Oracle Cloud Infrastructure Documentation

Details for the Core Services

This topic covers details for writing policies to control access to the Core Services (Networking, Compute, and Block Volume).

Resource-Types

Networking
Compute
Block Volume

Supported Variables

The Core Services support all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.

Variable Variable Type Comments
target.boot-volume.kms-key.id String Use this variable to control whether Compute instances can be launched with boot volumes that were created without a Key Management master encryption key.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read and use verbs for the vcns resource-type cover no extra permissions or API operations compared to the inspect verb. However, the manage verb includes several extra permissions and API operations.

For virtual-network-family Resource Types

vcns
subnets
route-tables
network-security-groups
security-lists
dhcp-options
private-ips
public-ips
ipv6s
internet-gateways
nat-gateways
service-gateways
local-peering-gateways
local-peering-from
local-peering-to
remote-peering-connections
remote-peering-from
remote-peering-to
drgs
cpes
ipsec
cross-connects
cross-connect-groups
virtual-circuits
vnics
vnic-attachments

For instance-family Resource Types

The instance-family aggregate resource-type includes extra permissions beyond the sum of the permissions for the individual resource-types included in instance-family. For example, it includes a few permissions for vnics and volumes, even though those resource-types aren't generally considered part of the instance-family. These extras are included so you can write fewer policy statements to cover general use cases, such as working with an instance that has an attached block volume: you can write one statement for instance-family instead of multiple statements covering instances, vnics, and volumes.

Here's a list of the extra permissions:

For inspect instance-family:

  • VNIC_READ
  • VNIC_ATTACHMENT_READ
  • VOLUME_ATTACHMENT_INSPECT

For read instance-family:

  • VOLUME_ATTACHMENT_READ

For use instance-family:

  • VNIC_ATTACH
  • VNIC_DETACH
  • VOLUME_ATTACHMENT_UPDATE

For manage instance-family:

  • VOLUME_ATTACHMENT_CREATE
  • VOLUME_ATTACHMENT_DELETE
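As an added example (not part of the OCI documentation), the following Python models the cumulative inspect > read > use > manage hierarchy described above as applied to the instance-family extras just listed, parses rows written in the same "Operation PERM and PERM" form as the API-operation table below, and reports which operations a grant actually covers. The permissions the principal is assumed to hold through other policy statements (INSTANCE_INSPECT, VOLUME_WRITE, INSTANCE_ATTACH_VOLUME) are a constructed scenario, not something the page states.

```python
"""Least-privilege coverage check for OCI Core Services policy grants.

Added example, not from the OCI documentation. Two inputs come from the
page: the extra permissions instance-family adds at each verb, and a few
rows of the API-operation table in the page's own "Op PERM and PERM" layout.
"""
from __future__ import annotations

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, lowest first

# Extra permissions instance-family adds at each verb (from the page).
INSTANCE_FAMILY_EXTRAS = {
    "inspect": {"VNIC_READ", "VNIC_ATTACHMENT_READ", "VOLUME_ATTACHMENT_INSPECT"},
    "read": {"VOLUME_ATTACHMENT_READ"},
    "use": {"VNIC_ATTACH", "VNIC_DETACH", "VOLUME_ATTACHMENT_UPDATE"},
    "manage": {"VOLUME_ATTACHMENT_CREATE", "VOLUME_ATTACHMENT_DELETE"},
}

# Rows copied from the API-operation table on the page.
API_TABLE_ROWS = """
ListVnicAttachments VNIC_ATTACHMENT_READ and INSTANCE_INSPECT
GetVnicAttachment VNIC_ATTACHMENT_READ
AttachVolume VOLUME_ATTACHMENT_CREATE and VOLUME_WRITE and INSTANCE_ATTACH_VOLUME
DetachVolume VOLUME_ATTACHMENT_DELETE and VOLUME_WRITE and INSTANCE_DETACH_VOLUME
DetachVnic INSTANCE_DETACH_SECONDARY_VNIC and VNIC_DETACH and VNIC_DELETE and SUBNET_DETACH
"""


def extras_for(verb: str) -> set[str]:
    """Cumulative instance-family extras: each verb includes every lower verb."""
    if verb not in VERBS:
        raise ValueError(f"unknown verb: {verb}")
    granted: set[str] = set()
    for level in VERBS[: VERBS.index(verb) + 1]:
        granted |= INSTANCE_FAMILY_EXTRAS[level]
    return granted


def parse_rows(text: str) -> dict[str, set[str]]:
    """Parse 'Operation PERM and PERM ...' lines into {operation: required perms}."""
    table: dict[str, set[str]] = {}
    for line in text.strip().splitlines():
        op, _, perms = line.strip().partition(" ")
        table[op] = {p.strip() for p in perms.split(" and ") if p.strip()}
    return table


def missing_permissions(op: str, verb: str, held: set[str] = frozenset(),
                        table: dict[str, set[str]] | None = None) -> set[str]:
    """Permissions `op` needs that neither the verb grant nor `held` supply."""
    table = table if table is not None else parse_rows(API_TABLE_ROWS)
    return table[op] - (extras_for(verb) | set(held))


def coverage_report(verb: str, held: set[str]) -> dict[str, set[str]]:
    """Map each listed operation to its missing permissions (empty = allowed)."""
    table = parse_rows(API_TABLE_ROWS)
    return {op: missing_permissions(op, verb, held, table) for op in table}


if __name__ == "__main__":
    # Constructed scenario: permissions assumed to come from other statements.
    other = {"INSTANCE_INSPECT", "VOLUME_WRITE", "INSTANCE_ATTACH_VOLUME"}
    for verb in VERBS:
        print(f"== {verb} instance-family ==")
        for op, gap in coverage_report(verb, other).items():
            status = "ALLOWED" if not gap else "missing " + ", ".join(sorted(gap))
            print(f"  {op:20s} {status}")
```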

The following tables list the permissions and API operations covered by each of the individual resource-types included in instance-family.

instances
console-histories
instance-console-connection
instance-images
app-catalog-listing

For compute-management-family Resource Types

The following tables list the permissions and API operations covered by each of the individual resource-types included in compute-management-family.

instance-configurations
instance-pools
cluster-networks

For Additional Compute Individual Resource Types

The following tables list the permissions and API operations covered by other Compute resource-types that aren't included in any aggregate resource-types.

auto-scaling-configurations
dedicated-vm-hosts
work-requests

For volume-family Resource Types

The following tables list the permissions and API operations covered by each of the individual resource-types included in volume-family.

volumes
volume-attachments
volume-backups
boot-volume-backups
backup-policies
volume-groups
volume-group-backups

Permissions Required for Each API Operation

The following tables list the API operations grouped by resource type. The resource types are listed in alphabetical order.

For information about permissions, see Permissions.

Core Services API Operations

API Operation Permissions Required to Use the Operation
GetVolumeBackupPolicy BACKUP_POLICY_INSPECT
ListVolumeBackupPolicies BACKUP_POLICY_INSPECT
ListClusterNetworks CLUSTER_NETWORK_INSPECT and INSTANCE_POOL_INSPECT
ListClusterNetworkInstances CLUSTER_NETWORK_READ and INSTANCE_POOL_READ
GetClusterNetwork CLUSTER_NETWORK_READ and INSTANCE_POOL_READ
UpdateClusterNetwork CLUSTER_NETWORK_UPDATE
CreateClusterNetwork CLUSTER_NETWORK_CREATE and INSTANCE_POOL_CREATE
ChangeClusterNetworkCompartment CLUSTER_NETWORK_MOVE
TerminateClusterNetwork CLUSTER_NETWORK_DELETE and INSTANCE_POOL_DELETE
ListConsoleHistories CONSOLE_HISTORY_READ and INSTANCE_INSPECT
GetConsoleHistory CONSOLE_HISTORY_READ and INSTANCE_INSPECT
ShowConsoleHistoryData CONSOLE_HISTORY_READ and INSTANCE_READ and INSTANCE_IMAGE_READ
CaptureConsoleHistory CONSOLE_HISTORY_CREATE and INSTANCE_READ and INSTANCE_IMAGE_READ
DeleteConsoleHistory CONSOLE_HISTORY_DELETE
ListCpes CPE_READ
GetCpe CPE_READ
UpdateCpe CPE_UPDATE
CreateCpe CPE_CREATE
DeleteCpe CPE_DELETE
ChangeCpeCompartment CPE_RESOURCE_MOVE
ListCrossConnects CROSS_CONNECT_READ
GetCrossConnect CROSS_CONNECT_READ
UpdateCrossConnect CROSS_CONNECT_UPDATE
CreateCrossConnect CROSS_CONNECT_CREATE if not creating the cross-connect in a cross-connect group. If creating the cross-connect in a cross-connect group, also need CROSS_CONNECT_CREATE and CROSS_CONNECT_ATTACH
DeleteCrossConnect CROSS_CONNECT_DELETE if the cross-connect is not in a cross-connect group. If the cross-connect is in a cross-connect group, also need CROSS_CONNECT_DELETE and CROSS_CONNECT_DETACH
ChangeCrossConnectCompartment CROSS_CONNECT_RESOURCE_MOVE
ListCrossConnectGroups CROSS_CONNECT_GROUP_READ
GetCrossConnectGroup CROSS_CONNECT_GROUP_READ
UpdateCrossConnectGroup CROSS_CONNECT_GROUP_UPDATE
CreateCrossConnectGroup CROSS_CONNECT_GROUP_CREATE
DeleteCrossConnectGroup CROSS_CONNECT_GROUP_DELETE
ChangeCrossConnectGroupCompartment CROSS_CONNECT_GROUP_RESOURCE_MOVE
ListDhcpOptions DHCP_READ
GetDhcpOptions DHCP_READ
UpdateDhcpOptions DHCP_UPDATE
CreateDhcpOptions DHCP_CREATE and VCN_ATTACH
DeleteDhcpOptions DHCP_DELETE and VCN_DETACH
ChangeDhcpOptionsCompartment DHCP_MOVE
ListDrgs DRG_READ
GetDrg DRG_READ
UpdateDrg DRG_UPDATE
CreateDrg DRG_CREATE
DeleteDrg DRG_DELETE
ChangeDrgCompartment DRG_MOVE
ListDrgAttachments DRG_ATTACHMENT_READ
GetDrgAttachment DRG_ATTACHMENT_READ
UpdateDrgAttachment DRG_ATTACHMENT_UPDATE (and ROUTE_TABLE_ATTACH if associating a route table with the DRG attachment during the update)
CreateDrgAttachment DRG_ATTACH and VCN_ATTACH (and ROUTE_TABLE_ATTACH if associating a route table with the DRG attachment during creation)
DeleteDrgAttachment DRG_DETACH and VCN_DETACH
CreateInstanceConsoleConnection INSTANCE_CONSOLE_CONNECTION_CREATE and INSTANCE_READ
DeleteInstanceConsoleConnection INSTANCE_CONSOLE_CONNECTION_DELETE
GetInstanceConsoleConnection INSTANCE_CONSOLE_CONNECTION_READ and INSTANCE_READ
ListInstanceConsoleConnections INSTANCE_CONSOLE_CONNECTION_INSPECT and INSTANCE_INSPECT and INSTANCE_READ
ListImages INSTANCE_IMAGE_READ
GetImage INSTANCE_IMAGE_READ
UpdateImage INSTANCE_IMAGE_UPDATE
CreateImage INSTANCE_IMAGE_CREATE and INSTANCE_CREATE_IMAGE (the first permission is related to the instance-image; the second is related to the instance)
ChangeImageCompartment INSTANCE_IMAGE_MOVE
DeleteImage INSTANCE_IMAGE_DELETE
ListInstances INSTANCE_READ
GetInstance INSTANCE_READ
LaunchInstance INSTANCE_CREATE and INSTANCE_IMAGE_READ and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH. If putting the instance in a network security group during instance creation, also need NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
UpdateInstance INSTANCE_UPDATE
InstanceAction INSTANCE_POWER_ACTIONS
ChangeInstanceCompartment INSTANCE_MOVE
TerminateInstance INSTANCE_DELETE and VNIC_DELETE and SUBNET_DETACH
ListInstanceConfigurations INSTANCE_CONFIGURATION_INSPECT
GetInstanceConfiguration INSTANCE_CONFIGURATION_READ
LaunchInstanceConfiguration INSTANCE_CONFIGURATION_LAUNCH
UpdateInstanceConfiguration INSTANCE_CONFIGURATION_UPDATE
CreateInstanceConfiguration INSTANCE_CONFIGURATION_CREATE (if using the CreateInstanceConfigurationDetails subtype); INSTANCE_READ and VNIC_READ and VNIC_ATTACHMENT_READ and VOLUME_INSPECT and VOLUME_ATTACHMENT_INSPECT (if using the CreateInstanceConfigurationFromInstanceDetails subtype)
ChangeInstanceConfigurationCompartment INSTANCE_CONFIGURATION_MOVE
DeleteInstanceConfiguration INSTANCE_CONFIGURATION_DELETE
ListInstancePools INSTANCE_POOL_INSPECT
ListInstancePoolInstances INSTANCE_POOL_READ
GetInstancePool INSTANCE_POOL_READ
UpdateInstancePool INSTANCE_POOL_UPDATE
ResetInstancePool INSTANCE_POOL_POWER_ACTIONS
SoftresetInstancePool INSTANCE_POOL_POWER_ACTIONS
StartInstancePool INSTANCE_POOL_POWER_ACTIONS
StopInstancePool INSTANCE_POOL_POWER_ACTIONS
CreateInstancePool INSTANCE_POOL_CREATE and INSTANCE_CREATE and IMAGE_READ and VNIC_CREATE and SUBNET_ATTACH
ChangeInstancePoolCompartment INSTANCE_POOL_MOVE
TerminateInstancePool INSTANCE_POOL_DELETE and INSTANCE_DELETE and VNIC_DELETE and SUBNET_DETACH and VOLUME_ATTACHMENT_DELETE and VOLUME_WRITE
ListInternetGateways INTERNET_GATEWAY_READ
GetInternetGateway INTERNET_GATEWAY_READ
UpdateInternetGateway INTERNET_GATEWAY_UPDATE
CreateInternetGateway INTERNET_GATEWAY_CREATE and VCN_ATTACH
DeleteInternetGateway INTERNET_GATEWAY_DELETE and VCN_DETACH
ChangeInternetGatewayCompartment INTERNET_GATEWAY_MOVE
ListIPSecConnections IPSEC_CONNECTION_READ
GetIPSecConnection IPSEC_CONNECTION_READ
UpdateIPSecConnection IPSEC_CONNECTION_UPDATE
CreateIPSecConnection DRG_ATTACH and CPE_ATTACH and IPSEC_CONNECTION_CREATE
DeleteIPSecConnection DRG_DETACH and CPE_DETACH and IPSEC_CONNECTION_DELETE
GetIPSecConnectionDeviceConfig IPSEC_CONNECTION_DEVICE_CONFIG_READ
GetIPSecConnectionDeviceStatus IPSEC_CONNECTION_READ
ListIPSecConnectionTunnels IPSEC_CONNECTION_READ
GetIPSecConnectionTunnel IPSEC_CONNECTION_READ
UpdateIPSecConnectionTunnel IPSEC_CONNECTION_UPDATE
GetIPSecConnectionTunnelSharedSecret IPSEC_CONNECTION_DEVICE_CONFIG_READ
UpdateIPSecConnectionTunnelSharedSecret IPSEC_CONNECTION_DEVICE_CONFIG_UPDATE
ListIpv6s IPV6_READ and SUBNET_READ (if listing by subnet) and VNIC_READ (if listing by VNIC)
GetIpv6 IPV6_READ
UpdateIpv6 IPV6_UPDATE (and VNIC_UNASSIGN and VNIC_ASSIGN if moving the IPv6 to a different VNIC)
CreateIpv6 IPV6_CREATE and SUBNET_ATTACH and VNIC_ASSIGN
DeleteIpv6 IPV6_DELETE and SUBNET_DETACH and VNIC_UNASSIGN
ListLocalPeeringGateways LOCAL_PEERING_GATEWAY_READ
GetLocalPeeringGateway LOCAL_PEERING_GATEWAY_READ
UpdateLocalPeeringGateway LOCAL_PEERING_GATEWAY_UPDATE (and ROUTE_TABLE_ATTACH if associating a route table with the LPG during the update)
CreateLocalPeeringGateway LOCAL_PEERING_GATEWAY_CREATE and VCN_ATTACH (and ROUTE_TABLE_ATTACH if associating a route table with the LPG during creation)
DeleteLocalPeeringGateway LOCAL_PEERING_GATEWAY_DELETE and VCN_DETACH
ConnectLocalPeeringGateway LOCAL_PEERING_GATEWAY_CONNECT_FROM and LOCAL_PEERING_GATEWAY_CONNECT_TO
ChangeLocalPeeringGatewayCompartment LOCAL_PEERING_GATEWAY_MOVE
ListNatGateways NAT_GATEWAY_READ
GetNatGateway NAT_GATEWAY_READ
UpdateNatGateway NAT_GATEWAY_UPDATE
CreateNatGateway NAT_GATEWAY_CREATE and VCN_READ and VCN_ATTACH
DeleteNatGateway NAT_GATEWAY_DELETE and VCN_READ and VCN_DETACH
ChangeNatGatewayCompartment NAT_GATEWAY_MOVE
ListNetworkSecurityGroups NETWORK_SECURITY_GROUP_READ
GetNetworkSecurityGroup NETWORK_SECURITY_GROUP_READ
UpdateNetworkSecurityGroup NETWORK_SECURITY_GROUP_UPDATE
CreateNetworkSecurityGroup NETWORK_SECURITY_GROUP_CREATE and VCN_ATTACH
DeleteNetworkSecurityGroup NETWORK_SECURITY_GROUP_DELETE and VCN_DETACH
ChangeNetworkSecurityGroupCompartment NETWORK_SECURITY_GROUP_MOVE
ListNetworkSecurityGroupSecurityRules NETWORK_SECURITY_GROUP_LIST_SECURITY_RULES
UpdateNetworkSecurityGroupSecurityRules NETWORK_SECURITY_GROUP_UPDATE_SECURITY_RULES. If writing a rule that specifies a network security group as the source (for ingress rules) or destination (for egress rules), also need NETWORK_SECURITY_GROUP_INSPECT
AddNetworkSecurityGroupSecurityRules NETWORK_SECURITY_GROUP_UPDATE_SECURITY_RULES. If writing a rule that specifies a network security group as the source (for ingress rules) or destination (for egress rules), also need NETWORK_SECURITY_GROUP_INSPECT
RemoveNetworkSecurityGroupSecurityRules NETWORK_SECURITY_GROUP_UPDATE_SECURITY_RULES
ListPrivateIps PRIVATE_IP_READ
GetPrivateIp PRIVATE_IP_READ
UpdatePrivateIp PRIVATE_IP_UPDATE
CreatePrivateIp PRIVATE_IP_CREATE and PRIVATE_IP_ASSIGN and VNIC_ASSIGN and SUBNET_ATTACH
DeletePrivateIp PRIVATE_IP_DELETE and PRIVATE_IP_UNASSIGN and VNIC_UNASSIGN and SUBNET_DETACH
ListRemotePeeringConnections REMOTE_PEERING_CONNECTION_READ
GetRemotePeeringConnection REMOTE_PEERING_CONNECTION_READ
UpdateRemotePeeringConnection REMOTE_PEERING_CONNECTION_UPDATE
CreateRemotePeeringConnection REMOTE_PEERING_CONNECTION_CREATE and DRG_ATTACH
DeleteRemotePeeringConnection REMOTE_PEERING_CONNECTION_DELETE and DRG_DETACH
ChangeRemotePeeringConnectionCompartment REMOTE_PEERING_CONNECTION_RESOURCE_MOVE
ConnectRemotePeeringConnections REMOTE_PEERING_CONNECTION_CONNECT_FROM and REMOTE_PEERING_CONNECTION_CONNECT_TO
ListPublicIps For ephemeral public IPs: PRIVATE_IP_READ; for reserved public IPs: PUBLIC_IP_READ
GetPublicIp For ephemeral public IPs: PRIVATE_IP_READ; for reserved public IPs: PUBLIC_IP_READ
GetPublicIpByPrivateIpId For ephemeral public IPs: PRIVATE_IP_READ; for reserved public IPs: PUBLIC_IP_READ
GetPublicIpByIpAddress For ephemeral public IPs: PRIVATE_IP_READ; for reserved public IPs: PUBLIC_IP_READ
UpdatePublicIp For ephemeral public IPs: PRIVATE_IP_UPDATE; for reserved public IPs: PUBLIC_IP_UPDATE and PRIVATE_IP_ASSIGN_PUBLIC_IP and PUBLIC_IP_ASSIGN_PRIVATE_IP and PRIVATE_IP_UNASSIGN_PUBLIC_IP and PUBLIC_IP_UNASSIGN_PRIVATE_IP
CreatePublicIp For ephemeral public IPs: PRIVATE_IP_ASSIGN_PUBLIC_IP; for reserved public IPs: PUBLIC_IP_CREATE and PUBLIC_IP_ASSIGN_PRIVATE_IP and PRIVATE_IP_ASSIGN_PUBLIC_IP
DeletePublicIp For ephemeral public IPs: PRIVATE_IP_UNASSIGN_PUBLIC_IP; for reserved public IPs: PUBLIC_IP_DELETE and PUBLIC_IP_UNASSIGN_PRIVATE_IP and PRIVATE_IP_UNASSIGN_PUBLIC_IP
ChangePublicIpCompartment PUBLIC_IP_MOVE. Note: This operation applies only to reserved public IPs.
ListRouteTables ROUTE_TABLE_READ
GetRouteTable ROUTE_TABLE_READ
UpdateRouteTable ROUTE_TABLE_UPDATE and INTERNET_GATEWAY_ATTACH (if creating a route rule that uses an internet gateway as a target) and INTERNET_GATEWAY_DETACH (if deleting a route rule that uses an internet gateway as a target) and DRG_ATTACH (if creating a route rule that uses a DRG as a target) and DRG_DETACH (if deleting a route rule that uses a DRG as a target) and PRIVATE_IP_ROUTE_TABLE_ATTACH (if creating a route rule that uses a private IP as a target) and PRIVATE_IP_ROUTE_TABLE_DETACH (if deleting a route rule that uses a private IP as a target) and LOCAL_PEERING_GATEWAY_ATTACH (if creating a route rule that uses an LPG as a target) and LOCAL_PEERING_GATEWAY_DETACH (if deleting a route rule that uses an LPG as a target) and NAT_GATEWAY_ATTACH (if creating a route rule that uses a NAT gateway as a target) and NAT_GATEWAY_DETACH (if deleting a route rule that uses a NAT gateway as a target) and SERVICE_GATEWAY_ATTACH (if creating a route rule that uses a service gateway as a target) and SERVICE_GATEWAY_DETACH (if deleting a route rule that uses a service gateway as a target)
CreateRouteTable ROUTE_TABLE_CREATE and VCN_ATTACH and INTERNET_GATEWAY_ATTACH (if creating a route rule that uses an internet gateway as a target) and DRG_ATTACH (if creating a route rule that uses a DRG as a target) and PRIVATE_IP_ROUTE_TABLE_ATTACH (if creating a route rule that uses a private IP as a target) and LOCAL_PEERING_GATEWAY_ATTACH (if creating a route rule that uses an LPG as a target) and NAT_GATEWAY_ATTACH (if creating a route rule that uses a NAT gateway as a target) and SERVICE_GATEWAY_ATTACH (if creating a route rule that uses a service gateway as a target)
DeleteRouteTable ROUTE_TABLE_DELETE and VCN_DETACH and INTERNET_GATEWAY_DETACH (if deleting a route rule that uses an internet gateway as a target) and DRG_DETACH (if deleting a route rule that uses a DRG as a target) and PRIVATE_IP_ROUTE_TABLE_DETACH (if deleting a route rule that uses a private IP as a target) and LOCAL_PEERING_GATEWAY_DETACH (if deleting a route rule that uses an LPG as a target) and NAT_GATEWAY_DETACH (if deleting a route rule that uses a NAT gateway as a target) and SERVICE_GATEWAY_DETACH (if deleting a route rule that uses a service gateway as a target)
ChangeRouteTableCompartment ROUTE_TABLE_MOVE
ListSecurityLists SECURITY_LIST_READ
GetSecurityList SECURITY_LIST_READ
UpdateSecurityList SECURITY_LIST_UPDATE
ChangeSecurityListCompartment SECURITY_LIST_MOVE
CreateSecurityList SECURITY_LIST_CREATE and VCN_ATTACH
DeleteSecurityList SECURITY_LIST_DELETE and VCN_DETACH
ListServiceGateways SERVICE_GATEWAY_READ
GetServiceGateway SERVICE_GATEWAY_READ
UpdateServiceGateway SERVICE_GATEWAY_UPDATE (and ROUTE_TABLE_ATTACH if associating a route table with the service gateway during the update)
ChangeServiceGatewayCompartment SERVICE_GATEWAY_MOVE
CreateServiceGateway SERVICE_GATEWAY_CREATE and VCN_READ and VCN_ATTACH (and ROUTE_TABLE_ATTACH if associating a route table with the service gateway during creation)
DeleteServiceGateway SERVICE_GATEWAY_DELETE and VCN_READ and VCN_DETACH
AttachServiceId SERVICE_GATEWAY_ADD_SERVICE
DetachServiceId SERVICE_GATEWAY_DELETE_SERVICE
ListShapes MACHINE_SHAPE_READ
ListSubnets SUBNET_READ
GetSubnet SUBNET_READ
UpdateSubnet SUBNET_UPDATE. If changing which route table is associated with the subnet, also need ROUTE_TABLE_ATTACH and ROUTE_TABLE_DETACH. If changing which security lists are associated with the subnet, also need SECURITY_LIST_ATTACH and SECURITY_LIST_DETACH. If changing which set of DHCP options is associated with the subnet, also need DHCP_ATTACH and DHCP_DETACH
CreateSubnet SUBNET_CREATE and VCN_ATTACH and ROUTE_TABLE_ATTACH and SECURITY_LIST_ATTACH and DHCP_ATTACH
DeleteSubnet SUBNET_DELETE and VCN_DETACH and ROUTE_TABLE_DETACH and SECURITY_LIST_DETACH and DHCP_DETACH
ChangeSubnetCompartment SUBNET_MOVE
ListVcns VCN_READ
GetVcn VCN_READ
UpdateVcn VCN_UPDATE
CreateVcn VCN_CREATE
DeleteVcn VCN_DELETE
ChangeVcnCompartment VCN_MOVE
ListVirtualCircuits VIRTUAL_CIRCUIT_READ
GetVirtualCircuit VIRTUAL_CIRCUIT_READ
UpdateVirtualCircuit VIRTUAL_CIRCUIT_UPDATE and DRG_ATTACH and DRG_DETACH. If updating which cross-connect or cross-connect group the virtual circuit is using, also need CROSS_CONNECT_DETACH and CROSS_CONNECT_ATTACH
CreateVirtualCircuit VIRTUAL_CIRCUIT_CREATE and DRG_ATTACH. If creating the virtual circuit with a mapping to a specific cross-connect or cross-connect group, also need CROSS_CONNECT_ATTACH
DeleteVirtualCircuit VIRTUAL_CIRCUIT_DELETE and DRG_DETACH. If deleting a virtual circuit that's currently using a cross-connect or cross-connect group, also need CROSS_CONNECT_DETACH
ChangeVirtualCircuitCompartment VIRTUAL_CIRCUIT_RESOURCE_MOVE
GetVnic VNIC_READ
AttachVnic INSTANCE_ATTACH_SECONDARY_VNIC and VNIC_ATTACH and VNIC_CREATE and SUBNET_ATTACH. If putting the secondary VNIC in a network security group during VNIC creation, also need NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
DetachVnic INSTANCE_DETACH_SECONDARY_VNIC and VNIC_DETACH and VNIC_DELETE and SUBNET_DETACH
UpdateVnic VNIC_UPDATE. If adding or removing the VNIC from a network security group, also need NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
ListVnicAttachments VNIC_ATTACHMENT_READ and INSTANCE_INSPECT
GetVnicAttachment VNIC_ATTACHMENT_READ
ListVolumes VOLUME_INSPECT
GetVolume VOLUME_INSPECT
UpdateVolume VOLUME_UPDATE
CreateVolume VOLUME_CREATE (and VOLUME_BACKUP_READ if creating volume from a backup)
DeleteVolume VOLUME_DELETE
ChangeVolumeCompartment VOLUME_MOVE
ListVolumeAttachments VOLUME_ATTACHMENT_INSPECT and VOLUME_INSPECT and INSTANCE_INSPECT
GetVolumeAttachment VOLUME_ATTACHMENT_INSPECT and VOLUME_INSPECT and INSTANCE_INSPECT. Note: To also get the CHAP secret for the volume, VOLUME_ATTACHMENT_READ is required instead of VOLUME_ATTACHMENT_INSPECT
AttachVolume VOLUME_ATTACHMENT_CREATE and VOLUME_WRITE and INSTANCE_ATTACH_VOLUME
DetachVolume VOLUME_ATTACHMENT_DELETE and VOLUME_WRITE and INSTANCE_DETACH_VOLUME
ListVolumeBackups VOLUME_BACKUP_INSPECT and VOLUME_INSPECT
GetVolumeBackup VOLUME_BACKUP_INSPECT and VOLUME_INSPECT
UpdateVolumeBackup VOLUME_BACKUP_UPDATE and VOLUME_INSPECT
CreateVolumeBackup VOLUME_BACKUP_CREATE and VOLUME_WRITE
DeleteVolumeBackup VOLUME_BACKUP_DELETE and VOLUME_INSPECT
ChangeVolumeBackupCompartment VOLUME_BACKUP_MOVE
GetBootVolume VOLUME_INSPECT
ListBootVolumes VOLUME_INSPECT
UpdateBootVolume VOLUME_UPDATE
DeleteBootVolume VOLUME_DELETE
ChangeBootVolumeCompartment BOOT_VOLUME_MOVE
CreateBootVolumeBackup BOOT_VOLUME_BACKUP_CREATE, VOLUME_WRITE
ListBootVolumeBackups BOOT_VOLUME_BACKUP_INSPECT, VOLUME_INSPECT
GetBootVolumeBackup BOOT_VOLUME_BACKUP_INSPECT, VOLUME_INSPECT
UpdateBootVolumeBackup BOOT_VOLUME_BACKUP_UPDATE, VOLUME_INSPECT
DeleteBootVolumeBackup BOOT_VOLUME_BACKUP_DELETE, VOLUME_INSPECT
ChangeBootVolumeBackupCompartment BOOT_VOLUME_BACKUP_MOVE
CreateVolumeGroup VOLUME_GROUP_CREATE, VOLUME_INSPECT if creating the volume group from a list of volumes; VOLUME_GROUP_CREATE, VOLUME_GROUP_INSPECT, VOLUME_CREATE, VOLUME_WRITE if cloning a volume group; VOLUME_GROUP_CREATE, VOLUME_GROUP_BACKUP_INSPECT, VOLUME_BACKUP_READ/BOOT_VOLUME_BACKUP_READ, VOLUME_CREATE, VOLUME_WRITE if restoring from a volume group backup
DeleteVolumeGroup VOLUME_GROUP_DELETE
GetVolumeGroup VOLUME_GROUP_INSPECT
ListVolumeGroups VOLUME_GROUP_INSPECT
UpdateVolumeGroup VOLUME_GROUP_UPDATE, VOLUME_INSPECT
ChangeVolumeGroupCompartment VOLUME_GROUP_MOVE, VOLUME_MOVE/BOOT_VOLUME_MOVE
CreateVolumeGroupBackup VOLUME_GROUP_BACKUP_CREATE, VOLUME_GROUP_INSPECT, VOLUME_WRITE, VOLUME_BACKUP_CREATE/BOOT_VOLUME_BACKUP_CREATE
DeleteVolumeGroupBackup VOLUME_GROUP_BACKUP_DELETE, VOLUME_BACKUP_DELETE/BOOT_VOLUME_BACKUP_DELETE
GetVolumeGroupBackup VOLUME_GROUP_BACKUP_INSPECT
ListVolumeGroupBackups VOLUME_GROUP_BACKUP_INSPECT
UpdateVolumeGroupBackup VOLUME_GROUP_BACKUP_UPDATE
ChangeVolumeGroupBackupCompartment VOLUME_GROUP_BACKUP_MOVE, VOLUME_BACKUP_MOVE/BOOT_VOLUME_BACKUP_MOVE

Dedicated Virtual Machine Host API Operations

API Operation Permissions Required to Use the Operation
CreateDedicatedVmHost DEDICATED_VM_HOST_CREATE
ChangeDedicatedVmHostCompartment DEDICATED_VM_HOST_MOVE
DeleteDedicatedVmHost DEDICATED_VM_HOST_DELETE
GetDedicatedVmHost DEDICATED_VM_HOST_READ
ListDedicatedVmHosts DEDICATED_VM_HOST_INSPECT
ListDedicatedVmHostInstances DEDICATED_VM_HOST_READ
ListDedicatedVmHostInstanceShapes None
ListDedicatedVmHostShapes None
LaunchInstance DEDICATED_VM_HOST_LAUNCH_INSTANCE in the dedicated virtual machine host's compartment and INSTANCE_CREATE in the compartment of the instance launched on the dedicated virtual machine host
UpdateDedicatedVmHost AUTO_SCALING_CONFIGURATION_CREATE and INSTANCE_POOL_UPDATE

Autoscaling API Operations

API Operation Permissions Required to Use the Operation
ListAutoScalingConfigurations AUTO_SCALING_CONFIGURATION_INSPECT
GetAutoScalingConfiguration AUTO_SCALING_CONFIGURATION_READ
UpdateAutoScalingConfiguration AUTO_SCALING_CONFIGURATION_UPDATE and INSTANCE_POOL_UPDATE
CreateAutoScalingConfiguration AUTO_SCALING_CONFIGURATION_CREATE and INSTANCE_POOL_UPDATE
ChangeAutoScalingConfigurationCompartment AUTO_SCALING_CONFIGURATION_MOVE
DeleteAutoScalingConfiguration AUTO_SCALING_CONFIGURATION_DELETE and INSTANCE_POOL_UPDATE
ListAutoScalingPolicies AUTO_SCALING_CONFIGURATION_READ
GetAutoScalingPolicy AUTO_SCALING_CONFIGURATION_READ
UpdateAutoScalingPolicy AUTO_SCALING_CONFIGURATION_UPDATE and INSTANCE_POOL_UPDATE
CreateAutoScalingPolicy AUTO_SCALING_CONFIGURATION_CREATE and INSTANCE_POOL_UPDATE
DeleteAutoScalingPolicy AUTO_SCALING_CONFIGURATION_DELETE and INSTANCE_POOL_UPDATE

Work Requests API Operations

API Operation Permissions Required to Use the Operation
ListWorkRequests WORKREQUEST_INSPECT
GetWorkRequest Work requests inherit the permissions of the operation that spawns the work request. Generally, <RESOURCE>_CREATE permissions for the associated resource are required.
ListWorkRequestLogs Work requests inherit the permissions of the operation that spawns the work request. Generally, <RESOURCE>_CREATE permissions for the associated resource are required.
ListWorkRequestErrors Work requests inherit the permissions of the operation that spawns the work request. Generally, <RESOURCE>_CREATE permissions for the associated resource are required.