To enable the Events service to deliver events to resources in your tenancy, you must create policy that provides Events access to action resources.

Writing policy for the Events service is similar to writing policy for users, but instead of authorizing a group (and then adding users to the group) you are authorizing the Events service itself. Policy syntax works the same whether the policy is for services or users. For example, if you want to give the Events service access to all Notifications topics in the tenancy you would write something like this: 

allow service cloudEvents to use ons-topic in tenancy

Notice that the preceding statement includes service after allow (instead of group) because this statement allows a service (the Events service) to access resources in your tenancy. For policy statements, the Events service uses cloudEvents to identify itself as a service.

In the preceding statement, Events is allowed broad access. You may not want to grant Events that much access, so you can also write statements that limit access by including a location and even a condition. For example, compare the preceding policy statement with the following example, which limits Events access to a single Notifications topic:

allow service cloudEvents to use ons-topic in tenancy where any {target.ons-topic.id = '<ons_topic_OCID>'}

Use the following policies to allow the Events service to deliver events to each type of action resource.

  • Let the Events service use Functions
  • Let the Events service use Notifications
  • Let the Events service access Streaming

Tip

You need only add policy statements for each type of action resource that you specify in your rules. You do not have to add every service available for actions. If you add one service, then later decide you want to add another, you can add another statement for that service to the same policy. Likewise, if you decide to stop using one service, you can remove it.
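The two points above (scope the `cloudEvents` grant with a `where` condition, and add a statement only for the action resource types a rule actually uses) can be turned into a small generator and a broadness check. This is an added example, not part of the Oracle documentation: only `ons-topic` and the `target.ons-topic.id` variable come from this page; the `stream-push` and `fn-function` resource-type names, the `target.<type>.id` pattern for those types, and the sample OCIDs are assumptions and constructed values.

```python
"""Least-privilege IAM statements for the Events service (added example).

Only 'ons-topic' and 'target.ons-topic.id' are taken from the page; the other
resource-type names are assumptions to verify against each service's docs.
"""
import re

# Resource type the Events service must 'use' for each kind of action.
RESOURCE_TYPES = {
    "topic": "ons-topic",       # from the page
    "stream": "stream-push",    # assumption
    "function": "fn-function",  # assumption
}


def scoped_statement(kind, compartment, ocid):
    """One statement letting cloudEvents use a single action resource.

    Follows the page's pattern: a compartment location plus a where-clause
    on target.<resource-type>.id (generalised beyond ons-topic by assumption).
    """
    rtype = RESOURCE_TYPES[kind]
    return (f"allow service cloudEvents to use {rtype} in compartment {compartment} "
            f"where any {{target.{rtype}.id = '{ocid}'}}")


def statements_for_rule(compartment, actions):
    """Emit one scoped statement per distinct (kind, ocid) a rule targets.

    actions: iterable of (kind, ocid). Resource types that no action uses get
    no statement at all, matching the Tip above.
    """
    seen, out = set(), []
    for kind, ocid in actions:
        if (kind, ocid) not in seen:
            seen.add((kind, ocid))
            out.append(scoped_statement(kind, compartment, ocid))
    return out


# Tenancy-wide grant with no where-clause, e.g. the first example on the page.
_BROAD = re.compile(r"^allow service cloudEvents to \w+ [\w-]+ in tenancy\s*$", re.I)


def is_overly_broad(statement):
    """True when a cloudEvents statement grants tenancy-wide, unconditioned access."""
    return _BROAD.match(statement.strip()) is not None


if __name__ == "__main__":
    # Constructed sample: one rule fanning out to a topic and a stream.
    for s in statements_for_rule("Ops", [("topic", "ocid1.onstopic.oc1..example"),
                                         ("stream", "ocid1.stream.oc1..example")]):
        print(s, "| broad:", is_overly_broad(s))
```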

Allow Users to Work with Rules

These policies allow users to manage or list rules.

  • Let users list rules in a compartment
  • Let admins manage rules in a compartment