Details for the Email Delivery Service

This topic covers details for writing policies to control access to the Email Delivery service.

Resource-Types

email-domains

email-work-requests

email-family

approved-senders

suppressions

Supported Variables

The Email Delivery Service supports all the general variables (see General Variables for All Requests), plus the ones listed here.

| Variable | Variable Type | Comments |
| --- | --- | --- |
| target.approved-sender.email-domain | String | The value matches the domain portion (right-hand side) of the email address and the name of the associated email-domain object, if one exists. Policies should use the U-label form of the domain. Matching is case-insensitive. Not available for ListSenders. |
| target.email-domain.name | String | Scopes permission to domains that match the specified domain name. Policies should use the U-label form of the domain. Matching is case-insensitive. This variable can be used with pattern matching syntax to grant sub-domain access. Not available for ListEmailDomains. |
| target.email-domain.id | Entity (OCID) | Not available for ListEmailDomains or CreateEmailDomain. |
| target.email-work-request.id | Entity (OCID) | Not available for ListWorkRequests. |
| target.approved-sender.id | Entity (OCID) | Not available for ListSenders and CreateSender. |
| target.approved-sender.emailaddress | String | Not available for ListSenders. |
| target.dkim.email-domain | String | Scopes permission to DKIMs for a specific email domain. Policies should use the U-label form of the domain. Matching is case-insensitive. Not available for ListDkims. |

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

email-domains

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | EMAIL_DOMAIN_INSPECT | ListEmailDomains | None |
| read | INSPECT + EMAIL_DOMAIN_READ | GetEmailDomain | None |
| use | READ + EMAIL_DOMAIN_UPDATE | UpdateEmailDomain | None |
| manage | USE + EMAIL_DOMAIN_CREATE, EMAIL_DOMAIN_DELETE, EMAIL_DOMAIN_MOVE | CreateEmailDomain, DeleteEmailDomain, ChangeEmailDomainCompartment | None |

dkims

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | DKIM_INSPECT | ListDkims | None |
| read | INSPECT + DKIM_READ | GetDkim | None |
| use | READ + DKIM_UPDATE | UpdateDkim | None |
| manage | USE + DKIM_CREATE, DKIM_DELETE | CreateDkim, DeleteDkim | None |

email-work-requests

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | EMAIL_WORK_REQUEST_INSPECT | ListWorkRequests | None |
| read | INSPECT + EMAIL_WORK_REQUEST_READ | GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs | None |

email-family

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | APPROVED_SENDER_INSPECT, EMAIL_DOMAIN_INSPECT, EMAIL_WORK_REQUEST_INSPECT, SUPPRESSION_INSPECT | ListSenders, ListEmailDomains, ListWorkRequestErrors, ListSuppression | None |
| read | INSPECT + APPROVED_SENDER_READ, EMAIL_DOMAIN_READ, EMAIL_WORK_REQUEST_READ, SUPPRESSION_READ | GetSender, GetEmailDomain, ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs, GetSuppression | None |
| use | READ + APPROVED_SENDER_USE, APPROVED_SENDER_UPDATE, EMAIL_DOMAIN_UPDATE | SmtpSend, UpdateSender, UpdateEmailDomain | None |
| manage | USE + APPROVED_SENDER_CREATE, APPROVED_SENDER_DELETE, APPROVED_SENDER_MOVE, EMAIL_DOMAIN_CREATE, EMAIL_DOMAIN_DELETE, EMAIL_DOMAIN_MOVE, SUPPRESSION_CREATE, SUPPRESSION_DELETE | CreateSender, DeleteSender, MoveSender, CreateEmailDomain, DeleteEmailDomain, ChangeEmailDomainCompartment, CreateSuppression, DeleteSuppression | None |

approved-senders

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | APPROVED_SENDER_INSPECT | ListSenders | None |
| read | INSPECT + APPROVED_SENDER_READ | GetSender | None |
| use | READ + APPROVED_SENDER_USE | SmtpSend | None |
| manage | USE + APPROVED_SENDER_CREATE, APPROVED_SENDER_DELETE, APPROVED_SENDER_UPDATE, APPROVED_SENDER_MOVE | CreateSender, DeleteSender, UpdateSender, MoveSender | None |

suppressions

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- | --- |
| inspect | SUPPRESSION_INSPECT | ListSuppression | None |
| read | INSPECT + SUPPRESSION_READ | GetSuppression | None |
| use | No extra | None | None |
| manage | USE + SUPPRESSION_CREATE, SUPPRESSION_DELETE | CreateSuppression, DeleteSuppression | None |

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

| API Operation | Permissions Required to Use the Operation |
| --- | --- |
| ListEmailDomains | EMAIL_DOMAIN_INSPECT |
| GetEmailDomain | EMAIL_DOMAIN_READ |
| CreateEmailDomain | EMAIL_DOMAIN_CREATE |
| UpdateEmailDomain | EMAIL_DOMAIN_UPDATE |
| DeleteEmailDomain | EMAIL_DOMAIN_DELETE |
| ChangeEmailDomainCompartment | EMAIL_DOMAIN_MOVE |
| ListSenders | APPROVED_SENDER_INSPECT |
| GetSender | APPROVED_SENDER_READ |
| CreateSender | APPROVED_SENDER_CREATE |
| UpdateSender | APPROVED_SENDER_UPDATE |
| DeleteSender | APPROVED_SENDER_DELETE |
| MoveSender | APPROVED_SENDER_MOVE |
| SmtpSend | APPROVED_SENDER_USE |
| ListSuppression | SUPPRESSION_INSPECT |
| GetSuppression | SUPPRESSION_READ |
| CreateSuppression | SUPPRESSION_CREATE |
| DeleteSuppression | SUPPRESSION_DELETE |
| ListWorkRequests | EMAIL_WORK_REQUEST_INSPECT |
| GetWorkRequest | EMAIL_WORK_REQUEST_READ |
| ListWorkRequestErrors | EMAIL_WORK_REQUEST_INSPECT |
| ListWorkRequestLogs | EMAIL_WORK_REQUEST_INSPECT |
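
The cumulative verb tables above can be used to right-size a policy statement. The following is an added example, not code from the service or its documentation: it transcribes the approved-senders and email-family tables from this page, expands a verb into its full permission set, and reports what a statement grants beyond what the listed operations require. Treating "fewest permissions" as the measure of the narrowest grant is an assumption of the example.

```python
# Added example: the tables below are transcribed from this page
# (approved-senders and email-family only); the ranking rule is an assumption.
VERBS = ["inspect", "read", "use", "manage"]

# Incremental permissions each verb adds on top of the verb before it.
INCREMENTAL = {
    "approved-senders": {
        "inspect": {"APPROVED_SENDER_INSPECT"},
        "read": {"APPROVED_SENDER_READ"},
        "use": {"APPROVED_SENDER_USE"},
        "manage": {"APPROVED_SENDER_CREATE", "APPROVED_SENDER_DELETE",
                   "APPROVED_SENDER_UPDATE", "APPROVED_SENDER_MOVE"},
    },
    "email-family": {
        "inspect": {"APPROVED_SENDER_INSPECT", "EMAIL_DOMAIN_INSPECT",
                    "EMAIL_WORK_REQUEST_INSPECT", "SUPPRESSION_INSPECT"},
        "read": {"APPROVED_SENDER_READ", "EMAIL_DOMAIN_READ",
                 "EMAIL_WORK_REQUEST_READ", "SUPPRESSION_READ"},
        "use": {"APPROVED_SENDER_USE", "APPROVED_SENDER_UPDATE",
                "EMAIL_DOMAIN_UPDATE"},
        "manage": {"APPROVED_SENDER_CREATE", "APPROVED_SENDER_DELETE",
                   "APPROVED_SENDER_MOVE", "EMAIL_DOMAIN_CREATE", "EMAIL_DOMAIN_DELETE",
                   "EMAIL_DOMAIN_MOVE", "SUPPRESSION_CREATE", "SUPPRESSION_DELETE"},
    },
}

# Permission each operation requires (subset of the API table above).
REQUIRED = {"SmtpSend": "APPROVED_SENDER_USE", "GetSender": "APPROVED_SENDER_READ",
            "UpdateSender": "APPROVED_SENDER_UPDATE",
            "CreateSender": "APPROVED_SENDER_CREATE"}

def effective(verb, resource_type):
    """All permissions a verb grants: its own increment plus every lower verb's."""
    levels = VERBS[: VERBS.index(verb) + 1]
    return set().union(*(INCREMENTAL[resource_type][v] for v in levels))

def least_grant(operations):
    """(verb, resource-type) with the fewest permissions that covers the operations."""
    needed = {REQUIRED[op] for op in operations}
    fits = [(len(effective(v, r)), v, r) for r in INCREMENTAL for v in VERBS
            if needed <= effective(v, r)]
    if not fits:
        raise ValueError("no single statement covers: %s" % sorted(needed))
    return min(fits)[1:]

def excess(verb, resource_type, operations):
    """Permissions granted beyond what the operations require."""
    return effective(verb, resource_type) - {REQUIRED[op] for op in operations}
```

For a principal that only needs SmtpSend, `excess("use", "email-family", ["SmtpSend"])` includes APPROVED_SENDER_UPDATE and EMAIL_DOMAIN_UPDATE, whereas `use` on approved-senders adds only the inspect and read permissions for senders.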